Much like any other project that needs to be managed, working your way to ISO 27001 certification requires planning and a strong grasp of all the steps that you and your team are going to undertake. Generally speaking, laying out the steps, workflows, responsibilities and timelines, and informing the key stakeholders of the plan, should make everything run smoothly and easily. That might be true for a software development project or a migration, but not for this one. There really is no fast, easy or painless way to implement your ISO 27001 certification process. There are mandatory documents to be produced, records to be disclosed, and plenty of internal restructuring that needs to happen. While we can’t offer you a way to streamline the journey to ISO 27001 certification, we can at least outline the key steps along the way to help make the process smoother.
From getting top management on board with the incremental costs and effort, to analyzing activities for implementation, monitoring progress, and keeping track of your compliance, this checklist offers the main steps that your organization will have to follow to achieve this certification without any more stress than necessary.
1) Obtain The Support of Management
While this might seem to be the most obvious first step and should be a given, this request isn’t always taken seriously enough. If you’ve never had a breach or a security incident, or the key stakeholders have a “that’ll never happen to us” philosophy, this may be a hard sell. In fact, not taking this certification seriously is the main reason ISO 27001 projects fail: management either doesn’t provide enough people to work on the project, or doesn’t allocate enough money to do the job correctly.
2) Treat it as a Project
Implementing an Information Security Management System (ISMS) that adheres to the standards outlined by ISO 27001 is a complex process. There are many different activities, accountabilities and repetitive tasks, and it can last from several months to a year or more. As with any other project, you need to clearly define what needs to be done, who’s going to do it, what the time frame is, and whether there are any dependencies. If you don’t rely on a project management process and/or software, you’ll most likely never finish the job.
3) Define The Scope
Depending on the size of your company, you will have to decide whether you’ll be doing this company-wide, or just within a part of your organization. You’ll need to define your interfaces, dependencies and endpoints, and evaluate based on where your information is stored and accessed. By focusing on a key organizational segment, you’ll lower your project risk significantly, but it will also hamper the flow of information between departments. Think of it this way: if you only implement an ISMS around the core processes your company offers, but leave out legal or accounting, then there will be restrictions on who can access what between the two.
4) Establish an Information Security Policy
Your ISMS policy is the highest-level internal document in your ISMS. It should outline the basic requirements for information security in your organization, define what management wants to achieve, and describe how information security will be controlled. It doesn’t need to be too detailed, but it does have to outline who’s responsible for the various aspects of the ISMS, define the framework for setting objectives, include a commitment statement from top management, and define communication responsibilities.
5) Define Your Risk Assessment Methodology
This is one of the most complex tasks in your ISO 27001 project. The point is to define your acceptable level of risk and to outline the rules for identifying your risks, how those risks will impact your organization, and the likelihood and consequences of those risks coming to fruition. If these rules aren’t clearly defined for your organization, across all departments, you’ll end up with unusable results.
6) Perform Your Risk Assessment And Risk Treatment
It’s here where you’ll put the risk assessment methodology from the previous step into practice. For larger organizations, this might take a little longer, so you should take particular care in coordinating the effort. The point is to get a comprehensive picture of the external and internal dangers to your organization’s information.
Your intent here is to decrease the risks that are not acceptable, which is usually done via the controls outlined in ISO 27001 Annex A. By the end of this step, you should have a Risk Assessment Report written, documenting all the steps taken during the risk assessment and risk treatment process. You should also have an explicitly outlined approval of residual risks (the risks that management knowingly takes), either in a separate document or as part of your next step, the Statement of Applicability.
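To make steps 5 and 6 concrete, here is an added example (it is not from the article) of a small risk register that applies one such methodology: a constructed 1-to-5 scale for likelihood and for impact, a risk score equal to their product, a constructed acceptance level of 6, and a treatment record per risk. The assets, threats, scores and control labels are all invented for illustration. The report it produces lists the residual risks that still sit above the acceptance level and therefore need the explicit management approval described above, and the controls chosen for mitigation, which are the input to the Statement of Applicability in the next step.

```python
"""Worked ISO 27001-style risk assessment and treatment (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional

SCALE = range(1, 6)       # constructed 1..5 scale for likelihood and impact
ACCEPTABLE_RISK = 6       # constructed acceptance level: a score of 6 or less needs no treatment
TREATMENTS = ("accept", "mitigate", "avoid")


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                     # 1 = rare .. 5 = almost certain
    impact: int                         # 1 = negligible .. 5 = severe
    treatment: str = "accept"
    control: str = ""                   # chosen control or avoidance action (constructed labels)
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        # The methodology only yields usable results if every entry follows the same rules,
        # so reject anything outside the agreed scales or treatment options.
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be 1..5, got {getattr(self, name)}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")
        if self.treatment == "mitigate":
            if not self.control or None in (self.residual_likelihood, self.residual_impact):
                raise ValueError("mitigation needs a control and residual likelihood/impact")
            if self.residual_likelihood not in SCALE or self.residual_impact not in SCALE:
                raise ValueError("residual likelihood/impact must be 1..5")
            if self.residual_score() > self.inherent_score():
                raise ValueError("a control cannot leave residual risk above inherent risk")

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        if self.treatment == "avoid":
            return 0                         # the activity is removed, so the risk goes with it
        if self.treatment == "mitigate":
            return self.residual_likelihood * self.residual_impact
        return self.inherent_score()         # accepted as-is

    def needs_management_approval(self) -> bool:
        # Residual risk still above the acceptance level: management must knowingly accept it.
        return self.residual_score() > ACCEPTABLE_RISK


def sample_register() -> list[Risk]:
    """Constructed register: assets, threats, scores and control labels are invented."""
    return [
        Risk("customer database", "ransomware on the file server", 4, 5,
             "mitigate", "offline backups with restore tests", 2, 2),
        Risk("staff laptops", "theft of an unencrypted device", 3, 4,
             "mitigate", "full-disk encryption", 3, 1),
        Risk("office Wi-Fi", "guest network misuse", 2, 2),           # 4 <= 6: acceptable as-is
        Risk("legacy FTP service", "credential sniffing", 4, 3,
             "avoid", "decommission the service"),
        Risk("email", "phishing leading to credential theft", 5, 3,
             "mitigate", "MFA plus awareness training", 4, 2),        # residual 8 is still above 6
        Risk("payment API", "DDoS during peak hours", 3, 4),          # 12 > 6 but accepted untreated
    ]


def risk_assessment_report(register: list[Risk]) -> dict:
    """Summarize the register the way a Risk Assessment Report would."""
    rows = [{
        "asset": r.asset,
        "threat": r.threat,
        "inherent": r.inherent_score(),
        "treatment": r.treatment,
        "control": r.control,
        "residual": r.residual_score(),
        "management_approval_required": r.needs_management_approval(),
    } for r in register]
    return {
        "rows": rows,
        # Controls chosen for mitigation are the input to the Statement of Applicability
        "applicable_controls": sorted({r.control for r in register if r.treatment == "mitigate"}),
        # Residual risks above the acceptance level that management must knowingly approve
        "residual_risks_for_approval": [r.asset for r in register if r.needs_management_approval()],
    }


if __name__ == "__main__":
    report = risk_assessment_report(sample_register())
    for row in report["rows"]:
        print(f"{row['asset']:<22} inherent={row['inherent']:>2} {row['treatment']:<8} "
              f"residual={row['residual']:>2} approval={row['management_approval_required']}")
    print("Controls for the SoA:", report["applicable_controls"])
    print("Residual risks for management approval:", report["residual_risks_for_approval"])
```

The validation in `__post_init__` is the part that matters most in practice: it refuses scores outside the agreed scale, mitigations with no named control, and controls that claim a residual risk higher than the inherent one, which is exactly the kind of inconsistency that makes a multi-department assessment unusable.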
7) Write The Statement of Applicability
Once you’ve completed your risk assessment, you’ll have a strong comprehension of which controls from Annex A you’ll need. The purpose of this document, frequently referred to as the SoA, is to:
- List and define all the controls that are applicable.
- Give the reasons why you’ve decided on these specific controls.
- State the objectives to be achieved with the controls.
- Describe how they are implemented within your organization.
8) Write the Risk Treatment Plan
Now for the final piece of the risk analysis: the risk treatment plan. The purpose of this plan is to define exactly how the controls from the SoA are to be put into practice. This is an implementation plan that will outline who will do what, when, with what budget, etc. This document is crucial to your ability to coordinate further steps in your certification project.
9) Define How to Measure The Effectiveness of Your Chosen Controls
This is one of those tasks that is generally underestimated by organizations, but it’s essential. If you can’t measure what you’ve done, how can you be sure you’ve done it and fulfilled the purpose? Therefore, you need to clearly define how you will measure the objectives and outcomes of your ISMS, your security processes, and your controls.
10) Implement Your Controls And Mandatory Procedures
It’s in this step that you need to start implementing the documents and records required by the ISO 27001 standard’s clauses (usually clauses 4 to 10) and the applicable controls from Annex A. This is the hardest and the riskiest step. It’s here where you start to enforce new behaviour in your organization. In almost all cases, new policies and procedures are needed, and things will have to change. Most people are set in their ways and resistant to change, so expect some pushback.
11) Implement Your Training And Awareness Programs
At some point, you will have to get everyone on board and start training. If you want your personnel to implement these new procedures and policies, you’ll have to explain why they’re necessary and train your teams to perform as required. There’s no sense in going through the first 10 steps on this list and then failing to train your staff on what they should be doing and who will be responsible for each task.
Employees missing these mandatory training sessions, or a lack of sign-off from management, is the second most common reason for ISO 27001 project failure.
12) Put your ISO Compliant ISMS Into Play
This is the step where ISO 27001 needs to become an everyday routine in your organization. But there’s a catch: you need records that people are doing what they’re supposed to do. ISO 27001 certification auditors need to see all this new activity recorded. Without records, you won’t be able to definitively prove that activities have been completed as planned. But there’s a silver lining to the requirement that you document everything: by keeping a record of the new procedures in situ, you’ll be able to internally monitor what’s happening, and you’ll know with certainty that your employees and suppliers are performing their tasks to the requirements.
13) Monitor the ISMS
At any given moment, you should be able to give an approximate answer to what’s happening within your ISMS. Are there any incidents? What kinds? Is everyone following the new procedures?
It’s here that the objectives for your controls and your measurement methodologies come into play. You have to be able to check that the results you’re getting are what you’ve set in your objectives. Is information getting backed up regularly? Is it a full, differential or incremental backup? Have new firewalls been updated and new cyber security protocols put into place? Has someone implemented a more robust cryptography protocol? If things aren’t going as planned and something is wrong, you’ll have to start corrective and preventative actions as soon as possible.
14) Conduct an Internal Audit
It’s fairly common that people aren’t aware they’re doing something wrong. Or, on the other hand, they know they’re doing it wrong but don’t want anyone to find out. Either way, if you are unaware of existing or potential problems, you’ll end up hurting your organization. You have to conduct an internal audit to find out whether your staff are performing their duties properly. The point is not to initiate disciplinary action, but to gain enough intelligence to determine whether you need to take corrective or preventive actions.
15) Conduct a Management Review
This is easily the most important step in the ISO 27001 certification process, and shouldn’t be taken lightly or treated as an activity that just needs a checkmark to satisfy your certification auditor. This is a chance to bring your executives into the fold and ask them to make crucial decisions about your ISMS, and by extension, your Business Continuity Management System (BCMS), which is a part of ISO 22301. The key here is to call a meeting of your top decision makers with a specific topic: the information security and business continuity of the company.
Whether this means you need a larger infosec budget, or need to move your off-site secure storage to a new location, you need to walk away having discussed the following:
- Whether or not your ISMS or BCMS has fulfilled its objectives.
- Which improvements are needed.
- If there are any changes to the scope or the workflows.
- Approval of any required resources.
- Modifications to the main documents.
This is also a good opportunity to educate your executives on the basics of information security and continuity, and how you can achieve compliance with ISO 27001 with their help.
16) Corrective And Preventative Actions
The purpose of this final step is to demonstrate that you’re making continuous improvements. As per the ISO standard, you need to perform these corrective actions in a systematic and transparent way, so it’s known exactly where problems (or nonconformities, in ISO terms) are to be reported, who is responsible for reviewing them and deciding how to resolve them, and who will be responsible for eliminating the nonconformity. With a transparent system, everyone can see what the problems are, how they’re being solved, and who’s doing the solving. Then document it, of course.
Time For Your Audit
It’s our hope that this ISO 27001 checklist can help clarify the tasks that need to be accomplished. This certification is definitely not an easy one, but it’s not all that complicated, and it is achievable. It just goes back to planning and staffing your project properly, and taking it one step at a time.
You’ll have that ISO 27001 certification soon, and you’ll be able to partner with clients that need the secure solutions only you can provide.