So, your company has been tasked with ISO 27001 compliance. What exactly does this entail? What steps should you take?

In this blog post, we aim to address these questions, providing you with clear guidance on what needs to be done to get you to certification stage.

What is ISO 27001?

ISO 27001 is an International Standard issued by the International Organisation for Standardisation (ISO) for managing information security. It outlines the requirements for establishing, implementing, maintaining, and continually enhancing an Information Security Management System (ISMS). Once you've successfully implemented your ISMS to meet these requirements, you can seek certification from an accreditation body.

Why is ISO 27001 important?

Perhaps a customer has inquired about your ISO 27001 certification, or a tender you're pursuing demands it. Alternatively, you might be seeking a competitive edge by demonstrating how securely you manage data.

ISO 27001 offers a framework for creating an ISMS around any information security controls your company may already have in place. It achieves this by utilising a risk-based approach to systematically evaluate your organisation's information security risks. This includes considering threats, vulnerabilities, and potential impacts to design and implement a coherent and comprehensive suite of information security controls, or other risk treatment measures, to address unacceptable risks.

ISO 27001 provides a list of controls that can be implemented, and you can also incorporate controls from frameworks such as the Information Security Manual (ISM) or New Zealand Information Security Manual (NZISM) into your ISMS, either initially or as you expand its scope. Certain government agencies and regulatory bodies may require custom ISMS and control lists like these.

How Do You Implement an ISMS?

Now that you've decided to implement an ISMS and embark on the path to ISO 27001 certification, it's important to recognise that this process takes time. You'll need to define and establish your ISMS before pursuing certification. Below, we outline a rough timeline of considerations to guide you.


Understanding the Standard - Immediately

Your first step on the ISO 27001 journey should be to purchase and download the standard from the ISO website: https://www.iso.org/standard/27001. Take some time to read and understand the standard thoroughly to begin planning your ISMS effectively.

Gaining Management Buy-In - Week 1 & 2

Engage with your senior management to secure their support for reducing data security risks by implementing an ISO 27001-compliant ISMS.

To achieve this, you'll need to articulate the benefits of safeguarding your company's data, including customer and staff data, along with your intellectual property. As part of this, top management will need to designate responsibility for the management system and participate in creating an information security policy. Typically, a Chief Information Officer (CIO) or Chief Information Security Officer (CISO) is assigned responsibility for the ISMS.

Additionally, you must determine the necessary project resources before commencing the project.

Initiating and Defining the Project - Months 1 & 2

Project initiation means working through the ISO 27001 standard from the beginning: determining the boundaries and scope of the ISMS, identifying your information assets, and selecting which assets to protect within the ISMS. The assets you select are the ones that will be listed on your ISO 27001 certificate.

This may encompass:

  • HR systems housing employee data.
  • Production environments for hosting web-based products or physical product manufacturing processes.
  • Software development environments containing source code and intellectual property.
  • Physical facilities hosting or transporting information assets.
  • IT systems used for information hosting or transportation, including suppliers who may host these systems.

Notably, you can expand your scope after initial certification. This allows you to first implement core ISMS processes and procedures and later incorporate elements like software development or other areas of your business.

After determining your ISMS scope, conduct a risk assessment to identify threats and evaluate whether the associated risks are acceptable, and how to treat each risk.

Implementing the ISMS - Months 2 & 3

With the risk assessment completed and a plan for risk treatment in place, you can begin breaking down different aspects of the system and assigning responsibilities to the appropriate teams. This involves crafting security and privacy policies and procedures and incorporating any new controls into existing documentation.

Ensure that you collect evidence of controls during this phase. This documentation will be crucial during audits to demonstrate control implementation and performance. Following documentation, proceed to implement the controls, integrating new steps or checks into existing processes and introducing any necessary new processes.

As you implement these controls and processes, be sure to provide training to your staff, educating them on how to use these systems and imparting information security best practices.

Around this stage, you can opt for a Gap Assessment, where an auditor reviews your ISMS against the ISO 27001 standard, identifying any gaps. While this is optional, it can provide peace of mind before commencing the certification audit process.

Assessing Performance - Months 3 & 4

After implementing new controls, compile documentation regarding their performance and organise it for assessment of effectiveness. Before pursuing certification, you must complete at least one cycle of internal audit and management review to evaluate ISMS performance and identify opportunities for improvement.

Once this stage is completed, you can begin discussions with DQS about certification!

Author
Brad Fabiny

DQS Product Manager - Cyber Security, and auditor for the ISO 9001 and ISO 27001 standards and information security management systems (ISMS), with extensive experience in software development.
