ISO 27001



One of the best parts of my job at AvePoint is being able to help customers all over the world with their privacy, security, compliance and data protection initiatives. GDPR was one of the most popular topics discussed this season, but there are still many organizations that are curious about, or just being challenged to consider, good security and governance practices to keep their information assets secure.

ISO/IEC 27001 helps organizations prove they have those practices in place. Speaking from experience, I can confirm that it is much more difficult to keep forward momentum after your business has been ISO 27001-certified.

Although ISO 27001 certification isn’t mandatory, working towards it can help you get prepared to meet data governance requirements for similar functions, laws and regulations, rules and standards. Most of those share a common goal: protection of data and assets.

The AvePoint Privacy Impact Assessment (APIA) System helps you automate the process of evaluating, assessing and reporting on the privacy implications of your enterprise IT systems. Available exclusively through the IAPP, the APIA System lets you choose questions from the prepopulated bank of PIA questions (for example ISO 27001/02) or create your own, so you can build and save PIA templates to be reused and reported on.

One of the most common questions organizations ask is, “How do I get started with risk assessment?” Ideally, risk assessments should be part of Security and Privacy by Design or included in project management under ISO 27001 Annex 6.1.5, which reads, “Information security shall be addressed in project management, regardless of the type of the project.”

First, define and agree on your risk assessment methodology. Tailor the rules for how to perform the risk management assessment and use a standard that you can replicate across your business (particularly if you have a global presence). Remember to define what your risk scoring mechanism (severity versus likelihood) and risk level threshold are.

AvePoint’s Enterprise Risk Management (ERM) system can help you automate risk analysis, associate recommendations and document appropriate Corrective and Preventive Actions (CAPA) once any non-conformities or other undesirable situations are identified from assessments.

Once you have defined the methodology, the next step is to apply it across all of the assets your business has. This is tricky because it also requires you to have an asset inventory in advance, as ISO 27001 mandates in Annex A.8.1.1. Generally, organizations may not know or fully understand the risks associated with each of the ISO controls. Some questions to help get you audit-ready are:

  • Is there an asset owner assigned to each asset?
  • Who maintains the asset inventory?
  • Is the asset inventory regularly reviewed?
  • What is the asset’s retention period?
  • What is the asset’s classification?
  • How often is the asset/information backed up?

The Inventory Manager enables organizations to centralize all their assets (systems, services, processes, applications, etc.) into a single pane of glass and conduct automated Privacy, Risk, Security, and Data Protection Threshold and Impact Assessments with configurable calculators for risk-based decisions and controls.

If you’ve done the first two steps, you should now have identified the gaps between your business expectations and the actual situation of your information assets. Now it’s time to start planning your risk treatment or corrective and preventive action controls.

Applying security controls is one of your options to mitigate or minimize the risks, but you can also:

  1.  Transfer the risk to another party
  2.  Avoid the risk by disabling the process or activity that is too risky (even though the business might not be happy about this)
  3.  Accept the risk, which makes sense when the cost and effect of mitigating the risk is greater than the actual potential loss or damage. With the recent changes in data breach penalties such as the GDPR (up to 4% of worldwide revenue or up to 20 million euros), however, accepting the risk can be quite a questionable decision.

Another common question regarding ISO 27001 requirements and controls is about data labeling or data classification. Annex 8.2.1 of ISO 27001 states that “Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.”

The biggest problem with information or data classification is finding the easiest, most accurate and most efficient way to achieve this goal. Leaving this to employees can often be both time-consuming and inaccurate.

Additionally, not every employee knows how to appropriately classify data. Data changes frequently, and it is often difficult to rely solely on untrained personnel to make sure classification is done according to your organization’s information classification policy. It isn’t that you shouldn’t trust your employees, but it’s better to monitor and control how information is used throughout the organization.

How do you protect your personal data (PII) and sensitive information while reducing risk across the enterprise? Does your business have processes in place to classify and protect data throughout your assets? The phrase “we have a firewall” is not valid when adopting cloud collaboration solutions.

Unintended employee action is the most common cause of data breaches worldwide. To protect their assets, organizations have to classify what they have and, based on its value, apply appropriate security controls.

Not everything needs to be protected, but knowing what information you have, where it is, who has access, who it is shared with, what the retention period is, etc. is part of a best-practices data governance process.


AvePoint itself received ISO 27001 certification and has been able to meet most of the ISO 27001 requirements using our own Enterprise Risk Management (ERM) solution. We’ve been able to do things like:

  • Automatically apply data classification to data at rest and to any newly created document based on sensitivity, document/information type and retention period.
  • Identify non-conformities in the Incident Management Center
  • Automate third-party vendor risk assessments
  • Evaluate security into contracts using Impact Assessments

Stay tuned for a more in-depth blog post on our ISO 27001 certification process in the coming days!

Scan results provide insight into your greatest areas of vulnerability. Scan your content against internal or external rules to identify privacy or security issues in files, file properties, or even attributes like headers and footers. Start to tag and classify your data so that you can more easily find and respond to at-risk or sensitive data.

If you are just beginning your ISO 27001 certification journey or are completing your periodic ISO 27001 review and want a centralized solution to help you automate some of the ISO requirements, consider AvePoint’s compliance solutions, and contact us to learn more.

