ISO/IEC 27001:2005 Information Security Management System (ISMS) Standard
Global Consultants (GC) Company provides a range of ISO 27001 services in Kuwait, including ISO 27001 consulting, training and certification support.
On the consulting side, GC, acting as ISO 27001 consultant, helps business entities identify the clauses of the ISO 27001 standard and apply them to their information security practices so that these become a standardized management system.
On the ISO 27001 training side, GC transfers know-how to the people (human resources) who will operate and audit the system on a regular basis.
With respect to ISO 27001 certification services, GC as ISO 27001 consultant connects you with certification bodies, which independently audit your information security management system to confirm its compliance with the ISO 27001 standard. A successful audit round leads to the granting of an international certificate.
ISO 27001 specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements.
Business entities who have adopted ISO 27001 can therefore be formally audited and certified as compliant with the standard.
Most business entities have a number of information security controls. However, without an information security management system (ISMS), controls tend to be somewhat disorganized and disjointed. Moreover, business continuity planning and physical security may be managed quite independently of IT or information security, while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the entity.
The last few years have seen many successful attempts to penetrate information networks, whether those of government entities (such as the penetration of the Pentagon's network and the publication of its information through WikiLeaks), of oil sector entities (such as the penetration of the Saudi Aramco network) or even of private sector companies.
Such attacks aim at illegally obtaining information or destroying information systems, thereby harming the performance of the affected companies. These penetrations have taken many forms, including viral attacks, advanced penetration techniques and misuse, whether intentional or unintentional, by people working within those entities. Hence there is a great need for business entities to maintain the security and confidentiality of both electronic and paper information.
Due to the importance of the information security to businesses, the regulatory bodies in Kuwait have issued laws and regulations to those entities under their supervision on maintaining the confidentiality of information, particularly confidentiality of customer information. Among those regulatory bodies are:
a. Capital Markets Authority (CMA) - Kuwait
  Article 149 provides that "licensee shall maintain policies and procedures necessary to maintain confidential or internal information which the licensee obtains while performing the activities of securities. The main purpose is to ensure that information shall not be disclosed except to authorized employees".
b. Central Bank of Kuwait (CBK)
  In its regulations, CBK stresses information security, including in its regulations dated 15 February 1998 on the internal control systems of investment companies, which state:
  "Company Management shall maintain policies for information security, including standards, procedures and responsibilities that ensure adequacy and accuracy of arrangements used."
Therefore, IT departments in business entities (banks, companies and government bodies) are in dire need of implementing information security management systems, given the sensitivity and seriousness of the information circulated through such systems. It has become imperative for business entities to seek international ISO 27001 consultation and certification, which reflect the integrity of the system applied in accordance with international standards in this context.
Global Consultants Company provides a range of ISO 27001 services in Kuwait to qualify the information security management systems of business entities against the ISO 27001 Information Security Management System (ISMS) Standard.
Details of obtaining the ISO 27001 certificate for an information security management system (ISMS) are presented below in the form of Frequently Asked Questions (FAQ):
1- What is ISO 27001 Information Security Management System (ISMS) standard?
  ISO 27001 Information Security Management System (ISMS) standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the business entity’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual businesses.
2- What are the entities that need to be qualified against the ISO 27001 standard?
 
Oil companies
Government agencies
Public shareholding and closed companies (in all sectors, such as telecommunications companies, hospitals, etc.)
Privately owned companies and large individual organizations
Non-profit organizations (NGOs)
International and regional organizations
3- What are the advantages of implementing ISO 27001 Information Security Management System (ISMS) Standard?
 
Compliance with the regulatory requirements of Capital Markets Authority and the Central Bank of Kuwait on maintaining the security and confidentiality of customer data.
Designing the best and most economical internal controls that are commensurate with the business environment and volume.
Establishing documented policies and procedures based on risk assessment and developing systems to address potential risks.
Reducing the cost of re-creating databases and automated systems in case of loss or penetration.
Harmonization of policies and procedures for all organizational units in handling Information Security Management.
Assuming a leading position in the market competitive environment.
Raising awareness among employees within the business entity on the concept of Information Security Management.
Increasing the effectiveness and efficiency of the information security operation and management, thus saving time and resources through activating the process engineering.
Ensuring business continuity in crisis situations.
Adoption of appropriate and adequate security controls to protect information and increase confidence of all parties dealing with the business entity.
4- What is the starting point for any business that decides to proceed on implementing ISO 27001 Information Security Management System (ISMS) Standard?
  Simply approach an ISO 27001 consulting company, i.e. Global Consultants Company, where you will have access to accumulated practical experience and a team of qualified experts who hold specialized certifications such as ISO 27001 Lead Auditor. Such expertise gives Global Consultants Co. a competitive edge over the competition and allows us to qualify various businesses for certification against ISO 27001.
5- What is ISO 27001 consultancy role played by Global Consultants as a consulting company in qualifying a business for certification against ISO 27001?
  Global Consultants company in Kuwait offers ISO 27001 consultancy services in this area according to the following phases:
 
