The ISO 27001 Certification Process

What is ISO 27001

ISO 27001 is best explained as a standard that outlines how to develop and implement an effective information security management system. ISO 27001 officially being recognised as ISO/IEC 27001:2013 is basically a specific plan for an Information Security Management System (ISMS).

ISO 27001 Certification Process

When looking at the ISO 27001 Certification Process, we will review a series of different steps that is taken to achieve an ISO 27001 Certification.

1. The first step is preparation where you will need to have a thorough understanding of the standard and be fully aware of its requirements. At this stage when you have secured support of the organisation’s top management, it becomes very important to get an expert on board. This can either be an existing employee or a third party as for example an ISO 27001 Consultant with sound experience. Although, it initially seems to be costly, a certified consultant can be a good guide in tricky areas where you need to be vigilant. Often you end up saving money in the long run with a consultant, as you avoid wasting valuable resources and time.
2. The second step is to register with a certification body which appears to be an obvious task; however it is easily disregarded and then goes pending until the last phases. Therefore, a properly accredited certification body should be engaged and selected at the initial stages of the ISO 27001 certification process. It must be kept in mind that every certification body is different, so you must pick one that suits best for our organisation and its unique requirements.
3. The third step is to clearly establish the context, scope, and objectives of the ISMS. The project objectives must be identified from the early stages along with the timeframe and project expenditures. As far as ‘Context’ is concerned it covers internal and external factors that could impact the information security of our organisation. In the same way, it will be necessary to develop the scope of the ISMS which can cover the overall organisation, or just geographical locality or a particular department. An organisation must be aware of the fact that while defining the scope, the organisational context and the requirements of interested parties such as government bodies, regulators, stakeholders etc. will be considered as an essential component.
4. After that, the establishment of a management framework will be the fourth step. Basically, the management framework explains the set of processes that an organisation is required to follow for accomplishing implementation objectives of ISO 27001. More to the point, these processes consist of activities schedule, emphasizing ISMS’s accountability and regular auditing for assuring continual improvement.
5. Furthermore, our fifth step will be to perform a security risk assessment. Despite the fact that a specific risk assessment method has not been given in ISO 27001, there is a requirement for the ISO 27001 certification that a formal process with set criteria for defining risk has been implemented and the risk assessment is available in documented format. It means that proper planning is needed for the process and proper records must be maintained for data, analysis, and results. Most importantly, an organisation needs to establish the criteria for baseline security before conducting a risk assessment.
6. Afterwards, it is required to implement controls in order to reduce risks as the sixth step. The organisation has to decide whether to treat, bear, stop, or transmit the risks after the identification of the relevant risks. Here it is important to note that documentation of all the decisions about risk responses hold crucial value, as during the ISO 27001 certification audit, the auditor will want to assess them. The two compulsory reports that must be formed as proof of the risk assessment are Statement of Applicability (SoA) and risk treatment plan (RTP).
7. In addition to that the seventh step is to conduct training for the organisation’s workforce. It is a requirement of the standard that awareness programs for staff must be introduced throughout the organisation to increase their awareness about information security. The easiest way to bring across the idea behind the Standard is to launch an e-learning course for the organisation-wide workforce.
8. The eighth step is to evaluate and update the essential documentation. Documentation is a must-have component for supporting the required policies and procedures of an ISMS. An important consideration at this step is to make sure that the documentation is updated because during the implementation process change takes place in controls and processes.
9. Your ninth step will be to conduct internal audit according to the requirement of section 9 of the ISO 27001 standard. The objective of the internal audit is the assessment of performance and compliance. The involvement of top management in internal audits is holds imperative value. Their participation is very essential from approving the process and employing the internal auditor, to agreeing on the audit program and going through the internal audit reports.
10. The last and concluding step is the ISO 27001 certification audit. The auditor will evaluate whether the organisation’s documentation fulfills the requirement of the ISO 27001 standard during the Stage One audit. Here the auditor will draw our attention to any areas of non-compliance and possible improvement of your management system. An organisation will then be all set for its Stage Two registration audit once any sort of necessary changes has been made. The auditor will perform a detailed assessment during a Stage Two audit to establish whether the organisation is acting in accordance with the ISO 27001 standard. The duration of getting certification depends on the management system’s size and complexity of its scope. The majority of small to medium size organisations with the right preparation can expect to accomplish ISO 27001 certification within 6 to 12 months.

If you are considering to get certified to ISO 27001, then contact us for a free consultation to hear how we can support with the project.