ISO 27001
Out-of-the-Box compliance. Within your reach.

Let limited budgets and lack of access to expertise not stop you from getting ISO 27001 certified. And further managing it through the whole lifecycle.

Arrka empowers you at each stage

Whether you are just thinking of ISO 27001 certification or are already certified

Thinking about it?

You need to get compliant and certified. Yet you worry about finding the budgets and experts. Worry not — The Arrka platform equips you. Get going on your own. Quickly & easily.

Documentation done?

Policies & documents Completed. Controls are being rolled out. The Arrka platform helps automate & streamline — so your evidences are ready for your audit.

Already Certified?

Yayy! Now to ensure you remain compliant. The Arrka platform equips you for that. Throughout the certification lifecycle.

ISO 27001 compliance simplified and streamlined.

Simplified & Quick Assessments

Hassle-free Gap Assessments, Risk Assessments, Security Testing management. Across Teams & Geos.

Centralised Controls Management

Easily implement & manage all controls. Preconfigured workflows for process controls. Import of logs & reports from 3P tech controls.

Handy Built-in Tools

Asset Register, Vendor Risk Management, Contracts Management, Provisioning/ Deprovisioning and many others to help your security program.

KPIs, Metrics & Dashboards

Leverage preset security KPIs or configure yours to track & measure your program on a continual basis. Generate Alerts & Reports as required.

FAQs on ISO 27001 compliance

What is ISO 27001?

– ISO 27001 is the leading International Standard for Information Security. It helps an organization establish a formal, structured Information Security Management System (ISMS) that steers it in implementing clear security controls within the organization across all facets of security and organizational processes & functions. Implementing ISO 27001 helps an organization have a structured and comprehensive approach to security leveraging a combination of policies, processes, technologies and people.

Why do organizations implement and get certified for ISO 27001?

– An organization gets certified for ISO 27001 after an audit by accredited ISO certifying bodies. When a trusted external body provides this ‘stamp of approval’, it provides assurance to the outside world that the organization has indeed implemented Information Security in a comprehensive structured manner as per the ISO 27001 standard.
– Many external stakeholders like customers, regulators, business associations etc require organizations to get certified as a pre-requisite to doing business. Even without such mandates, several organizations get certified for ISO 27001 to build and convey trust to their ecosystem.

Is ISO 27001 only for large enterprises?

– Not at all! You can be of any size to get certified for ISO 27001. Several of Arrka’s micro, small and mid-sized clients have chosen to go in for ISO 27001 certification.

What is the process for ISO 27001 certification?

– You need to first implement the ISO 27001 standard in your organization. Once you complete the implementation and build sufficient evidences to prove that you have the standard running smoothly, you call in an accredited ISO agency to certify you. The agency will conduct an audit to assure itself that you have indeed implemented the standard. Post which, it awards you the certification.

How long is the ISO 27001 certificate valid for? What is the certification lifecycle?

– A certificate is valid for three years. At the end of year 1 and year 2, a surveillance audit (which is a smaller audit compared to the initial audit at the time of certification) is conducted. The surveillance audit is to check that you continue to properly operate all the security controls that you deployed for ISO 27001 compliance. At the end of year 3, you need to go for a ‘recertification’ – which is nothing but a full-fledged audit just like the one that was done when you first implemented the standard. The reason this ‘reset’ is done is because often many things change within an organization in three years. And hence the security controls deployed may need to be reset or reconfigured to the new business reality.

We have already deployed several security solutions in our organization. How will ISO 27001 help in any way?

– While you may have deployed several tech solutions, you may not have covered all your risk areas. Secondly, you may not have formal policies and processes to support your security solutions. ISO 27001 brings it all together in a comprehensive, structured manner, aligns everything to risks that get assessed and addresses security at all levels – policy, process, technology and people. Which is why external stakeholders rely on the assurance provided by ISO 27001.

Does ISO 27001 need to be deployed and/or certified across my entire organization or can it be done in ‘parts’?

– Yes, you can deploy ISO 27001 in only certain ‘parts’ of the organization. For eg, you can restrict it to a particular geography or business unit or business function. Many organizations deploy the ISO 27001 controls organization-wide but restrict the certification to only certain parts of the organization, depending on business priorities and budgetary constraints.

If we avail of Arrka’s ISO 27001 solution, what happens to the security products and other activities that we already have in place?

– We DO NOT ‘replace’ anything that you have already deployed. We merely build on it and add the ‘missing’ pieces. Our endeavour is to leverage whatever has been already done so you can move towards your goal faster.

Will you do Vulnerability Assessment & Penetration Testing (VAPT) as part of your ISO 27001 solution?

– Yes, Arrka can conduct a VAPT via the Arrka Lab as part of our solution. However, if you already have a solution for this deployed or you have a vendor who does this for you on a regular basis, we will integrate their test reports into our assessment.

We have no one in our organization who understands ISO 27001 in depth nor does anyone have the time to spend on this. How does Arrka help?

– We at Arrka have done all the hard work on your behalf – so you don’t need to spend time understanding what ISO 27001 is all about. All of this is baked into the platform.
– Further, for actual deployment, we have a team of consultants who will handhold you through the whole process to get you going. And if you need help for day to day management of your security program, then the Arrka team can take that on as well. In short, we work as your virtual CISO (Chief Information Security Officer).

Everyone else we have spoken to for our ISO 27001 requirement is a consulting services firm. So what is the big deal about the Arrka platform that makes it so different from the others?

he Arrka platform has all the necessary ‘intelligence’ built into it for ISO 27001. This means that you can do the entire deployment of the standard on your own or with our customer assistance team. In other words, there is no dependence on people and their individual competencies. Secondly, with everything automated on the platform, it takes upto 70% lesser time to implement. And you have all the information you need at your fingertips at any given point in time – no laborious excel sheets and email threads to scan through. Thirdly, the day to day management and operations being fully configured on the platform, you have everything in one place to manage your entire 27001 program. This includes managing client contracts, vendors, auditors, etc. So not only does it help during the initial certification but also through the entire lifecycle.

We want to get certified for ISO 27701 also in parallel. Can Arrka do that for us?

– Yes, Arrka can help you implement ISO 27701, get certified for it and remain certified through the lifecycle in tandem with your ISO 27001 journey.

If we use the Arrka solution, will our sensitive business data reside on the Arrka platform?

– Not at all! Your data continues to remain exactly where it is. The Arrka platform only helps you manage the compliance end-to-end, for which we do not need access to the actual data at any point in time.

If we use the Arrka solution, will we need to deploy anything on our servers?

– No. Nothing is required to be installed or deployed on your servers

If we need to reach out and talk to a Security expert at any point in time, can Arrka help with that?

– Yes, Arrka has a pool of Security Experts who can step in to help you with any queries you have or any assistance you may need.

Have additional laws and standards to comply with?

We understand that your business is probably spread across multiple countries – so you may need to comply with more than one law or standard at the same time. Worry not; we can easily do that without missing a beat.