Phase I : Analysis of the gap between the current situation and the ISO 27001 Information Security Management System (ISMS) standard requirements.
Phase II : Documenting the system according to the ISO/IEC 27001:2005 Information Security Management System (ISMS) standard requirements.
Phase III : Supervising the system implementation.
Phase IV : Internal audit and management review.
Phase V : Training on the principles of ISO 27001 standards.
Phase VI : Following-up with the Certification Body.
Phase VII : System Maintenance during the Certification validity.
 
6- What is the relationship between information security system and information risk management and internal control systems?
  The information security system, according to the requirements of the ISO 27001 Information Security Management System (ISMS) standard, is based on the following:
 
A. Information Asset Identification
B. Risk assessment
C. Developing risk treatment plan by designing a set of Internal Controls that are commensurate with the nature and volume of business.
D. Residual risk assessment and monitoring.
E. Internal Controls performance assessment.
7- How long does it take a consulting company to qualify a business for certification against the ISO 27001 standard?
  The consultation period required to qualify a business entity for certification against this standard ranges from 3 to 6 months, depending on the outcome of Phase I above, i.e. the analysis of the gap between the current situation and the ISO 27001 standard requirements.
8- What is the Certification Body? What is the role played by them in certifying a business entity against ISO 27001 standard?
  The Certification Body is an internationally accredited entity that performs an independent external audit of the system implemented by the business entity. The role of the Certification Body is limited to auditing the system that was created by the business entity against the ISO 27001 standard requirements. If the audit finds the system compliant with those requirements, the business entity is certified against the ISO 27001 Information Security Management System (ISMS) standard.
9- What are the International Accreditation Bodies?
  Each certificate issued by the certification body must be approved by an international accreditation body. The accreditation bodies are often governmental or non-profit agencies working to develop standards for audits to be done by the certification body to ensure their commitment to quality service. Examples of accreditation bodies include the United Kingdom Accreditation Service (UKAS), the American National Standards Institute (ANSI), among others.
10- What is the validity period of the ISO 27001 certificate obtained by a business entity?
  The Certificate is valid for three years from the date of successfully passing the audit by the Certification Body.
11- Does the certification body perform any periodic audits during the validity of the certificate? Is this optional or mandatory?
  Yes, the certification body performs mandatory periodic audits throughout the validity of the certificate, once or twice a year, depending on the certification body's estimation of the size of the information security management system maintained by the business entity.
12- Does the consultancy service provider have any consulting role to offer to the business entity during the certificate validity period?
  This depends on the needs of the business entity itself. However, based on our experience with many business entities, continued support from the consultancy service provider to the internal audit team and to all organizational units on the implementation mechanisms ensures the effective implementation of the system and minimizes the chances of non-compliance with the ISO 27001 requirements. Non-compliance may result in withdrawal of the certificate. Even if the certificate is still within its validity period, its withdrawal requires the business entity to stop using the certificate or its trademark and to discontinue representing it as valid to any third party. Otherwise the entity shall be subject to legal accountability in this regard.
13- When the certificate expires, how is ISO 27001 Certification renewed?
  Upon expiry, a full audit of the system is conducted again to ensure it remains sound and fully up to date. If the audit finds the system compliant with the requirements, the certificate is re-issued and is valid for another three-year period.
14- Does Global Consultants offer any ISO 27001 training courses?
  Yes, Global Consultants provides three types of ISO 27001 training courses on Information Security Management System (ISMS) standard, as follows:
 
A. ISO 27001 awareness training courses on the requirements of Information Security Management System (ISMS) standard. These courses are designed in the form of specific hours a day to fit the work system at the business entity.
B. "ISO 27001 Internal Auditor" training courses, which are delivered over periods of three days, from 8:00 a.m. to 5:00 p.m., and end with an exam administered by Global Consultants.
  Accredited "ISO 27001 Internal Auditor" training courses, which are delivered over periods of three days, from 8:00 a.m. to 5:00 p.m., and end with an exam administered by a certification body.
C. Accredited "ISO 27001 Lead Auditor" training courses, which are delivered over periods of five days, from 8:00 a.m. to 5:00 p.m., and end with an exam administered by a certification body.
If you require any further information not covered by the questions above, kindly contact our Business Development Department and we will be happy to answer all your queries regarding the ISO 27001 Information Security Management System (ISMS) Standard.
 
GLOBAL CONSULTANTS
KUWAIT
Tel: +965 1828283
Fax: +965 22426532
Email: info@gckw.com
Accredited in training by the "International Accreditation Organization"