Document Preparation

Our audit preparation services ensure you’re well-documented – giving you peace of mind, every step of the way.

Policy, Standards, & Procedure (PSP) Support

PSPs form the backbone of any compliance framework. Remarkably, although PSPs are the most basic elements, they are also one of the most complex to implement effectively. This is largely due to the comprehensive and inter-dependent nature of PSPs. Key decision points to consider before embarking on a PSP effort:

Structure

Ideally Policies, Standards & Procedures are segregated, which simplifies ongoing administration and version management. However, most organizations combine them, which yields complexity where a particular procedure is integral to multiple Standards and/or procedures.

Presentation

Most organizations leverage a linear document format for PSPs, which does a poor job of communicating their hierarchical nature and interdependencies. Increasingly, Wikis, SharePoints, and/or dedicated ISMS management systems are being leveraged to address this challenge.

Audience

PSPs often have multiple audiences (e.g., employees, IT personnel, contractors, consultants, management). Audience, structure and presentation are highly inter-related and are critical to ensuring that PSPs are understood and followed. If the desired audience can't EASILY find all of the information relevant to a particular issue they are attempting to address, a non-conformity is almost certain to occur.

Business

The company's size, risk profile and risk tolerance, internal expertise, resource availability, budget and current PSP maturity level significantly impact the effort.

External

The regulations and external business contexts can notably impact the effort.

Version Control

It is critical that mechanisms exist to ensure that all necessary approvals for changes are auditable, that version histories are retained, and that only current versions are readily accessible.

ISMS Internal Audit

Integral to the PDCA model of most ISMSs is a requirement to conduct an internal audit to determine whether the control objectives, controls, processes, and procedures of the ISMS: conform to the requirements of ISO-27001 and relevant legislation or regulations; conform to identified information security requirements; are effectively implemented and maintained; and perform as expected.

Certification Audit Support

Many organizations believe that having a Pivot Point Security auditor on-site during one or both of the certification audit phases simplifies the process and reduces the risk that non-conformities may be cited.

ISO-27001 Certificate Extension

We often advocate that organizations minimize the initial scope of their ISO-27001 certificate to limit the level of disruption to business. Extending the certificate during surveillance audits is the simplest approach to progressively increasing the scope of an ISMS.

Ongoing Risk Management Team Membership

Maintaining an optimal composition of the Risk Management Committee ensures the ongoing effectiveness of the Risk Management function, which is critical to the ongoing effectiveness of the ISMS. Many organizations favor the inclusion of an independent and objective third party with cross-organizational/industry expertise to optimize the operation of the Risk Management Committee.

Incident Response Support
