The ISO 27000 series, a universally recognized framework (also one of the most popular as seen in a previous article) is often adopted for information security management purposes. Within the ISO 27000 family, a member that stands out is ISO/IEC 27001:2013 (ISO 27001).
Many organizations find value in achieving ISO 27001 certification in particular as it provides a useful model to assist them with protecting their information by using actionable methods to establish, implement, operate, monitor, and maintain information security.
Additionally, once this certification is achieved, a solid foundation is set for many other compliances and regulations (the GDPR is one of these) making them easier to satisfy. As it is a globally recognized standard, ISO 27001 is a great way to demonstrate your business’s overall attitude to security.
Why your organization should consider the certification
So, why do you need it — why go through the arduous task of getting ISO 27001 certified?
Well, in our current highly connected world, the focus has rapidly shifted to information and the security of that information. We want to (and must) protect our data and the information that we process on behalf of others. Adversaries want to compromise or steal that information, every chance that they get to benefit from its value.
So, mostly, everyday business revolves around information and cybersecurity. Data breaches are a daily occurrence; everyone is fighting to keep their organization safe and out of the headlines. So, if your business revolves around data — information security is vital, but not only must your organization take information security seriously, it needs to demonstrate that as an organization it does.
This is why ISO 27001 certification is essential. It is a means to announce to everyone that you interact with that your business takes information security seriously and you have the certificate to prove it. Not quite, but you get the message right — and so does everyone else.
So, it is more than only a security decision, but also a commercial one.
If a competitor is certified and you are not, then chances are your competitor will be selected over you. Moreover, it is globally recognized, so everyone will know what it means when they see it — no further explanations will be necessary. Simply put, it gives people and businesses comfort and makes their decision to work with you that much easier. However, achieving the certification is not a walk in the park, which is another reason why having it is so valuable.
Follow these steps to certification
Many guides exist for how to achieve ISO 27001 certification, some more complicated and long-winded than others. The process does take time and effort; however, if you focus on the most critical aspects, it may help to push it along with more fleetingly, even if it only feels that way. So, let’s focus on the most important aspects.
Step 1: Get an expert on board
With management on your side, it’s time to get going! If this process is one that you’d like to achieve as quickly and smoothly as possible, you should enlist an expert (unless you are one). A consultant that has many certifications under their belt and who has the knowledge to guide you through the process; who knows the tricky areas and knows what to look out for.
Yes, it may be the costlier option, but the time and effort that might be spent without this invaluable advice may be costlier in the long run. So, depending on your priorities, resources, and budget, this may be the right approach to take.
Step 2: Register with a certification body
This seems like an obvious task, but is easily overlooked and then left until the end. You should engage and choose a certification body early on in the process. Be sure that the certification body is accredited. In other words, make sure they are licensed to certify your organization with the ISO27001 standard. All certification bodies are different, so choose one that best suits your organization and its requirements, perhaps one that allows a degree of flexibility.
Step 3: Take the time to define the scope
Defining the scope of the Information Security Management System (ISMS) is probably one of the most important aspects of this process and needs to be deliberated right in the beginning. The scope is essential because it gives focus and structure. It gets everyone on the same page.
This planning process is vital to achieving the end goals within a determined time frame. It involves getting the right people involved — pulling together a super team, especially management, and outlining specifics relating to the certification. It involves looking at the organization (will the scope extend to the whole organization or be limited to a department?) and the needs of stakeholders, employees, and regulators. It considers the factors that could impact information security (both internal and external) and the processes, systems as well as the degree of risk acceptance.
By getting the scope right from the start, the ISMS can be appropriately aligned with the business strategy. Also, the most critical aspects of the business can retain the focus — the most vital systems, processes, and information. This is important as this is where the highest risk is.
Remember that the aim is to manage and secure information, so it’s important to determine the information assets and systems of the highest value and importance and align the strategy and focus to address these appropriately. By looking at the business strategy and its goals as well as identifying the information assets to keep the focus on them, it becomes more apparent as to the type of resources you will need to achieve this. The type of people to entrust in the process.
Involving the right people is crucial to success. Each department will have expertise in their area. So, although it’s good to have the IT team as an integral part of the process, people from other departments who know their systems, information, and risk bring value and knowledge to the group. A cross-section of people from throughout the organization (HR, legal, sales, etc.) is essential. It’s important to involve all these areas and educate at least someone in each area, to encourage awareness of information security across the entire organization. This is crucial to the successful implementation of the ISMS.
