
ISO 27001

ISO 27001 and its related standards descend from British Standard 7799: BS 7799 Part 2 became ISO/IEC 27001 (the certifiable management-system requirements), while BS 7799 Part 1 became ISO 17799, later renumbered ISO/IEC 27002 (the code of practice for controls). The ISO 27000 family, often called the ISO 27k standards, provides comprehensive guidance for deploying and maintaining a strong security posture across the organization. Stratum uses the control guidance in ISO/IEC 27002 to baseline the organization's security controls and to identify the gaps that must be closed on the way to compliance. Controls in the following areas, which correspond to the eleven control clauses of ISO/IEC 27002:2005, are identified and analyzed for effectiveness using a variety of testing techniques.
 
•    Security Policy
•    Organizational Security
•    Asset Management
•    Personnel Security
•    Physical Security
•    Communications and Operations Security
•    Access Control
•    Information Systems Acquisition, Development, and Maintenance
•    Incident Management
•    Business Continuity & Disaster Recovery
•    Compliance
 
Stratum uses a variety of test methods to determine control compliance, including:
 
- Documentation Review – Stratum reviews policy and procedure documents, as well as artifacts prepared specifically for the audit. Formal documents include written policies and procedures, forms, and logs. Artifacts prepared for the audit include screen captures of configuration items such as Active Directory group policy settings and password complexity requirements. Because a screen capture is point-in-time evidence produced by the auditee, it is corroborated against the live configuration during observation rather than accepted on its own.
 
- Personnel Interviews – Stratum interviews key personnel to determine actual operating procedures, to gauge their knowledge of and familiarity with documented policies and procedures, and to identify controls in place that cannot be readily ascertained from document review alone. Discrepancies between what is documented and what staff describe are themselves findings.
 
- Observation – Stratum directly observes controls that may not be formally documented or that cannot be assessed by the other methods, including door locks, cameras, electronic access control system logs, visitor logs, and live system configuration items. Observation confirms that a control actually operates as the documentation and interviews claim, not merely that it is described.