Certification to the increasingly popular international information security management standard ISO 27001 is now growing at 91% year-on-year in the USA (ISO survey), which is significantly higher than the global growth rate of 20%. With information security breaches now the new normal, security teams are compelled to take dedicated measures to reduce the risk of suffering a damaging breach. ISO 27001 presents an effective way of reducing such risks. But what should you do to get certified?
Get an understanding of ISO 27001:2013 Reading the standard provides a good background to ISO 27001 and its requirements. There are a number of ways to up-skill yourself about ISO 27001:
- Read a free white paper about the Standard
- Read IT Governance’s free information about ISO 27001 and how to get started
- Purchase a copy of the Standard (the Standard is not freely available)
- You may want to attend an introductory online ISO 27001 Foundation training course
Appoint an ISO 27001 champion It is important to secure someone knowledgeable (either internally or externally) with solid experience of implementing an information security management system (ISMS), and who understands the requirements for achieving ISO 27001 registration. (If you do not have internal expertise, you may want to enrol for the ISO 27001 Online Lead Implementer training course.) Secure senior management support No project can be successful without the buy-in and support of the organization’s leadership. A gap analysis, which comprises comprehensive review of all existing information security arrangements against the requirements of ISO/IEC 27001:2013, presents a good starting point. A comprehensive gap analysis should ideally also include a prioritized plan of recommended actions, plus additional guidance for scoping your information security management system (ISMS). The results from the gap analysis can be provided to develop a strong business case for ISO 27001 implementation.
2. Establish the context, scope, and objectives
It is essential to pin down the project and ISMS objectives from the outset, including project costs and timeframe. You will need to consider whether you will be using external support from a consultancy, or whether you have the required expertise in-house. You might want to maintain control of the entire project while relying on the assistance of a dedicated online mentor at critical stages of the project. Using an online mentor will help ensure your project stays on track, while saving you the associated expense of using full-time consultants for the duration of the project. You will also need to develop the scope of the ISMS, which may extend to the entire organization, or only a specific department or geographical location. When defining the scope, you will need to consider the organizational context as well as the needs and requirements of interested parties (stakeholders, employees, government, regulators, etc.). ‘Context’ takes into account internal and external factors that could influence your organization’s information security, and includes aspects such as the organizational culture, risk acceptance criteria, existing systems, processes, etc. (Consider an all-inclusive Do it Yourself package that includes five days of structured consultancy, in addition to tools, training and software).
3. Establish a management framework
The management framework describes the set of processes an organization needs to follow to meet its ISO27001 implementation objectives. These processes include asserting accountability of the ISMS, a schedule of activities, and regular auditing to support a cycle of continuous improvement.
4. Conduct a risk assessment
While ISO 27001 does not prescribe a specific risk assessment methodology, it does require the risk assessment to be a formal process. This implies that the process must be planned, and the data, analysis, and results must be recorded. Prior to conducting a risk assessment, the baseline security criteria need to be established, which refer to the organization’s business, legal, and regulatory requirements and contractual obligations as they relate to information security. vsRisk, the simplest and most effective risk assessment software, provides the framework and resources to conduct an ISO 27001-compliant risk assessment.
5. Implement controls to mitigate risks
Once the relevant risks have been identified, the organization needs to decide whether to treat, tolerate, terminate, or transfer the risks. It is crucial to document all of the decisions regarding risk responses, since the auditor will want to review these during the registration (certification) audit. The Statement of Applicability (SoA) and risk treatment plan (RTP) are two mandatory reports that must be produced as evidence of the risk assessment.
6. Conduct training
The Standard requires that staff awareness programs are initiated to raise awareness about information security throughout the organization. This might require that virtually all employees change the way they work at least to some extent, such as abiding by a clean desk policy and locking their computers whenever they leave their work stations. A company-wide staff awareness e-learning course is the easiest way to bring across the philosophy behind the Standard, and what employees should do to ensure compliance.
7. Review and update the required documentation
Documentation is required to support the necessary ISMS processes, policies, and procedures. Compiling policies and procedures is often quite a tedious and challenging task, however. Fortunately, documentation templates – developed by ISO 27001 experts – are available to do most of the work for you. Formatted and fully customizable, these templates contain expert guidance to help any organization meet all the documentation requirements of ISO 27001. At a minimum, the Standard requires the following documentation:
- 3 The scope of the ISMS
- 2 Information security policy
- 1.2 Information security risk assessment process
- 1.3 Information security risk treatment process
- 1.3 d) The Statement of Applicability
- 2 Information security objectives
- 2 d) Evidence of competence
- 5.1 b) Documented information determined by the organization as being necessary for the effectiveness of the ISMS
- 1 Operational planning and control
- 2 Results of the information security risk assessment
- 3 Results of the information security risk treatment
- 1 Evidence of the monitoring and measurement of results
- 2 A documented internal audit process
- 2 g) Evidence of the audit programs and the audit results
- 3 Evidence of the results of management reviews
- 1 f) Evidence of the nature of the non-conformities and any subsequent actions taken
- 1 g) Evidence of the results of any corrective actions taken
Read this blogpost for further information about other documents that could be required.
8. Measure, monitor, and review
ISO 27001 supports a process of continual improvement. This requires that the performance of the ISMS be constantly analyzed and reviewed for effectiveness and compliance, in addition to identifying improvements to existing processes and controls.
9. Conduct an internal audit
ISO/IEC 27001:2013 requires internal audits of the ISMS at planned intervals. A practical working knowledge of the lead audit process is also crucial for the manager responsible for implementing and maintaining ISO 27001 compliance. The Online Certified ISO 27001 Lead Auditor course teaches you how to plan and execute an effective information security audit in line with ISO 27001:2013. It also teaches you to lead a team of auditors, and to conduct external audits. If you have not yet selected a registrar, you may need to choose an appropriate organization for this purpose. Registration audits (to achieve accredited registration, recognized globally) may only be conducted by an independent registrar, accredited by the relevant accreditation authority in your country.
10. Registration/certification audits
During the Stage One audit, the auditor will assess whether your documentation meets the requirements of the ISO 27001 Standard and point out any areas of nonconformity and potential improvement of the management system. Once any required changes have been made, your organization will then be ready for your Stage 2 registration audit. Certification audit During a Stage Two audit, the auditor will conduct a thorough assessment to establish whether you are complying with the ISO 27001 standard. How long will it take to get certified? With the right preparation, most small to mid-sized organizations can expect to achieve ISO 27001 certification within 6 – 12 months, depending on the size and complexity of the scope of the management system. To accelerate the implementation process, get an ISO 27001 expert to do it for you. For companies with fewer than 19 staff, you might want to consider a FastTrack™ service, which prepares organizations for registration within three months for well under $10,000.