10 Steps to ISO 27001 Certification
We are often asked what the steps to ISO 27001 certification are. Whether you do it yourself or ask Agenci to do it for you, the process will be the same. Follow this simple 10-step guide to achieve your ISO 27001 certification.
Senior Management Commitment
Senior management need to be behind the decision to pursue ISO 27001 certification. There is definite value in communicating this internally, as it reinforces the company’s aspiration to follow best practice.
What you need to do. A concise and positive briefing to senior management outlining the benefits and how certification provides a platform for business growth.
ISO Management Representative
The company appoints a responsible and knowledgeable manager to run the programme and its implementation. This person will become the company’s ISO 27001 specialist, understanding the controls and milestones needed to reach certification.
What you need to do. Select the right individual, with a specific job description and knowledge of ISO and ISMS requirements.
Gap Analysis and Risk Assessment
A gap analysis and a risk assessment are conducted to find out what can go wrong and which threats endanger the confidentiality, integrity and availability of information. The aim is to understand the maturity of the existing controls within the business and to determine its risk profile.
What you need to do. A gap analysis followed by a risk assessment of all in-scope people, processes and technology, performed by a qualified auditor, giving an understanding of control maturity and the risk profile.
Scope & Implementation Plan
Reviewing the output of the gap analysis allows the business to validate the scope of the implementation and its functional and operational boundaries. For each risk identified, appropriate controls are selected to manage the risk in a systematic way, ensuring nothing important is missed. Key milestones, time requirements, and dates for any pre-assessment and staged audits are set.
What you need to do. A concise step-by-step plan that explains the ISO 27001 process in sufficient detail.
Employee Engagement
It is important to engage with employees from the beginning to ensure they buy in to the ISO 27001 certification process and respond appropriately, and to help them understand the benefits to individuals, the company and its clients.
What you need to do. A short and easy-to-understand ISO 27001 and security introduction briefing that focuses on how employees are affected and their role in a successful implementation.
Documentation, documentation, documentation!
ISO 27001 certification requires extensive documentation addressing all relevant milestones and individual controls. This documentation forms the criteria against which the company is measured to meet the standard.
What you need to do. A set of policies, standards and procedures to ensure the business adheres to all requirements in an efficient and achievable manner.
Implementation and Pre-assessment
With the gap analysis, scope and documentation ready, it is time to put the new processes into ‘business as usual’ throughout the company and start realising the many benefits of ISO 27001. At this stage it is beneficial to conduct a pre-assessment to confirm the company is on the right track and to validate the evidence.
What you need to do. Pre-assessment forms, checklists and the gathering of evidence. Communication to staff about the revised processes, the need to adopt them fully, and how to report back on what isn’t working.
Internal ISO 27001 Audits
ISO 27001 requires an internal audit to assess how far the company has progressed with the milestones and the implementation phase. An auditor will complete documentation assessing the risks, noting the controls in place and the remediation needed, to highlight the improvements required.
What you need to do. An experienced internal or external auditor, together with audit tools that include forms, complete audit checklists and audit reports.
ISO 27001 Certification
The most important step is to pass the ISO 27001 certification audit. An independent assessor will issue a certificate stating that the business meets the ISO 27001 controls and requirements. The appointed internal representative needs to be confident in the process they have followed and to consider how best to interact with the assessor.
What you need to do. Employee preparation for the ISO 27001 certification audit, including the questions that may be asked and the areas the audit will focus on. An independent assessor from a reputable certification body.
Maintaining the ISO 27001 Certification
It is important to keep the ISO management system working by integrating it into daily operations. The business should focus on continual improvement.
What you need to do. A reinforcement message to employees. Focus on maintaining the standards through an internal champion. Treat the ISMS as an integral component of the business processes and not as a one-off project.
Display your ISO 27001 badge with pride! Shout about it to clients.
Steps to ISO 27001 certification summary
- Use the right people and the right tools to evaluate your current security position to assess gaps in relation to people, processes and technologies.
- Apply a pragmatic, no-nonsense, step-by-step plan to assess and score risks.
- Detail, tailor and customise documentation and forms.
- Train and promote ISO 27001 values and best practice security guidelines.