New ways to attack an organization's information security emerge every day, making ISO/IEC 27001 certification all the more important. But where do you begin? Check out our guide to ISO 27001 implementation for your organization.
What is ISO 27001 and why does it matter?
ISO 27001 is a standard created by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) that focuses on establishing and developing a strong information security management system (ISMS) within organizations.
It is an internationally used security framework that focuses on data confidentiality, integrity, and availability. ISO 27001 prepares organizations to create a stronger, more holistic approach to data security.
Step-by-step guide to ISO 27001 implementation
Now that you’ve learned why ISO 27001 is important, you can dive in.
ISO 27001 implementation is a long process, but the result will bring your organization customer trust and protection for your most sensitive data. Here’s how we recommend you get started:
Understand the standard
Go deeper. Understanding the ISO 27001 requirements is key to a successful ISO 27001 implementation. Read up on (or hire an expert to teach you about) the clauses and annexes in this standard and consider which controls apply to your ISMS. This understanding will help you gain buy-in across the business on the importance of this certification. Your organization's compliance, executive, and IT teams should all be on board to execute the changes needed to meet the standard and complete your ISO 27001 implementation.
Turn to the professionals
After you’ve learned about ISO 27001 and earned buy-in from relevant stakeholders, it’s time to work with the professionals: certification bodies, also called audit firms or audit partners.
Certification bodies come in two forms: accredited and unaccredited.
Accredited certification bodies have completed a rigorous certification process themselves to appropriately issue ISO 27001 certificates while unaccredited certification bodies have not.
This difference can determine which certification body your organization completes its audit with. It's important to learn whether any of your clients require a certificate from an accredited certification body. It's also good to know how your audit partner operates: their processes, certifications, and more, before choosing to work with them on your ISO 27001 implementation.
Beyond these certifications, there are a number of considerations to keep in mind when choosing an audit partner. From experience on the team to the number of certifications the auditor has issued for your chosen framework, there’s a lot to consider. Check out this ISO 27001 buyer’s guide to learn more about what to look for in an assessor.
Select your auditor
After evaluating all your options, it's time to make a decision. Ensure you've picked an audit partner that shares your organization's values and has experience auditing companies in your field. Above all, choose a quality partner.
After notifying your chosen partner, you can expect a series of steps to take place:
- Signing the contract: During this step, you can expect to receive a contract that defines the scope of work you can expect from your auditor. This will detail the systems they plan to test and for what purposes along with legal elements like terms and conditions of the audit.
- Project kickoff: Kicking off your audit and aligning on a timeline is essential. This step ensures everyone on both sides knows when to expect each part of the audit cycle to take place. Plus, it gets your project moving.
- Meeting your audit team: Like any successful organization, the most important part of your audit cycle is the people. These relationships are going to carry your organization through your audit and beyond as your auditor becomes a trusted member of your team.
- Acquaint yourself with the tech: Whether you’ve implemented a GRC platform or your auditor uses in-house technology, it’s beneficial to familiarize yourself with the platforms you’ll be using during the audit cycle to streamline the process.
Begin your audit cycle
Now it’s time to begin your audit cycle for ISO 27001 certification. Your audit partner should walk you through the steps it takes to complete ISO 27001 certification. This is a multi-pronged process, but the general steps include:
- Optional Pre-Assessment
- The Stage 1 Audit
- The Stage 2 Audit
- A Surveillance Audit
- Recertification
Step 1: Pre-assessment
The pre-assessment is designed for companies that are undergoing the certification process for the first time. This assessment is only performed on an as-needed basis but is highly recommended prior to the actual audit.
The pre-assessment involves performing a review of an organization’s scope, policies, procedures, and processes to review any gaps in conformance that may need remediation before the actual certification process begins.
Step 2: Stage 1 audit
During a Stage 1 audit, an auditor reviews the high-risk clauses and annex controls of an organization's ISMS to confirm that it has been established and implemented in conformance with the ISO 27001 standard. This audit also checks whether the mandatory activities of an ISMS have been completed prior to starting Stage 2.
Upon completion, the Stage 1 audit will reveal if an organization is ready to move forward to Stage 2 or if there are any areas of concern regarding policies, procedures, and supporting documentation that may need to be remediated before proceeding.
Step 3: Stage 2 audit
The Stage 2 audit tests the conformance of an organization’s ISMS against the ISO 27001 standard. Upon completion of Stage 2, the auditor will determine if an organization is ready for certification.
If any major nonconformities were identified during the audit, they will need to be remediated by the organization before a certificate can be issued.
Step 4: Surveillance audit
The ISO 27001 certification process doesn't simply end after a certificate has been issued. For the two years following certification, the auditor will conduct annual surveillance audits to ensure an organization's ongoing compliance with the ISO 27001 standard. This step ensures your cybersecurity practices are operating at the highest possible level.
Step 5: Recertification
An ISO 27001 certification is valid for three years after the certificate’s issue date. Organizations need to recertify before the certificate’s expiration date or be required to begin the certification process again. Recertification audits review the entire management system, similar to the Stage 2 audit.
This process may require you to make changes to your ISMS and your processes to earn full ISO 27001 certification. It will not happen overnight, and you will need to keep in close contact with your audit partner to stay informed about how your team handles client information going forward.
After ISO 27001 certification
After your ISO 27001 certification, it’s time for continual improvement. This model is a part of the ISO 27001 standard and ensures that as you add new products or services, these additions are accounted for in your ISMS and the controls you have in place to stay compliant with ISO 27001.
The other follow-up step for ISO 27001 implementation is recertification. An ISO 27001 certificate is valid for three years after the issue date and organizations must recertify before the expiration date or begin the certification process again. Recertification is similar to a Stage 2 audit and reviews the entire management system.
Ready to get started on your ISO 27001 implementation?
As an accredited ISO 27001 certification body, A-LIGN can provide your organization with the experience and guidance needed to achieve certification. Contact us to get started today.