We often come across the situation where one of our customers has decided that they need to become certified to the ISO/IEC 27001 standard, but they're not sure how to go about it. Sometimes their own customers have told them that certification is a requirement, so in order to carry on doing business it's a must.
This blog article takes you briefly through the journey to certification and sets out the main stops along the way. If you want more detail, download and read our Implementation Guide available from the ISO27001 product page on the CertiKit website and check out some of our other blog articles.
The first, and undoubtedly one of the most important, steps is to make sure that you have the commitment of the top management of your organization. If the people in charge of the budgets and direction don't think it's a good idea then your ISO27001 management system is going to flounder at some point, no matter how much effort you put into it. The standard itself expects this: leadership commitment, an information security policy and clearly allocated roles are explicit requirements, and the auditor will look for evidence of them. So make sure they're on board.
You don't have to have everything within the scope of your management system, so a necessary early step is to draw a ring around what's included (which locations, business units, systems and services) and be able to justify what's left out. You have to get this right because every step from here is affected by it, so take your time. Also required is to set out what the standard calls the "context" of your management system. This is really the environment that your organization operates within, both outside and inside its boundaries: the internal and external issues that affect information security, and the interested parties (customers, regulators, suppliers and so on) together with what they require of you.
At this point you may like to get in touch with a Registered Certification Body (RCB) who will be in a position to carry out the certification audit later. Check that the body is accredited for ISO/IEC 27001 by the relevant national accreditation body, as a certificate from an unaccredited body may not be accepted by your customers. We would recommend you choose an RCB reasonably early and start to get to know them, including when they are available and how much they charge. This prevents surprises later.
OK, so the top management is on board, the RCB is chosen and you know what's included; now you need to compare how your organization currently does things with the requirements of the standard to see how big the gap is. This gap analysis will allow you to create a plan to put in place the policies, procedures, controls etc. that are missing. Another early task is to define your objectives for the management system (and how you will measure progress against them) and to set up a structure of roles, responsibilities and authorities for information security within your organization.
Now we come to one of the key foundations of an ISO/IEC 27001 management system: the risk assessment. This involves identifying the risks to your information assets from the various threats that are out there (and within your own organization of course), analysing how likely they are and how much harm they would do, and deciding which ones are acceptable and which need treating. The next step, risk treatment, is where you decide on the actions you need to take to bring the unacceptable risks down to a level you can live with. These actions are often referred to as controls, and the ISO27001 standard provides a full set of reference controls within its Annex A that you compare your chosen controls against to make sure nothing has been overlooked. One of the key documents from an audit viewpoint is the Statement of Applicability, which sets out which of these reference controls are applicable to your particular organization, justifies the exclusion of any that are not, and records whether each applicable control is already in place.
If some of these controls are not yet implemented then there is a piece of work to do to define and embed them, captured in a risk treatment plan, and this can often be the longest part of any ISO27001 project.
By this point you will have most of the things you need to show compliance with the standard. Before going for certification you will also need to have completed a management review and a full internal audit of the management system, and to have records showing that the system has been running for long enough to produce evidence (monitoring results, incident records, corrective actions and the like). It can therefore be a good idea to get these started as early as you can.
Once these are done you're ready for the auditor from the certification body to make an appearance, which happens in two stages, conveniently called Stage One and Stage Two. Stage One is a document review to see how ready you are and how well your scope is defined. If the Stage One review encounters no major issues then you will be able to set a date for the Stage Two certification visit.
Stage Two is a more in-depth review of whether the management system is actually operating as documented. It will highlight any non-conformities it finds, usually classed as major or minor, and make a recommendation about certification. Once the major non-conformities have been closed and corrective action plans for the minor ones accepted, you will then become officially certified to the ISO/IEC 27001 standard.
Of course, it doesn't end there. The whole idea of the management system is that it allows you to continuously monitor your information security and fill any gaps you find along the way. The auditor will return about 9-12 months later for a surveillance visit and then every 12 months after that, with a full recertification audit at the end of the three-year certificate cycle.
This has been a very quick run through the certification journey; in future blogs we will start to fill in some of the detail around specific areas, so come back to the site as often as you can and hopefully we can tell you more.