Bulletproof’s range of cyber security, data protection and compliance services are your best defence against threats to your business. With nearly a decade of providing trusted security services, we’re continuing our mission of solving the greatest cyber security & compliance challenges through innovation and simplicity. Explore our range of services and find out how Bulletproof can help your business.
Helping people solve their security challenges is what we do, so we’re always keen to hear from you.
Discover CREST penetration testing & continuous security
Internal & external infrastructure, network & system testing
Manage multiple tests & get external security assurance
Thoroughly assess your web apps & APIs for security flaws
Test your response to a simulated real-world cyber attack
All cloud platforms & services tested, including Azure & AWS
Test your human cyber defences with social engineering
Android, iOS & custom mobile application security testing
Find out more about penetration testing – what it is, when you need it, and why it’s a core component of any business. Discover how pen test helps with compliance, powers best practices, and helps your organisation win new business.
Gap analysis, implementation, audits & more from GDPR experts
On-going support to easily manage your data protection obligations
Consultant-led support to meet all levels of DSPT submission
Flexible & engaging data protection training from certified experts
Get peace of mind that your data protection is being managed by trusted, certified consultants. All Bulletproof data protection services are delivered by our highly trained, experienced and qualified staff.
Gap analysis, implementation, audits & more from dedicated ISO consultants
Find the next step in your strategy with this consultant-led assessment
Get quick & easy CE certification with a range of feature-packed packages
Flexible access to top-tier information security strategy & management
Experienced SOC 2 consultants, AICA audits & compliance automation platform
On-site, remote and video-based security training to boost your resilience
Affordable expertise & support to help you meet & maintain PCI DSS compliance
Go beyond compliance with information security services that are designed to give real operational benefits to your business. All delivered by seasoned, certified Bulletproof security consultants.
24/7 defence against cyber attacks with proactive threat detection
Get help responding & recovering from cyber incidents
Detect, analyse and stop cyber attacks with real-time prevention
Forensic support & data recovery following cyber attacks
Stay on top of new vulnerabilities with powerful, flexible scanning
Evaluate your wireless network for security weaknesses
Discover how your business can identify & manage cyber threats
Comply with regulations, meet certification standards & best practices
Train and test your staff for security resilience, data protection & compliance
No matter what your cyber or compliance challenges, Bulletproof is here to help. We like to work with you as a trusted partner to solve problems, not sell services. No pressure tactics and no false promises.
Learn about our mission to make cyber & compliance accessible to all
Grow your business with high-margin, high-value & partner-ready services
Become part of the Bulletproof team & supercharge your career
Bulletproof’s in-house SOC powers our Managed SIEM & MDR services
We love to talk. Tell us about your cyber & compliance challenges
At Bulletproof we love to solve problems with simplicity & innovation. It’s our mission to make compliance & cyber security services accessible to all. We take pride in building and nurturing teams of exceptional talent, so we’re confident that our cyber security & compliance services are the best way to stay one step ahead of the hackers and protect your business.
Helping people solve their security challenges is what we do, so we’re always keen to hear from you, no matter what you have to say.
Get the latest news, views & expert insight in the world of cyber security, data protection & compliance
A helpful index of cyber security terms, compliance acronyms and industry terminology to make life easy
Discover what we have to say about the threat landscape & what businesses need to know to get ahead
Find out how we can make companies like yours Bulletproof. Don’t take our word for it, hear direct from our clients
Detailed insights & helpful tips for understanding penetration testing, data protection & more
Interesting data & top tips at a glance, with insightful infographics covering all areas of cyber security & compliance
Watch our experts talk through their thoughts & opinions on a variety of security & compliance topics
See when & where we’re going to be bringing Bulletproof insight to an event near you
Ayisha Bari
Find out what ransomware is, how attacks work & types of attack to help you get started with keeping ransomware out of your business.
Read More
As the leading international standard on information security management, ISO 27001 is an important certification for businesses and is increasingly being demanded by customers as part of their supply chain management. With its standardised processes and reputational status, ISO 27001 shows interested third parties and prospective clients that you take the confidentiality, integrity and availability of their data seriously.
ISO 27001 is more than just an accreditation. It’s a way for you to transform your business practices by implementing an effective and strategic information security management system (ISMS). A well-planned ISMS can help to improve the security of your business operations, manage risk, and bring existing policies and procedures in line with information security best practices.
We have put together the following guide to help your business build an effective ISMS, including key considerations and next steps after you’ve implemented an ISMS, as you work towards ISO 27001 certification.
One of the biggest considerations for implementing an ISMS is time and money. For example, scheduling meetings with key stakeholders, providing resources to implement and manage an ISMS, facilitating cross-department collaboration, and accounting for system and process reviews, will all place considerable demand on your time and budget. You will also need to account for external consultation and certification fees. So, having a breakdown of costs is essential for ensuring that you can carry out the project in full and secure internal funding.
