Our client, a municipal government, was pursuing certification of its information security program against an internationally recognized security standard to demonstrate the effectiveness of its controls to its government stakeholders, suppliers, and the public. Its audit department wanted to assess the readiness of the deployed Information Security Management System (ISMS) for certification against ISO/IEC 27001:2013.
Experis Solutions performed a program readiness audit that evaluated the client’s security program to determine its certification readiness; identify significant gaps and improvement opportunities; and develop a roadmap of recommended corrective actions to prepare the program to achieve certification.
We evaluated the scope, policies, controls, and governance capabilities implemented to create the ISMS and assessed the risk-management processes used to identify and drive risk reduction in the departments covered by the ISMS. Experis identified a significant number of compliance gaps and process improvements that would affect the client's ability to achieve certification and provided recommendations to address each gap and opportunity.
The readiness audit report included:
- Findings and analysis of the municipality’s current state of readiness
- A detailed list of identified certification gaps and program improvements
- A prioritized roadmap of recommendations to achieve certification readiness
Experis exposed readiness issues, including critical and previously unknown weaknesses in the security controls and risk management capabilities. The accompanying roadmap of corrective actions provided the client with the guidance needed to reduce its risks and achieve certification.
We also suggested improvements to the client’s information protection program beyond the certification readiness audit, reflecting the extended value Experis brings to every client engagement.