
ISO/IEC 27001 Implementation
Today’s customers demand heightened levels of data protection assurance, but how is that achieved in an era of weekly data breaches?
An ISO/IEC 27001 certification is the most widely recognised answer. A company holding this certificate has implemented an information security management system: a systematic set of policies, procedures and controls aligned with the international standard, independently audited by an accredited third-party certification body.

How We Can Help
At Allendevaux & Company, we have created a non-intrusive programme to establish and implement an information security management system (ISMS) through a 7-step process.
Our certified professionals report to a stakeholder within your organisation that you appoint. For an overview of the 7-step process, please download the PDF brochure attached below that describes the process, milestones and timeline.
Data Protection 7-Step System (PDF):
Cybersecurity
Today’s advanced systems, networks and services require heightened technical fortification to ensure data is protected from cyberattack and loss. The worst two words a CEO can hear are data breach, because the fallout is lasting and the reputational damage regrettable.
How do you know web portals and databases are competently protected without testing the fortification?

At Allendevaux & Company, we provide independent assessment services to review configurations, scan for weaknesses and pentest the security posture of a service or system.
Driven by a certified team of cybersecurity engineers, findings are organised into a report that can be used to identify and remediate weaknesses. When the cadence is repeated, it heightens the security posture of the organisation and its services.
To learn more about vulnerability scanning, application testing, firewall configuration reviews and pentesting services, please click here.
How We Can Help
Cloud Security & Big Data
ISO/IEC 27001:2013 certification alone is no longer sufficient assurance for organisations and service providers storing sensitive, regulated data in cloud systems. ISO/IEC 27001 provides a management-system baseline, but its controls are not specific to cloud services.
Cloud-specific controls are needed in today’s age of complex regulatory compliance. ISO/IEC 27017 provides the cloud-specific code of practice that extends the ISO/IEC 27002 controls for both cloud service providers and cloud customers, and it is often paired with ISO/IEC 27018, which adds controls for protecting personally identifiable information (PII) processed in public clouds.
Understand how ISO/IEC 27017 raises the bar and extends assurance to customers, wrapping customer information in heightened protections.

The cloud service provider benefits from ISO/IEC 27017 and 27018 controls in numerous ways, including these:
-
Adherence provides a competitive industry advantage, demonstrating robust controls for data protection
-
Safeguards against reputational damage and regulatory fines from a data breach, because it reduces the risk associated with intentional and unintentional threats
-
Promotes trust and confidence in the service provider’s business, resulting in reassurance to customers and stakeholders alike that information is safeguarded
-
Provides guidelines across geographies that bring consistency to data protection, promoting business growth.
How It Benefits Providers
Risk Management
Murphy’s First Law states that “things will go wrong in any given situation, if you give them a chance.” But by measuring and mitigating risk, chance can be minimised, and risk can be managed.
Many territorial laws require organisations to conduct formal risk assessments to manage risk and minimise the chance of a data breach. That's why there are risk management frameworks such as NIST SP 800-30 and ISO/IEC 27005 to help identify, analyse and treat risks. Allendevaux can help an organisation conduct proper risk assessments that meet contractual and statutory obligations.

A study by the OECD found that “boards did not fully appreciate the risks that the companies were taking, if they were not engaging in reckless risk-taking themselves, and/or deficient risk management systems.” The OECD adds that “effective risk management is not about eliminating risk-taking, which is indeed a fundamental driving force in business and entrepreneurship. At the same time, the need to strengthen risk management practices has been one of the fundamental driving forces in business and entrepreneurship.”
At Allendevaux & Company, we normally conduct a risk assessment at the outset of an engagement when implementing a data protection programme. Doing this enables the enterprise to understand its exposure to untreated risk; this is also called inherent risk, the amount of risk that exists in the absence of controls. Understanding the inherent risk in a system is a fundamental starting point, because it shows how much the existing controls are actually relied upon: the risk that remains once those controls are accounted for is the residual risk, and the gap between the two is what the treatment plan must justify.
How We Can Help
Healthcare Compliance
If your organisation handles healthcare data, heightened levels of protection are required by territorial laws to ensure the confidentiality, integrity and availability of this protected class of information. In the EU, the special requirements for Article 9 special-category data under the GDPR (which include data concerning health) overlap with national derogations. In the US, HIPAA mandates specific practices, and some states have added responsibilities.
We help organisations understand what’s required from a compliance perspective, and to implement a data protection framework to fulfill that scope.

How We Can Help
We provide several scopes to ensure healthcare compliance. Some of these include the following:
-
Healthcare Gap Analysis – Measuring an organisation’s current practices against territorial regulatory requirements, and specifying any gaps that must be addressed to pass a compliance audit. This is also useful for an organisation that wants to map regulatory requirements onto an enterprise compliance framework such as ISO/IEC 27001 or SOC 2.
-
Healthcare Risk Assessment – This includes identifying risks, documenting each one, then proposing a treatment plan. It could also involve performing the healthcare gap analysis noted above. The assessment may also involve a cybersecurity assessment to validate internal and external hardening. The cybersecurity audit identifies vulnerabilities so that weaknesses may be addressed, and it demonstrates due care and due diligence should a breach ever occur.
-
Healthcare Audit – An auditor reviews the administrative processes, technical controls, and physical security practices of an organization along with evidence of practice. This will produce an attestation of compliance or non-compliance.
Data Protection-as-a-Service
Privacy laws today continue to change, and most now carry aggressive penalties; Europe’s GDPR is the prominent example.
Failure to understand these requirements and comply with every aspect can severely impact an organization. Our goal is for you to avoid any negative consequences.
That's why we help organizations achieve data privacy compliance and offer data protection services.

Privacy compliance and data protection services offered:
-
Determine geographic and sectoral data privacy regulatory requirements and create a matrix
-
Conduct a personal data inventory and a sensitive information inventory to identify personal and sensitive data of employees, contractors, customers, partners and others
-
Map personal data flows throughout the organization to understand security of personal data at rest, in transit, or processing
-
Conduct a data privacy risk assessment to benchmark current personal data security practices against requirements, generating a gap analysis that can be prescriptively mitigated
-
Design a data privacy and protection programme that addresses administrative, technical, and physical controls to meet regulatory requirements
How We Can Help
Legal & Regulatory Compliance
Data breaches are surging upward at a startling rate and over one hundred countries around the world have enacted data protection laws. These require organisations to understand statutory obligations and implement best practice safeguards to protect the information with which they’re entrusted.
Laws such as the EU’s GDPR and California’s CCPA have raised the bar, extending extraterritorial reach so that controllers and processors abroad that handle their residents’ data are bound by the same obligations.

How We Can Help
At Allendevaux & Company, we advise our clientele to take an inventory of geographic and sectoral regulations affecting data subjects and data processed. We help build a legal register from which statutory obligations are tracked and policies are created, framing the components of a strong information security management system.
For multinational companies with complex compliance obligations, we untangle and demystify regulatory confusion, combing through the data protection, transborder flow and data localisation obligations that organisations must understand and implement.
Marketing & Global Privacy
If you’re engaged in sending marketing emails, you should know your statutory obligations in areas of the world where your emails are received. By implementing a marketing policy that takes into consideration the statutory obligations of applicable territories, you will avoid costly pitfalls.

When undertaking activities to promote the buying and selling of products and services, organisations often send messages to other businesses (B2B marketing) or potential consumers (B2C marketing). Yet laws around the world have implemented heightened requirements for lawful marketing, often requiring complex consent and opt-in practices.
Allendevaux & Company can help provide guidance for 111 territories around the world, building policies and procedures to ensure your organisation understands its obligations and avoids costly enforcement actions. We track opt-in and opt-out consent countries, including some that have unique practices. We can audit your messaging and help shape your practices to ensure they are lawful. We will review your consent request process and provide consent language that meets the requirements of each territory, third-party sharing notices, messaging for joint controller marketing, checklists for managing consent and more. We can also develop data subject request policies and procedures for individuals exercising their data subject rights, including opt-out requests, objections to processing and the right to be forgotten, to name a few.
How We Can Help
Data Protection Officer-aaS
HIPAA compliance is required for covered entities (health plans, healthcare clearinghouses and healthcare providers) and for their business associates that handle protected health information (PHI). The Department of Health and Human Services enforces it vigorously, and non-compliance can result in substantial fines, reputational damage and even third-party oversight under a corrective action plan.
We help organizations to understand what's required of them and implement a framework to fulfill that scope.

How We Can Help
We provide several scopes to ensure HIPAA compliance. Some of these include the following:
-
HIPAA Gap Analysis – Measuring an organisation’s current practices against HIPAA requirements, and specifying any gaps that must be addressed to pass a compliance audit. This is also useful for an organisation that wants to map HIPAA requirements onto an enterprise compliance framework such as ISO/IEC 27001.
-
HIPAA Risk Assessment – This includes identifying risks, documenting each one, then proposing a treatment plan. It could also involve performing the HIPAA gap analysis noted above. The assessment may also involve a cybersecurity assessment to validate internal and external hardening. The cybersecurity audit identifies vulnerabilities so that weaknesses may be addressed, and it demonstrates due care and due diligence should a breach ever occur.
-
HIPAA Audit – An onsite auditor reviews the administrative processes, technical controls, and physical security practices of an organization along with evidence of practice. This will produce an attestation of compliance or non-compliance.
Information Security Training

Get In Touch
Have any questions? Feel free to contact us and we’ll get back to you.