Implementing ISO 27001 requires considerable commitment from your existing teams so it’s not a decision many businesses can take lightly. That’s why it’s important to secure buy-in from both senior management and key stakeholders early on. This will allow you to communicate why ISO 27001 is a worthwhile investment for your organisation. You will also need to set expectations and agree on the scope of the work to be carried out with senior management.
With your budget in place and your implementation plans signed off, it’s time to pull together your project team. When allocating responsibility, you’ll need to find staff with expertise in information security. This should include both physical and cyber security, and ideally, they should also have prior experience with auditing and ISMS implementation.
If these skills don’t exist within your workforce, consider hiring external experts who are qualified ISO 27001 lead implementers and auditors. Their experience of implementing and auditing an ISMS can bring valuable insight and provide methods to ensure you implement an ISMS in the most effective and time efficient manner.
Once you have secured support from senior management and allocated resources to your team, use the following steps to guide your ISO 27001 implementation:
Leadership has a critical role to play in the implementation of ISO 27001. If senior management are not on board, it’ll be incredibly difficult to implement an effective and functioning ISMS that will become part of business-as-usual activities. Leadership will have a key role in:
Here, the company should be identifying internal and external factors that may impact on its ability to achieve the intended outcomes of its Information Security Management System. By understanding the organisation and its context, you should be able to define the purpose of your ISMS.
The scope should be well defined and manageable according to the resources available. It’s important to remember that the scope doesn’t necessarily have to cover the entire organisation. The scope of your ISMS should consider:
A crucial part of ISO 27001 implementation is your risk assessments and Risk Management Framework (RMF). They play a key role in helping to identify where additional controls are needed. Establishing an RMF allows a business to identify, understand and manage risks in a structured and consistent manner, and align the actions needed with your business’s objectives.
The risk assessment can be carried out using many different methods as ISO 27001 does not define a specific methodology. However, the key is to identify risks that can affect the confidentiality, integrity and availability of information assets. The risk assessment will enable your business to identify those risks that need to be addressed. From this, a risk treatment plan can be developed to define what needs to be done to address the risks. For example, apply new controls, decide to accept the risk or terminate the activity that is causing the risk, along with timescales.
Once the risk assessment and treatment plans are developed, a Statement of Applicability (SoA) can be created. A SoA clearly outlines the controls the organisation has and isn’t applying.
Once the controls that are needed have been identified, it’s time to implement them. This can require several different activities and will need input from a wide variety of people across different parts of the organisation. It’s important to remember that controls can be:
Certain policies and procedures will need to be documented as this is a mandatory requirement of ISO 27001. For example, the information security policy is a mandatory document, but it’s important to remember that not everything needs to be documented and organisations should always take care to ensure their documentation is manageable.
Monitoring and evaluating your ISMS is critical to ensure it is working correctly and continuous improvement is taking place. During implementation, this activity will involve conducting an internal audit which involves testing and evaluating the controls the organisation has implemented and identifying any areas where there are non-conformities.
Corrective actions can then be identified and implemented. Additionally, the standard requires, as part of monitoring activities, that your management team review the ISMS at periodic intervals. This is known as a management review and will cover areas such as:
The last step in the process is to achieve certification by undergoing a two-step auditing process conducted by a certification body. You will need to be able to provide the auditor with details of your ISMS and prove to them that it is a working system by demonstrating what you are doing. Many people get nervous about these audits, but if you’ve implemented your ISMS well, and can evidence that you are doing what you say you are doing, your road to certification will be a lot smoother.
You may now heave a sigh of relief having achieved certification BUT it’s important to remember that your work is not complete. An ISMS is a continuously evolving system, and your organisation must ensure that it is running as part of your business-as-usual activities. That means there will be an ongoing set of activities to carry out to maintain your ISMS and ensure that there are no problems when it comes to the annual audits. This is often the most difficult part for organisations as the focus moves away from the ISMS and resources get re-allocated. It is critical at this stage that there is a clear plan of activities to maintain the ISMS and adequate resources are in place to deliver this.
At Bulletproof, we can support your business through the entire process of implementation and beyond. Here’s how we can help:
Book your 1-hour free consultation with us today to speak with an ISO certified expert who can provide you with guidance on the next steps.
As Managing Director of Bulletproof, Nicky’s responsible for innovating and evolving Bulletproof’s compliance services. With a varied and interesting career, Nicky shares amazing insight that directly helps businesses overcome their security and compliance challenges.
At Bulletproof, we have the expertise your organisation needs to successfully implement ISO 27001. We may need to start with a Gap Analysis to identify which areas of your information security need to be improved and create a tailored implementation plan to deliver the most cost-effective compliance possible.
If you are interested in our services, get a free, no obligation quote today by filling out the form below.
I'd like to receive Bulletproof communications about relevant services and events
For more information about how we collect, process and retain your personal data, please see our privacy policy.