One of the common questions we’re often asked is “how can we get certified to ISO27001 as fast as possible?”. This question is often driven by the need for an organization to achieve ISO27001 certification for a specific contract or to compete in an aggressive market. If they don’t have ISO27001 then they’re not even in the game, let alone being competitive. In many industries such as hosting and cloud software provision ISO27001 certification is increasingly seen as being a de facto minimum rather than a nice to have. So from a business viewpoint, the sooner an organization has it, the better.
The challenge, then, is to get from where we are now to having a certificate that we can use to prove that we have a management system in place, as quickly as possible. And in most cases nothing less than a certificate from an IAF-accredited auditor will do (see our earlier blog post on what IAF is), so no short-cuts there.
Now, in general, there are a number of major factors that will affect how soon an organization can become certified to ISO27001.
So if you have been running a management system for a while, including internal audits, and have implemented most if not all of the controls within ISO/IEC 27001, then really it’s just a case of how soon the certification auditor can get there for a Stage One and then come back for a Stage Two. Even in this case, however, you need to bear in mind that there is often a delay of a few weeks in the issuing of the certificate so that the audit can be reviewed by the accreditation body.
But if you’re not in this happy situation then it will take a bit longer. However, there are a number of steps you can take in order to minimize the time taken to get that certificate on the wall or in the hands of your customers. We’ll give you ten of them now.
First, and probably most obvious, is to throw as much resource at ISO27001 as possible. Forget that office move, the desktop refresh and the team-building away day until the certificate has landed on the CEO’s desk. Of course, this is about priorities and only you can decide how important achieving ISO27001 certification is to your organization. But if it’s really that vital, you’ll stop doing everything else (and get everyone else you need to do so too) and live the ISO27001 journey until the auditor smiles and says “Yes”.
How long the job takes depends on how big the job is. Scoping is a tool you can use to make sure that you only do as much as you have to in order to achieve your goal. If ISO27001 certification is only needed for a subset of your business operations, then set your scope accordingly. Don’t cover everything straight away; you can widen the scope later if it makes sense, but that’s after you’ve become certified.
A word of caution here; consider carefully what your customers need from you in terms of certification. What it says on your certificate needs to cover the areas that mean most to your customers and other people that matter, otherwise you’ve wasted your time.
In various places the standard asks you to address key areas such as objectives, assets, risks, awareness, management reviews and improvements. But in most cases it doesn’t specify quantities or frequencies. There is a temptation when first implementing ISO27001 to try to address everything and do everything as often as possible. Resist this temptation. By focussing on the most important few items you can simplify your management system and keep the time required to a minimum. Adopting a “top ten” approach to objectives, risks and assets can help to increase understanding of the process without letting it get bogged down in detail. One management review meets the need, a short awareness session is better than none, and just a few improvements mean the process is up and running. Don’t do more than you have to initially; you can enhance what you started with as part of improvement, but after certification.
There is a concept within ISO27001 of the “risk appetite” of an organization. This refers to the fact that different organizations have differing views on how much risk they are willing to take and accept. You may be in a high-risk/high-reward industry such as oil exploration, or one that comes lower on the scale such as an insurance company (a few years ago I would have said bank, but…).
This makes a difference in how you decide what to do about the risks you have identified. If your risk appetite is low, then you will want to mitigate even the lower likelihood or impact risks. But if your appetite is high, then this means you are willing to accept some risks that other organizations would want to do something about.
Controls take time to implement. If you accept risks rather than try to mitigate them with controls, then you will need to spend less time on implementing ISO27001 and you will get to certification faster.
Another word of caution here: the standard requires your management to sign off on the residual risks that remain after you have applied your controls, so you’ll need to make sure they agree with your definition of risk appetite. I’m definitely not suggesting you set your appetite to “high” if it really isn’t.
Annex A of the ISO27001 standard contains 114 controls. These are “reference controls”, all of which are good ideas for how to improve your security. However, they may not all apply to your organization and, if they don’t, you have no need to implement them. This is where the “Statement of Applicability” document comes in, which sets out which of the reference controls you consider apply to you. Look at each control carefully and decide whether it really does apply to your operation. Remember this is based on your risk assessment (which takes into account your risk appetite, see number 4 above), so if you don’t consider the risk worth treating then you don’t need the control.
The ISO27001 standard requires you to have a set of policies for information security. But it doesn’t say in much detail what should be in those policies. The important thing with policies from an auditing viewpoint is that if you say you’re going to do something, you must do it. The key concept here is to keep your policies simple to start with so that complying with them is relatively straightforward. You can always enhance your policies as part of your improvement activities – after certification.
OK, we sell toolkits, so we’re bound to say this. I get that, so I’ll keep this one short and to the point. If a lot of revenue is riding on you obtaining ISO27001 certification as fast as possible, why wouldn’t you get as much help as you can with the documentation? Nuff said.
When you’re implementing ISO27001 it can be hard to see the wood for the trees; you don’t know which parts are important or what the auditor will pick up on. It’s tempting to try to make it perfect before arranging your Stage One audit. That’s fine – unless you’re trying to get certified as fast as possible. Holding your Stage One sooner rather than later means that:
This can short-cut a lot of work that you thought was needed but the auditor doesn’t. Don’t get me wrong, you still need to have a management system in place before the Stage One, but it doesn’t need to be perfect.
You will need to have carried out at least one management review before you can become certified, so you may as well get them started early. This will get the reviews established within your organization and also highlight areas that still need to be completed, so it’s worthwhile. It’s also one less thing to worry about as the certification audit gets nearer. If you have time for more than one management review before Stage Two (recommended), all the better; make sure each one covers the required agenda items too.
Similar to a management review, you also need to have completed a full internal audit of your management system before you can become certified. If you don’t have an internal audit function, then you will need to find someone with appropriate qualifications and/or experience to carry out your internal audits. This can be difficult, so it’s best to start looking now. If your internal audit function doesn’t have the required skills then some urgent training may be needed.
In this article we’ve listed some of the ways you can reduce the elapsed time to achieve certification to the ISO/IEC 27001 standard. Let’s not forget that the purpose of the standard is to make certified organizations more secure, so saving time should never be at the expense of good security, otherwise the only people who win are the bad guys. But getting an information security management system in place is the first step in improving security and the sooner that can be done, the better.