With information security breaches now the new normal, security teams are compelled to take dedicated measures to reduce the risk of suffering a damaging breach. ISO 27001 presents an effective way of reducing such risks.
This blog explains how to obtain ISO 27001 certification and looks at the certification process.
Get an understanding of ISO 27001
Reading the standard provides an excellent background to ISO 27001 and its requirements. There are several ways to up-skill yourself about ISO 27001:
- Read a free white paper about the Standard
- Read IT Governance’s free information about ISO 27001 and how to get started
- Purchase a copy of the Standard
- Attend an introductory online ISO 27001 Foundation training course
Appoint an ISO 27001 champion
Gaining an insight into ISO 27001 is a helpful way of familiarizing yourself with the certification process. Still, you need a true expert to help complete the process.
This can be someone within your organization or a third party to manage the process.
Either way, they should have experience implementing an ISMS (information security management system) and understanding how to implement its requirements within your organization.
If you do not have internal expertise, you may want to enroll in the ISO 27001 Online Lead Implementer training course.
Secure senior management support
No project can be successful without the buy-in and support of the organization’s leadership.
A gap analysis, which comprises a comprehensive review of all existing information security arrangements against the requirements of ISO/IEC 27001:2013, presents a good starting point.
A thorough gap analysis should ideally include a prioritized plan of recommended actions and additional guidance for scoping your ISMS.
The results from the gap analysis can be provided to develop a strong business case for ISO 27001 implementation.
2) Establish the context, scope, and objectives
It is essential to pin down the project and ISMS objectives from the outset, including project costs and timeframe.
You will need to consider whether you will be using external support from a consultancy or have the required in-house expertise.
You might want to maintain control of the entire project while relying on the assistance of a dedicated online mentor at critical stages of the project.
Using an online mentor will help ensure your project stays on track while saving you the associated expense of using full-time consultants for the project’s duration.
You will also need to develop the scope of the ISMS, which may extend to the entire organization or only a specific department or geographical location.
When defining the scope, you will need to consider the organizational context and the needs and requirements of interested parties (stakeholders, employees, government, regulators, etc.).
‘Context’ considers internal and external factors that could influence your organization’s information security. It includes aspects such as the organizational culture, risk acceptance criteria, existing systems, processes, etc.
Consider an all-inclusive Do it Yourself package that includes five days of structured consultancy, in addition to tools, training, and software.
3) Establish a management framework
The management framework describes the processes an organization needs to follow to meet its ISO27001 implementation objectives.
These processes include asserting accountability of the ISMS, a schedule of activities, and regular auditing to support a cycle of continuous improvement.
4) Conduct a risk assessment
While ISO 27001 does not prescribe a specific risk assessment methodology, it does require the risk assessment to be a formal process.
This implies that the process must be planned, and the data, analysis, and results must be recorded.
Before conducting a risk assessment, you must establish your baseline security criteria.
This refers to the organization’s business, legal, and regulatory requirements and its contractual obligations related to information security.
vsRisk Cloud, the simplest and most effective risk assessment software, provides the framework and resources to conduct an ISO 27001-compliant risk assessment.
5) Implement controls to mitigate risks
Once the relevant risks have been identified, the organization must decide whether to treat, tolerate, terminate, or transfer the risks.
It is crucial to document all risk responses since the auditor will want to review them during the registration (certification) audit.
The SoA (Statement of Applicability) and RTP (risk treatment plan) are two mandatory reports that must be produced as evidence of the risk assessment.
6) Conduct training
The Standard requires that staff awareness programs be initiated to raise awareness about information security throughout the organization.
You will also be required to implement policies that direct employees towards good habits.
This might include a clean desk policy and the requirement to lock computers whenever they leave their workstations.
A company-wide staff awareness e-learning course is the easiest way to bring across the philosophy behind the Standard and what employees should do to ensure compliance.
7) Review and update the required documentation
Documentation is required to support the necessary ISMS processes, policies, and procedures.
However, compiling policies and procedures is often a pretty tedious and challenging task.
Fortunately, documentation templates – developed by ISO 27001 experts – are available to do most of the work for you.
Formatted and fully customizable, these templates contain expert guidance to help any organization meet all the documentation requirements of ISO 27001.
At a minimum, the Standard requires the following documentation:
- The scope of the ISMS
- Information security policy
- Information security risk assessment process
- Information security risk treatment process
- The Statement of Applicability
- Information security objectives
- Evidence of competence
- Documented information determined by the organization as being necessary for the effectiveness of the ISMS
- Operational planning and control
- Results of the information security risk assessment
- Results of the information security risk treatment
- Evidence of the monitoring and measurement of results
- A documented internal audit process
- Evidence of the audit programs and the audit results
- Evidence of the results of management reviews
- Evidence of the nature of the non-conformities and any subsequent actions taken
- Evidence of the results of any corrective actions taken
8) Measure, monitor, and review
ISO 27001 supports a process of continual improvement. This requires that the performance of the ISMS be constantly analyzed and reviewed for effectiveness and compliance, in addition to identifying improvements to existing processes and controls.
9) Conduct an internal audit
ISO/IEC 27001:2013 requires internal audits of the ISMS at planned intervals.
Practical working knowledge of the lead audit process is also crucial for the manager responsible for implementing and maintaining ISO 27001 compliance.
The Online Certified ISO 27001 Lead Auditor course teaches you how to plan and execute an effective information security audit according to ISO 27001:2013.
It also teaches you to lead a team of auditors and conduct external audits. If you have not yet selected a registrar, you may need to choose an appropriate organization for this purpose.
Registration audits (to achieve accredited registration, recognized globally) may only be conducted by an independent registrar accredited by the relevant accreditation authority in your country.
10) Registration/certification audits
During the Stage One audit, the auditor will assess whether your documentation meets the requirements of ISO 27001. They will also point out any areas of nonconformity and potential improvement of the management system.
Once any required changes have been made, your organization will be ready for your Stage 2 registration audit.
During a Stage Two audit, the auditor will conduct a thorough assessment to establish whether you comply with the ISO 27001 standard.
How long will it take to get certified?
The ISO 27001 implementation process will depend on the size and complexity of the management system, but in most cases, small to mid-sized organizations can expect to complete the process within 6–12 months.
Certification support with IT Governance USA
Are you ready to begin your ISO 27001 project? If so, our range of implementation bundles are the perfect starting point.
With a combination of tools, software, guides, and qualification-based training with up to 40 hours of online consultancy, you’ll receive the expert guidance you need to meet your organization’s requirements.
They’ll help you reduce the time and effort required to implement an ISMS, as well as eliminate the costs of consultancy work, travelling and other expenses associated with traditional consultancy.
A version of this blog was originally published on March 13, 2019.