ISO 27001: The Four Most Common Post-Certification Pitfalls
Author: Gene Geiger, CPA, CISSP, CCSK, QSA, PCIP, ISO 27k LA, and Partner at A-LIGN.
Becoming ISO 27001 certified is a rigorous process for most organizations, but the work should not stop after receiving the sought-after certification. We want to ensure that your organization does not fall victim to these common pitfalls, so that your information security management system (ISMS) continues to operate as designed and subsequent audits flow smoothly. Take a look at the four most common problems to help your company stay on track after certification.
Failing to Schedule the Internal Audit and Management Review
The completion of the internal audit and management review is critical to the success of the ISMS. A-LIGN reviews both during each audit and looks to ensure that their quality and completeness are in line with the requirements. These activities build on each other: the internal audit feeds into the management review, and both then feed into the continuous improvement cycle.
You should ensure that the internal audit is scheduled well in advance of the surveillance audit, so the management review and continuous improvement activities have time to be performed. We start the surveillance audit approximately nine months after initial certification is received, so a typical timeline would be to start the internal audit six to seven months after certification.
Changes in Key Personnel
Often the ISMS is implemented by a single individual who fields many of the questions during an audit and has overall responsibility for the ISMS. If that person leaves the company, the ISMS can fall apart. To help prevent this, we recommend that all companies designate a backup person who has a general understanding of the ISMS. If your primary ISMS manager moves into a different position or to another company, make sure the designated backup steps in so that the ISMS continues to function.
Failing to be Vigilant
It is common for organizations to breathe a sigh of relief upon receiving the initial certification, but at times they may go too far into “relaxation mode.” ISO 27001 defines ongoing processes that should be in place throughout the year, not just during the audit. The management controls, including periodic meetings, documented approvals for decisions, meeting minutes of oversight committees, etc., must be maintained to evidence that the ISMS continues to function. The same is true of the controls defined in the statement of applicability.
Companies should ensure the ISMS is a living process that is built into the culture of the organization so that it continues to function as designed after certification is received.
Not Considering Environmental Changes
ISO 27001 requires that any changes in the environment be considered through the risk assessment process and that any new or modified controls flow into the statement of applicability. It also requires that A-LIGN be notified and a new certificate issued if there are changes to the scope or statement of applicability. When changes to the environment are being considered that may impact the scope of certification, it is important to review and update the ISMS documentation to ensure it correctly reflects the environment post-change.
These top pitfalls are all easily remedied through management oversight and following the controls as defined in your ISMS. Establishing a long-term ISMS framework can help to create an ongoing culture of security in your organization and help to ensure smooth surveillance audit cycles.