ISO 27001
Out-of-the-Box compliance. Within your reach.

Don't let limited budgets or lack of access to expertise stop you from getting ISO 27001 certified, or from managing it through the whole lifecycle.

Arrka empowers you at each stage

Whether you are just thinking of ISO 27001 certification or are already certified

Thinking about it?

You need to get compliant and certified, yet you worry about finding the budget and the experts. Worry not: the Arrka platform equips you to get going on your own, quickly and easily.

Documentation done?

Policies & documents completed. Controls are being rolled out. The Arrka platform helps automate & streamline, so your evidence is ready for your audit.

Already Certified?

Yayy! Now to ensure you remain compliant. The Arrka platform equips you for that throughout the certification lifecycle.

ISO 27001 compliance simplified and streamlined.

Simplified & Quick Assessments

Hassle-free Gap Assessments, Risk Assessments, Security Testing management. Across Teams & Geos.

Centralised Controls Management

Easily implement & manage all controls. Preconfigured workflows for process controls. Import of logs & reports from third-party (3P) technical controls.

Handy Built-in Tools

Asset Register, Vendor Risk Management, Contracts Management, Provisioning/Deprovisioning and many others to help your security program.

KPIs, Metrics & Dashboards

Leverage preset security KPIs or configure yours to track & measure your program on a continual basis. Generate Alerts & Reports as required.

FAQs on ISO 27001 compliance

What is ISO 27001?

– ISO 27001 is the leading International Standard for Information Security. It helps an organization establish a formal, structured Information Security Management System (ISMS) that steers it in implementing clear security controls within the organization across all facets of security and organizational processes & functions. Implementing ISO 27001 helps an organization have a structured and comprehensive approach to security leveraging a combination of policies, processes, technologies and people.

Why do organizations implement and get certified for ISO 27001?

– An organization gets certified for ISO 27001 after an audit by accredited ISO certifying bodies. When a trusted external body provides this ‘stamp of approval’, it provides assurance to the outside world that the organization has indeed implemented Information Security in a comprehensive structured manner as per the ISO 27001 standard.
– Many external stakeholders like customers, regulators, business associations etc. require organizations to get certified as a prerequisite to doing business. Even without such mandates, several organizations get certified for ISO 27001 to build and convey trust to their ecosystem.

Is ISO 27001 only for large enterprises?

– Not at all! You can be of any size to get certified for ISO 27001. Several of Arrka’s micro, small and mid-sized clients have chosen to go in for ISO 27001 certification.

What is the process for ISO 27001 certification?

– You need to first implement the ISO 27001 standard in your organization. Once you complete the implementation and build sufficient evidence to prove that you have the standard running smoothly, you call in an accredited ISO agency to certify you. The agency will conduct an audit to assure itself that you have indeed implemented the standard, after which it awards you the certification.

How long is the ISO 27001 certificate valid for? What is the certification lifecycle?

– A certificate is valid for three years. At the end of year 1 and year 2, a surveillance audit (which is a smaller audit compared to the initial audit at the time of certification) is conducted. The surveillance audit is to check that you continue to properly operate all the security controls that you deployed for ISO 27001 compliance. At the end of year 3, you need to go for a ‘recertification’ – which is nothing but a full-fledged audit just like the one that was done when you first implemented the standard. The reason this ‘reset’ is done is because often many things change within an organization in three years. And hence the security controls deployed may need to be reset or reconfigured to the new business reality.

We have already deployed several security solutions in our organization. How will ISO 27001 help in any way?

– While you may have deployed several tech solutions, you may not have covered all your risk areas. Secondly, you may not have formal policies and processes to support your security solutions. ISO 27001 brings it all together in a comprehensive, structured manner, aligns everything to risks that get assessed and addresses security at all levels – policy, process, technology and people. That is why external stakeholders rely on the assurance provided by ISO 27001.

Does ISO 27001 need to be deployed and/or certified across my entire organization or can it be done in ‘parts’?

– Yes, you can deploy ISO 27001 in only certain ‘parts’ of the organization. For example, you can restrict it to a particular geography, business unit or business function. Many organizations deploy the ISO 27001 controls organization-wide but restrict the certification to only certain parts of the organization, depending on business priorities and budgetary constraints.

If we avail of Arrka’s ISO 27001 solution, what happens to the security products and other activities that we already have in place?

– We DO NOT ‘replace’ anything that you have already deployed. We merely build on it and add the ‘missing’ pieces. Our endeavour is to leverage whatever has been already done so you can move towards your goal faster.

Will you do Vulnerability Assessment & Penetration Testing (VAPT) as part of your ISO 27001 solution?

– Yes, Arrka can conduct a VAPT via the Arrka Lab as part of our solution. However, if you already have a solution for this deployed or you have a vendor who does this for you on a regular basis, we will integrate their test reports into our assessment.

We have no one in our organization who understands ISO 27001 in depth nor does anyone have the time to spend on this. How does Arrka help?

– We at Arrka have done all the hard work on your behalf – so you don’t need to spend time understanding what ISO 27001 is all about. All of this is baked into the platform.
– Further, for actual deployment, we have a team of consultants who will handhold you through the whole process to get you going. And if you need help with day-to-day management of your security program, then the Arrka team can take that on as well. In short, we work as your virtual CISO (Chief Information Security Officer).

Everyone else we have spoken to for our ISO 27001 requirement is a consulting services firm. So what is the big deal about the Arrka platform that makes it so different from the others?

– The Arrka platform has all the necessary ‘intelligence’ built into it for ISO 27001. This means that you can do the entire deployment of the standard on your own or with our customer assistance team. In other words, there is no dependence on people and their individual competencies. Secondly, with everything automated on the platform, it takes up to 70% less time to implement. And you have all the information you need at your fingertips at any given point in time – no laborious Excel sheets and email threads to scan through. Thirdly, with day-to-day management and operations fully configured on the platform, you have everything in one place to manage your entire 27001 program. This includes managing client contracts, vendors, auditors, etc. So not only does it help during the initial certification but also through the entire lifecycle.

We want to get certified for ISO 27701 also in parallel. Can Arrka do that for us?

– Yes, Arrka can help you implement ISO 27701, get certified for it and remain certified through the lifecycle in tandem with your ISO 27001 journey.

If we use the Arrka solution, will our sensitive business data reside on the Arrka platform?

– Not at all! Your data continues to remain exactly where it is. The Arrka platform only helps you manage the compliance end-to-end, for which we do not need access to the actual data at any point in time.

If we use the Arrka solution, will we need to deploy anything on our servers?

– No. Nothing is required to be installed or deployed on your servers.

If we need to reach out and talk to a Security expert at any point in time, can Arrka help with that?

– Yes, Arrka has a pool of Security Experts who can step in to help you with any queries you have or any assistance you may need.

Have additional laws and standards to comply with?

We understand that your business is probably spread across multiple countries, so you may need to comply with more than one law or standard at the same time. Worry not; we can easily do that without missing a beat.