So, by defining the scope, before doing anything else, you’ll have defined the where, what, and how — the location to focus on, the information assets and the technology. You’ll have everyone on board (a good team) that can move the process forward and who will be beneficial to the process. You will know how to align the business strategy with the ISMS properly, and you will have identified the critical information assets that you need to secure. You should have all the entities necessary to work together effectively for a successful outcome, just like a well-oiled machine! All are working effortlessly toward the same goal.
Important documents to develop and deliver for this step include:
- Security policy documentation.
- ISMS scope documentation.
Step 5: Gap analysis and security risk assessment
You need to identify the risks to manage them. A risk assessment is important to highlight areas of potential risk that could impact the confidentiality, integrity, and availability of information.
First, you need to gauge the existing state of the organization’s information systems. Look at where you want to be — that is looking at the future state. With both in mind, you can identify the gaps and establish the controls or improve existing controls to bridge the gaps and to get you to where you want to be.
This involves analyzing the physical environment, processes, information system infrastructure, resources, people and assets. Also, considering the potential threats and weighing up the effectiveness of the existing controls. Additionally, determining the risk level and the level that is acceptable to the organization. Finally, considering any additional or new controls required to manage the risk or mitigate it.
ISO does require the risk assessment to be a formal process. So, it must be planned appropriately, and every aspect of it recorded — the data, analysis, and results. Before starting, the baseline security criteria must be established in respect of the information security for all areas (business, regulatory and contractual obligations).
Important documents to develop and deliver for this step include:
- Document the risk assessment performed.
- Document controls and procedures to counter the risk.
- Document who’s accountable.
Step 5: Evaluate and select controls and develop an implementation plan
After identifying the risks, it’s decision time! Do you implement controls to mitigate the risks? Which risks can the organization tolerate? Can any of the risks be transferred?
Risk responses must be thoroughly thought through and documented; this is required as evidence and for the certification audit.
The process of carrying out the recommendations shaped by the risk assessment may involve adjusting organizational procedures as well as technological changes. This is likely to include staff training and encouragement to change behaviors.
Important documents to develop and deliver for this step include:
- Document implementation program.
- Document controls to be implemented.
Step 6: Training and ISMS implementation
All employees must have a good understanding of the ISO 27001 process, why certification is necessary and important to the organization and the role that they play relative to achieving it and maintaining it. Benefits to reiterate include:
- It demonstrates our security competence.
- It helps us to meet our regulatory and compliance requirements.
- It provides customer assurance.
- It gives our organization a competitive advantage.
- It manages and reduces our exposure to risk.
- It secures our information assets; upholds confidentiality, integrity, and availability.
New processes can now be implemented. Continue to assess the ISMS and review and revise procedures as necessary. Keep everyone updated with regards to adjustments or changes in processes and keep everything documented.
Step 7: Documentation
Documentation development is a central part of the certification process. Documentation required includes policies, standards, and procedures that ensure the business is adhering to the requirements of ISO27001 standard in a competent manner that is attainable.
The documentation must apply to the needs of the organization, and whatever is documented must be put into practice too. It’s important to ensure documentation is updated as controls and processes change during the implementation process.
Part of the certification audit involves checking the documentation produced against the ISO standard as well as the organizational processes against this documentation and the standard, to make sure that what is written is practiced and that everything complies.
Step 8: Internal/test audits and final audits
Test audits are an essential step in the process of certification. They are recommended as a way to get the organization and employees ready for the real thing. Going through the motions under strict conditions will make the official audit seem not as daunting. The more practice audits that can be done, the better prepared everyone will be. Challenge employees and processes, rectify any problems or areas that need improvement. Remember to update the documentation and the employees of changes that have been made. Test audits should be done starting a good few months before the official one — six months prior if possible.
To help the official audit to run smoothly, have everything and everyone prepared and ready. The auditor will check all documentation to make sure it is compliant against the standard. Once satisfied, the auditor will move on to assessing whether the ISMS conforms to the organization’s documentation as well as the standard.
If either the documentation or practices don’t wholly comply, any shortfalls will be highlighted, and corrective actions will need to be implemented before a repeat audit is done. Once the auditor is satisfied that the ISO 27001 standard is met, you will achieve your certification.
Documents to develop and deliver for this step include:
- Document any problem areas.
- Document corrective actions and preventive controls.
- Continue with this process, until compliance is satisfied.
Congrats — you have ISO 27001 certification, but the work does not stop here
With ISO 27001 certification, maintenance is key if you want to keep it. Make sure you stay on top of your ISMS. This means to review, monitor and maintain it methodically.
After certification, annual audits will be done to ensure the organization continues to conform and must continue to satisfy the requirements to keep the certification.
Remember, continue to document any changes affecting your ISMS — all of the time, so you are prepared and ready for when the next audit comes around. It will come around quicker than you think.
Featured image: Pixabay