Obtaining ISO 27001 certification is a complicated and time-consuming undertaking, but one that is worth the effort. ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS). Holding the certificate lets you show clients and other stakeholders, through independent audit rather than self-declaration, that your organization manages information security systematically.
Being ISO 27001 certified is no mean feat, and many enterprises now require it of the organizations they do business with. The certificate is also not a one-off: you must pass an initial certification audit, and then annual surveillance audits (with a full recertification audit every three years) to prove that you still comply.
To attain certification, your company must pass a demanding audit of its ISMS against the management-system clauses of the standard and against the Annex A controls that your risk assessment shows to be applicable. ISO/IEC 27001:2013, the edition this article describes, lists 114 Annex A controls in 14 categories; any control you exclude must be justified in your Statement of Applicability. (The 2022 revision restructured Annex A into 93 controls in four themes, so check which edition your certification body is auditing against.) The 14 categories of the 2013 edition are:
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
ISO 27001 lists these controls in its Annex A, while ISO 27002 provides implementation guidance for each control.
Preparation Is Important
Auditing your entire information security management system, including processes, procedures, people, and technologies, is challenging, and even more so in a large organization, where the audit findings can be numerous and complex enough to delay certification. There are, however, several things you can do to make your audit less stressful and more effective.
Early preparation helps you understand the certification process and what the standard actually requires of you. There are various ways to learn the standard: for instance, you can read a free white paper about ISO 27001, or purchase a copy of the standard itself.
Whether you are seeking certification for the first time or updating an existing system, the work should be guided by a management framework: a description of the processes your organization will follow to reach its ISO 27001 implementation objectives, including a schedule of activities and regular internal audits to ensure continuing compliance. The 2005 edition of the standard was built explicitly around the process-oriented Plan-Do-Check-Act (PDCA) cycle, and although the 2013 edition no longer mandates it, PDCA remains the usual way to structure an implementation, and it is the structure used below.
Plan: Preparing The ISMS
The Plan stage entails preparing for the entire undertaking. If you do not already have an ISMS, you develop one here: define its scope, and identify and document the business processes, objectives, and information assets it covers. Systems architecture mapping, value stream mapping, and the ISO 27002 guidelines can all come in handy.
Designate a team of managers and employees to oversee the certification initiative, led by someone with solid experience in implementing information security management systems. Senior management must be involved throughout; the standard requires demonstrated leadership commitment, and a project of this scale will not succeed without it.
Use an ISO 27001 audit checklist so that nothing is overlooked. The planning stage is also when you carry out your risk assessment: a comprehensive evaluation of the risks to the information assets in scope and to the policies and processes that protect them, including, for example, the organization's user access control policy. With the risks identified, it is easier to decide how each will be mitigated or minimized, and you can then formulate a risk treatment plan documenting the organization's response to each identified risk.
ISO 27001 requires you to select appropriate risk treatment options; the companion standard ISO/IEC 27005 names four: modification (reduce the risk with controls), avoidance, sharing (for example with an insurer or supplier), and retention (accept the risk). Personnel should be trained so that everyone knows what the standard requires of them, and if you are renewing certification, employees should also familiarize themselves with any updates made to the standard since the last audit.
Although ISO 27001 does not prescribe a particular risk assessment methodology, it does require a formal, repeatable process that produces consistent, valid, and comparable results. You must therefore plan the process and document its results for the external auditor. Before conducting the assessment, establish your risk acceptance criteria and the baseline security requirements the ISMS must satisfy: the organization's legal, regulatory, and business requirements, and its contractual obligations concerning information security.
Do: Systems And ISO Implementation
At this stage you implement your new or updated ISMS, either in-house or with a consultant. After implementation, train employees on the policies and procedures that affect them so that they know how to follow them, and check that the system is working as designed and meets the requirements of the standard.
ISO 27001 requires you to run staff awareness programs, since every employee has a part in information security. A company-wide e-learning course is the easiest way to explain the standard and why everyone needs to abide by it, and the attendance records double as audit evidence.
Check: Internal Audit And Management Review
After implementation, conduct an internal audit to determine whether your ISMS risk management controls are working as they should and whether the system complies with the standard. The standard requires internal auditors to be objective and impartial, so nobody should audit their own work. An internal audit checklist or GRC software can help you plan the audit and track evidence, but it cannot replace the auditor's judgement. The audit findings then feed into a management review, which the standard also requires.
Act: Sealing Off Compliance Gaps
Once the internal audit has surfaced nonconformities and compliance gaps, make the changes needed to close them and record the corrective actions you took. This brings the organization into compliance and ensures that everyone is reading from the same page. You must also be able to explain how the organization will continually improve and maintain its ISMS, since continual improvement is a core requirement of the standard.
Document everything, from the first step to the last, because the external auditor will want evidence. Once these steps are complete, you are ready for the certification audit. Always work with a certification body that is accredited for ISO 27001 by a recognized national accreditation body (for example UKAS in the UK or ANAB in the US), which audits certification bodies against ISO/IEC 17021-1. ISO's own Committee on Conformity Assessment (CASCO) writes the standards that govern certification but does not accredit certification bodies itself. A certificate from an unaccredited body will carry little weight with customers and regulators.
Documentation is needed to support the ISMS policies, procedures, and processes; some documents, such as the ISMS scope, the information security policy, the risk assessment and treatment methodology, the risk treatment plan, and the Statement of Applicability, are explicitly required by the standard. Compiling them can be tedious, so ask your consultant to recommend a documentation template set. These templates come pre-formatted and can be customized, which makes documenting the whole process far less painful.
Before the audit, gather all the necessary "audit trail" documents and records, since you will need to present them to the auditors as evidence of compliance. If you are not sure which documents to present, look at Reciprocity Labs' ISO audit guidebook, Preparing for an ISO 27001 and ISO 27002 Audit. Working through that detailed checklist will put your organization on the path to ISO 27001 certification.