How Do We Get ISO 27001 Certification?
One of your customers has asked you to get ISO 27001 certification, you have never even heard of it, and you have no idea how to go about it or where to start.
You have so many questions and it's stressing you out!
How do you do it?
How long does it take?
What do you actually need to do?
Take a deep breath, count to ten, and with that in mind we will talk you through ten easy steps to achieving ISO 27001 certification.
What is ISO 27001 Certification?
ISO 27001 is the international standard for an Information Security Management System (ISMS): a set of processes for managing your information security and protecting your data. The standard sets out the requirements for establishing, implementing, maintaining and continually improving those processes.
Achieving certification demonstrates to your customers that you take cyber security seriously, and it gives the other third parties you work with assurance that you have robust data protection processes in place. It can also help you comply with laws and regulations.
So what are the 10 Steps required to achieve ISO 27001 Certification?
1. Prepare
First and foremost, make sure you have plenty of strong coffee in stock as you are going to need it. But all joking aside you should get to know ISO 27001 first, read as much about it as possible. There is plenty of information online. You might even consider purchasing a copy of the standard but it’s quite a beast of a document and it is not recommended for bedtime reading.
Getting an idea of what is involved in the certification process will make your project run more smoothly.
Securing senior management backing and commitment is imperative as somebody’s got to foot the bill.
Scramble the A team! Get a cross functional team of people together who are enthusiastic, willing, and able and know their stuff.
If you are doing it all yourself, either get a good car and get out of here, or enlist the services of a good consultant!
2. Establish the Context, Scope, and Objectives
It is important to establish some high level objectives from the start of the project including timeframe and costs.
At this stage you can work out what level of support you will need. Do you need external help, or can you manage some of the project with internal resources?
You will need to define objectives for the Information Security Management System (ISMS) and develop its scope, which may encompass the whole business or only a specific entity or geographical location.
And you will need to consider the organisational context and the needs and requirements of interested parties (stakeholders, employees, government, regulators, etc.).
‘Context’ considers internal and external factors that could influence your organisation’s information security. It includes aspects such as the organisational culture, risk acceptance criteria, existing systems, processes, etc.
3. Establish Accountability and Responsibilities
ISO 27001 specifies the processes required for the management of your organisation’s information security.
These processes include defined responsibilities and accountability for implementing, driving and continually improving them. The CEO might be accountable for cyber security and data protection, but it is probably the Information Security Manager/Officer, the Information Security Team, or whoever draws the short straw who will be responsible for actually implementing and running the ISMS.
4. Identify your Assets
Assets are anything of value to your company. For example, data, people, infrastructure and reputation.
List the assets and look at each asset in turn and identify the risks. What data have you got? Where is the data stored? Who has got access to data? Who might try to steal the data?
5. Conduct a Risk Assessment
Identifying your risks is the crux of ISO 27001. There is no mandatory risk assessment methodology, but the standard requires the process to be defined, repeatable and documented, with risk acceptance criteria agreed up front. Don't bite off more than you can chew. Keep it simple. Use a 3 x 3 matrix. For each asset, identify the threats and vulnerabilities, rate impact and likelihood, and if the overall risk score is above your risk acceptance criteria the risk needs to be treated with one or more controls. Your chosen controls must be compared against Annex A of the standard (93 controls in the 2022 edition) to make sure nothing necessary has been missed!
The SoA (Statement of Applicability) and RTP (Risk Treatment Plan) are two mandatory documents that come out of the risk assessment. The RTP records how each unacceptable risk will be treated, by whom and by when; the SoA lists every Annex A control, states whether it is applicable and implemented, and justifies each inclusion and, just as importantly, each exclusion. Auditors will ask for that justification.
Once the relevant risks to confidentiality, integrity and availability have been identified for each asset, you must decide whether to accept or treat each risk (treatment can mean reducing it with a control, transferring it, e.g. by insurance or contract, or avoiding the activity altogether). You only have to treat a risk if it is above your risk acceptance criteria. Perhaps you have risks around availability, e.g. your most critical system could fall over during the night, and you treat that risk by writing a business continuity plan and a disaster recovery plan and testing those plans.
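Steps 4 and 5 above describe a mechanical procedure (score each risk on a 3 x 3 matrix, compare it with the acceptance criteria, and feed the result into the RTP and the SoA), so here it is as a small working register. This is an added illustration, not code or a template from the original page or from any consultancy; the assets, threats, scores and the exclusion justification are constructed, and the handful of Annex A control numbers are given as the editor recalls them from ISO 27001:2022 and should be verified against your own copy of the standard. The check worth noticing is in `statement_of_applicability`: every control must be either selected for at least one risk or explicitly justified as excluded, which is exactly what a certification auditor will look for.

```python
"""Minimal ISO 27001-style risk register (added example, not from the page).

3 x 3 impact x likelihood scoring, a risk acceptance threshold, and the two
mandatory outputs the assessment feeds: the Risk Treatment Plan (RTP) and
the Statement of Applicability (SoA). All data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# 3 x 3 matrix: impact and likelihood each rated 1..3, risk score = product (1..9)
SCALE = {"low": 1, "medium": 2, "high": 3}

# Small subset of Annex A (numbering as recalled from ISO 27001:2022;
# assumption - verify against the standard). A real SoA lists all 93.
ANNEX_A = {
    "A.5.15": "Access control",
    "A.5.30": "ICT readiness for business continuity",
    "A.6.3":  "Information security awareness, education and training",
    "A.7.4":  "Physical security monitoring",
    "A.8.5":  "Secure authentication",
    "A.8.13": "Information backup",
    "A.8.24": "Use of cryptography",
}


@dataclass
class Risk:
    asset: str
    cia: str                  # confidentiality / integrity / availability
    threat: str
    vulnerability: str
    impact: str               # low / medium / high
    likelihood: str           # low / medium / high
    controls: List[str] = field(default_factory=list)  # Annex A ids chosen to treat it

    def score(self) -> int:
        return SCALE[self.impact] * SCALE[self.likelihood]


def risk_treatment_plan(register: List[Risk], acceptance_threshold: int = 3) -> List[dict]:
    """Return RTP rows. A risk scoring above the acceptance criteria must be
    treated, and a 'treat' decision with no control selected is an error, not
    a row: that is the gap an auditor would find."""
    rows = []
    for r in register:
        s = r.score()
        if s <= acceptance_threshold:
            decision = "accept"
        elif r.controls:
            decision = "treat"
        else:
            raise ValueError(f"{r.asset} / {r.threat}: score {s} exceeds acceptance "
                             f"criteria ({acceptance_threshold}) but no control selected")
        rows.append({"asset": r.asset, "cia": r.cia, "threat": r.threat,
                     "score": s, "decision": decision, "controls": list(r.controls)})
    return rows


def statement_of_applicability(register: List[Risk], exclusions: Dict[str, str]) -> Dict[str, dict]:
    """Return one SoA entry per Annex A control. Every control must be either
    selected by at least one risk (applicable, justified by that risk) or
    explicitly justified as excluded; anything else is rejected."""
    used: Dict[str, List[str]] = {}
    for r in register:
        for c in r.controls:
            if c not in ANNEX_A:
                raise KeyError(f"unknown control id {c}")
            used.setdefault(c, []).append(f"{r.asset}: {r.threat}")
    soa = {}
    for cid, name in ANNEX_A.items():
        if cid in used:
            soa[cid] = {"name": name, "applicable": True, "justification": "; ".join(used[cid])}
        elif cid in exclusions:
            soa[cid] = {"name": name, "applicable": False, "justification": exclusions[cid]}
        else:
            raise ValueError(f"{cid} {name}: neither selected for a risk nor justified as excluded")
    return soa


# Constructed register for a fictitious company (not real findings).
REGISTER = [
    Risk("Customer database", "confidentiality", "credential theft",
         "no MFA on admin portal", "high", "medium", ["A.8.5", "A.5.15"]),
    Risk("Order processing system", "availability", "server failure overnight",
         "single server, restore never tested", "high", "high", ["A.5.30", "A.8.13"]),
    Risk("Laptop fleet", "confidentiality", "lost or stolen device",
         "disks not encrypted, staff unsure how to report loss", "medium", "medium",
         ["A.8.24", "A.6.3"]),
    Risk("Marketing website", "integrity", "defacement",
         "outdated CMS plugin", "low", "medium"),  # scores 2: accepted, no control needed
]

# Constructed exclusion justification; in practice each one must satisfy the auditor.
EXCLUSIONS = {"A.7.4": "Fully remote organisation with no premises of its own (hypothetical)."}

if __name__ == "__main__":
    for row in risk_treatment_plan(REGISTER):
        print(f"{row['score']}  {row['decision']:6} {row['asset']} <- {row['threat']} {row['controls']}")
    for cid, entry in statement_of_applicability(REGISTER, EXCLUSIONS).items():
        print(f"{cid:7} {'applicable' if entry['applicable'] else 'excluded':10} {entry['justification']}")
```

The acceptance threshold of 3 means a low/high or medium/medium pairing (score 3 or 2) is accepted and anything scoring 4 or more is treated; that threshold is your risk acceptance criteria and should be approved by management and written down before the scoring starts, not adjusted afterwards to make uncomfortable risks disappear.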
6. Conduct Staff Cyber Security Training
Staff training is required as part of the standard. You should educate all employees on ISO 27001 and why your organisation is implementing it and the role that they can play in cyber security. Cyber security training needs to happen on a regular basis and most importantly when new staff join the company.
7. Produce the Required ISMS Documentation
Documentation is required to support the implementation of ISO 27001. There is a fair bit of documentation to compile but have no fear we can take care of this for you, with our documentation toolkit. You will need docs like an Information Security Policy, Acceptable Use Policy, Encryption Policy, Risk Treatment Plan and an SoA.
8. Measure, Monitor, and Review the ISMS
Continual improvement is key. The standard requires that your ISMS is monitored, measured and reviewed for effectiveness and compliance, which also provides the opportunity to improve existing processes and controls. So you will need to set up some control effectiveness measurements and KPIs (for example, patching and backup restore test results, or the time taken to revoke leavers' access) so you can show that the ISMS is doing what it should be doing.
9. Conduct an Internal Audit
Internal audits of the ISMS must be carried out at planned intervals. Think of them as part of the ongoing risk assessment cycle. Internal audits are one of the best ways of checking that you have everything in place before your certification audit, and, on an ongoing basis, that you are identifying risks and mitigating them.
10. Conduct a Management Review Meeting
At least annually, and before your stage 2 audit, top management must conduct a management review of the ISMS. The standard sets out the inputs that must be considered (audit results, changes to the context, risk assessment results, monitoring results, and so on) and the decisions that must come out of it, and the review must be documented.
What Happens at an ISO 27001 Certification Audit?
At stage one, the external certification body will review your ISMS documentation and records, check that the mandatory documents are in place and that the scope makes sense, and confirm that you are ready for stage two.
At stage two, the certification body will check that you are actually carrying out the processes described in your ISMS documents and that you can provide evidence (records, logs, audit reports, meeting minutes) that these processes are taking place and are effective.
How long will it take to get Certified?
The quickest we’ve ever helped an organisation to get ready for certification is 8 weeks but we wouldn’t recommend it for you or for the consultant. Most companies take between 4 to 9 months to achieve ISO 27001 certification, but it all comes down to resources, effort and your current cyber security posture.
ISO 27001 Consultancy
If we’ve not put you off with our ISO 27001 10 steps and you think you need some help in implementing ISO 27001 then we can support you every step of the way and we will take the stress out of the whole process. You can rest assured that we will look after you!
For further information visit our services page or contact us today to speak to an ISO 27001 expert.