We’re often asked how to become certified to the ISO/IEC 27001 standard as fast as possible. Sometimes this is due to pressure from current or prospective customers, sometimes it’s from a regulator and sometimes it’s just because the organization wants to get on with it. As well as using the CertiKit ISO/IEC 27001 Toolkit, there are a number of quick tips we usually give to make the process of certification as fast and painless as possible and we’ve summarized them here.
This is probably the biggest single source of confusion and misunderstanding around the ISO standard. In essence, you can choose the scope of your certification by service (or technology), by geography or by business area (including customers). The smaller the scope, the less work is generally involved, so adjust your scope according to how quickly you want to be certified. A single service to a single customer at a single location is perfectly acceptable, and scoping small will allow you to learn the lessons early and apply them when you gradually widen the scope post-certification.
So consider your scope carefully.
This may sound obvious, but to implement an ISMS you need to familiarise yourself with the standard and understand what is expected of you. Sometimes we hear of people who are going for certification without having bought the ISO/IEC 27001 standard at all – not a good idea. The ISO/IEC 27000 family is a big one, but the more you read around it, the clearer the requirements will seem, so getting hold of additional codes of practice such as ISO/IEC 27002, ISO/IEC 27005 and ISO/IEC 27017 can be helpful. Download our free Implementation Guide from our product page if you need more info.
Success will be much easier if you can get direction and motivation from the top. Even if you are convinced it is the way forward for the organisation, you have to convince senior management and get their commitment before you roll it out to your staff. The standard requires effective leadership from top management, so it will be a definite barrier to certification if this is not in place and evidenced via various forms of communication. Resources will be easier to obtain too if the right people are behind you.
It’s been said many times before that the best people to achieve change are the people that actually do the job, and that’s still as true today as it ever was. Make sure everyone has a copy of the sections of the standard that are relevant to their job and that they understand the urgency. Get them involved in the risk assessment process and delegate as much of the work on relevant controls etc. to them as possible (whilst accepting that they may have a day job too, of course).
Leading on from your scoping decision, make life easy for yourself and choose a business unit or customer that is already friendly to the idea of improving information security and open to participating in the various activities you will need to start doing such as risk assessment, reporting and review meetings. They will then also be your best supporter when widening the scope to less receptive parts of the organisation or customer base. A little goodwill goes a long way when you’re trying to change the way you manage your information security.
So in a nutshell that’s our quick top 5.