Does your organization comply with the ISO 27001/27002 security standards?

The ISO 27002 gap analysis audit proposed by DOREA-Consulting is a set of hundreds of control points, all aligned with the ISO 27001 controls.

ISO 27002 gap analysis

Audit organization and logistics

DOREA-Consulting provides detailed reporting and a schedule for the complete duration of the audit. For each meeting, off-site or on-site, DOREA will provide minutes of the meeting that summarize all important subjects discussed.

The ISO 27002 gap analysis audit

The ISO 27002 audit provided by DOREA-Consulting GMBH can be divided into several phases, all of which are described below.

The interviewers

The duration of a typical interview is about one day per person, depending on the responsibilities and competences of each interviewee.

DOREA-Consulting will provide two senior consultants for each individual interview. The consultants are experienced in one or several fields related to IT security, and at least one of them holds a valid ISO 27001 certification.

The interview

DOREA-Consulting assumes that each person interviewed is in charge of a specific part of the IT organization and can, within his or her field of activity, provide adequate responses for all sites concerned by the audit.

Each member of your IT staff typically matches one or several of the following criteria.

Procedure of delivery

10 days after the last interview has been completed, DOREA-Consulting GMBH will provide a detailed audit report to its customer.

Since the audit report is confidential, DOREA-Consulting will provide an encrypted electronic version of the report and its attachments in 2 separate e-mails to a single person from your organization.

Structure of the report and content

As part of the ISO 27002 audit report analysis, DOREA will provide several documents.
The interviews are usually conducted by 2 senior consultants. For each question, the answer given is summarized in a protocol-style record, and a score for each section or subsection of the question set is also made available.

All of the interviews are consolidated into a single “database” or Excel sheet, which allows the details of each individual interview to be extracted through metrics. The scoring described below is one of the metrics used throughout the interview and is left to the discretion of the interviewer. Nonetheless, both interviewers will adjust the metrics whenever they have a different perception of the risk implied by a given answer.
Once DOREA has provided its customer with all documents described below, an on-site presentation can be scheduled to highlight specific sections of the audit report.

Each document provided by DOREA-Consulting can be described as follows:

Interview transcript

Consolidated interview transcript

Final Audit report

Methodology for internal/external penetration test

The penetration testing service provided by DOREA-Consulting in cooperation with its Swiss partner is a sequence of tests and actions based on a proven methodology, which relies partly on specific tools (presented at the end of this document) and partly on the individual experience of the consultants.
Each “pentest” starts with a detailed scan of the network to identify potential resources and “hacking vulnerabilities” that could allow an attacker to take control of a portion of the strategic resources.

In this context, none of the potentially harmful attacks will be executed to completion. Please note that any attempt, even a harmless port scan, can in some cases crash a machine; DOREA-Consulting and/or its partner does not accept any responsibility for consequences of such a “standard action”, which is not related to any deliberate attack on the system or its resources.

The consultants provided by DOREA-Consulting for the external penetration test have participated on a regular basis in several contests worldwide in order to maintain and improve their hacking skills. Any personnel acting on your organization's network has been cleared by our Swiss partner and DOREA-Consulting and can be considered trustworthy. Before the beginning of any intervention, DOREA will provide detailed personal information on each “hacker”, their CVs, and a time frame/schedule in which the attack attempt will be performed. Our personnel is committed to following specific ethical rules and is trained to avoid any harmful action to our customer's information system.

Vulnerability scan - preparation

Vulnerability scan first result

Vulnerability scan - discovery

Intermediate test result presentation (while on-site)

Example of contests and events attended by our consultants

The following are examples of events our personnel attended in the past for training or “challenge” purposes.