Have you been tasked with organising ISO27001 certification within your organization and unsure where to start?
We take a look at the key steps in the process.
Before embarking on a project to achieve ISO27001 certification (or simply to comply with the standard), it is very important to secure the commitment of top management to the idea. This is probably the single most significant factor in whether such a project (and the ongoing operation of the ISMS afterwards) will be successful. Indeed, “Leadership” has its own section within the standard, and without it there is a danger that the ISMS will not be taken seriously by the rest of the organization and that the resources necessary to make it work may not be available.
The first questions top management are likely to ask about a proposal to become certified to the ISO/IEC 27001 standard are probably:
Performing a gap assessment is a great way of indicating whether your organization currently meets the requirements of the ISO27001 standard, and allows you to gain a better appreciation of how much work may be involved in getting to a point where a certification audit is possible. The key to making the gap assessment as accurate as possible is to get the right people involved so that you have a full understanding of what is already in place. The gap assessment will provide hard figures on how compliant you currently are by area of the standard so you can update the management team easily. We advise repeating the exercise on a regular basis during your project in order to assess your level of progress from the original starting point.
The CertiKit ISO27001 toolkit includes a comprehensive gap assessment Excel workbook to assist the process and show audit readiness, and the accompanying workbooks ISO27001 Toolkit Index and ISO27001 Assessment Evidence show you how the various documents in the Toolkit map onto the requirements and what other evidence may be appropriate to show compliance. This can help when deciding whether a requirement is met or not.
Having gained an accurate view of where you are against the standard at the moment, you are then armed with the relevant information to assess how much effort and time will be required to achieve certification. This may be used as part of a presentation to top management about the proposal and a template ISO/IEC 27001 Benefits Presentation is provided in the Toolkit for this purpose. Note that budgetary proposals should include the costs of running the ISMS on an ongoing basis as well as the costs of putting it in place.
As part of your business case you may also need to obtain costs from one or more external auditing bodies for a Stage One and Stage Two review and ongoing surveillance audits.
Having secured top management commitment, you will now need to plan the implementation of your ISMS. Even if you’re not using a formal project management method such as PRINCE2® we would still recommend that you do the bare essentials of defining, planning and tracking the implementation effort as a specific project.
We have provided a template Project Initiation Document (or PID) which prompts you to define what you’re trying to achieve, who is involved, timescales, budget, progress reporting etc. so that everyone is clear from the outset about the scope and management of the project. This is also useful towards the end of the project when you come to review whether the project was a success.
Having written the PID, try to ensure it is formally signed off by top management and that copies of it are made available to everyone involved in the project so that a common understanding exists in all areas.
It’s fair to say that in general if you implement your ISMS in the order of the ISO/IEC 27001 standard from section 4 to section 10 you won’t go far wrong. This isn’t necessarily true of some of the other management system standards we have mentioned such as ISO/IEC 20000 but for ISO/IEC 27001, because it includes much of the information security content within a separate Annex A, it actually flows quite well.
There are some steps along the way to certification that need to be done in a certain order otherwise the right information won’t be available in later stages. An example is that you need to complete your risk assessment before completing your Statement of Applicability because otherwise you won’t have enough information to assess whether each control applies to your organization.
The approach shown opposite effectively steps through the standard in order although it starts with the foundation for the project (and for the ongoing ISMS) which is obtaining management commitment.
Once a project manager has been appointed and the project has been planned and started, it’s a good idea to keep an eye on the gap assessment you carried out earlier and update it as you continue your journey towards certification. This updated measurement of your closeness to complete conformity with the standard can be included as part of your regular progress/highlight reports, and the CertiKit ISO/IEC 27001 Toolkit includes a template for such reports.
The timing of when to go for ISO27001 certification really depends upon your degree of urgency (for example you may need evidence of certification for a commercial bid or tender) and how ready you believe the organization to be. Certainly you will need to be able to show that all areas of the ISMS have been subject to internal audit before asking your external auditing body to carry out the stage two (certification) assessment. But you don’t need to wait until you’re “perfect”, particularly as the certification audit will almost certainly throw up things you hadn’t thought of or hadn’t previously regarded as important.
Editor’s note: The original post was published in June 2015, and updates have been made in January 2022 for accuracy and comprehensiveness.
Download our free ISO27001: 10 steps to certification guide to learn: