Increasingly, information security management is becoming a critical, top-priority issue for organizations of all sizes. Whether you serve a domestic or global customer base, protecting your ISMS infrastructure against both internal and external risk is a critical customer service and compliance issue.
To that end, ISO/IEC 27001 certification has become an internationally recognized set of tools and requirements that most companies are choosing to incorporate into their audit and assessment process.
Clarify Your Scope and Objectives
Before implementation of the ISO 27001 certification process can begin, you must first specify the ISMS and project objectives, including the costs, time frame, and the identities of everyone on the assessment team.
Second, you need to get a grasp of the project’s scope: who the ISO 27001 certification process will affect, what facilities or locations are to be involved, and what the requirements of stakeholders, regulators, partners, employees, and others are.
Finally, other important factors such as the organizational context and culture and pre-existing protocols and controls should figure into your description of objectives.
Decide Upon a Management Framework
Next, you need to establish the set of processes your company needs to follow in order to meet the implementation objectives of the ISO 27001 certification process. Factors to consider should include who is to be held accountable, a realistic time frame for completion, and how and when regular audits will be conducted to verify that progress is being made.
Conduct a Risk Assessment
ISO 27001 offers organizations a great deal of leeway when meeting this standard. Even so, the project that you implement must be a formal one: well-planned and with records of all data, analysis, and results. Before undergoing any new procedures, ISO 27001 requirements dictate that you establish your company’s baseline security criteria, including all mandatory contractual and regulatory security requirements that you are expected to follow.
Address Identified Risks
Once you know the risks that threaten you, you must start implementing your next steps. In short, you have four options for each risk: transfer, treat, terminate, or tolerate it. At some point, a decision must be made about each risk separately, with documentation written for all of them. When the time comes for a certification audit or registration, you will be required to produce a Statement of Applicability and a risk treatment plan that demonstrate this compliance.
Even the most robust information security measures amount to very little if staff have no knowledge of them and do not receive training. In many cases, employees will be required to modify familiar behaviors and use extra precautions to keep the infrastructure secure, and staff awareness sessions can be key communication tools that can help employees to recognize the vital security governance role they play.
Review and Update Documentation
There are several written documents that are required for ISMS certification:
- Scope of the ISMS
- Information security policy and objectives
- Risk assessment and risk treatment methodology
- Statement of Applicability
- Risk treatment plan
- Risk assessment report
- Definition of security roles and responsibilities
- Inventory of assets
- Acceptable use of assets
- Access control policy
- Operating procedures for IT management
- Secure system engineering principles
- Supplier security policy
- Incident management procedure
- Business continuity procedures
- Statutory, regulatory, and contractual requirements.
In addition, mandatory records include:
- Records of qualifications, skills, training, and experience
- Results of monitoring and measuring
- Internal audit program and results
- Results of the management review
- Results of corrective actions
- Logs of user activity, exceptions, and security events.
Your organization may also provide additional, non-mandatory documents and records.
Continuous Review, Measurement, and Monitoring
The performance of your ISMS is not static; it must be regularly reviewed and monitored, with the results of the analysis carefully documented. In the event that risks are identified, corrective action should be implemented and documented.
Conduct an Internal Audit
Another aspect of demonstrating compliance with the standard involves conducting regular internal audits of your ISMS. Although the manager in charge of ISO 27001 compliance does not need to take an ISO 27001 certification exam or know how to obtain ISO 27001 certification, he or she should possess a basic understanding of the lead audit process.
There are two stages involved in registration/certification audits that you must successfully complete before you can receive an ISO 27001 certificate:
- Stage one. The auditor reviews all of your documentation for ISO 27001 compliance, pointing out any nonconformities that you will be required to fix.
- Stage two. After all errors in the documentation are remedied, you are ready to move on to a more comprehensive compliance check. The ISO 27001 certification process can usually be completed in anywhere from six to 12 months, depending on the size of your company and the complexity of your systems.