As a business owner, you know that ISO 27001 certification is being asked of you more and more. Its popularity among your clients is growing.
You might have already implemented information security to some extent, like having in place some good technical controls, but you can take it further.
This article looks at 10 steps to ISO 27001 certification you can apply to your business.
Before we move onto that, though, let’s discuss whether ISO 27001 certification works.
Does ISO 27001 Certification Work?
The short answer is a resounding “Yes”. The reason it works is because more and more potential clients will not sign a deal with you unless you have it. You wouldn’t be here if someone hadn’t asked you to have it.
ISO 27001 certification, or the fact of being certified, can increase sales.
ISO 27001 certification offers multiple other benefits, too, such as:
- Significantly less time spent on security questionnaires
- Higher customer satisfaction and confidence
- A differentiator to your competitors
72 percent of businesses say they only engage with companies that are ISO 27001 certified, and most customers expect companies to understand their information security needs.
Now you have a picture of ISO 27001 certification and its benefits, let’s move on to the 10 steps that work.
1. Company Buy-In
If you do not have buy-in from the owners of the company and your colleagues, you won’t have a good starting point for ISO 27001 certification.
This sounds simple enough, but where do you start? By talking to people, understanding their concerns and creating a shared vision based on the benefit.
For instance, you could ask them for their:
- Pain points
If the goal is to increase sales and win contracts, you can share that information and show how an increase in sales can directly benefit both the employee, in terms of wage and bonus opportunity, and the company, in terms of share price and dividend returns.
2. Create Policies
Information security policies have always been important in the world of information security, but they must be specific for the best results.
For example, they should reflect what you do and they should be based on best practice and industry standards.
You can research the information security standards that are out there and compile your own set of information security policies, or you can purchase a trusted, proven pack of policies.
Whichever route you take, you want policies that set out what you do, not how you do it, and you want to agree them and share them throughout the business.
3. Build the Information Security Management System
ISO 27001 is the standard for an information security management system (ISMS). The standard is clear on what needs to be addressed, but the art is in how you go about addressing it.
You can get a copy of the standard, work through the 114 points of the ISO 27001 ISMS and create documents and processes that satisfy the requirements. The benefit of this is that you will learn a lot about the standard. The downside is that it is going to take you a long time, and most likely you or your staff will want to take expensive training as well.
You could purchase a trusted Information Security Management System to save yourself over a month of time and those expensive training costs, fast-tracking this step.
4. Write down the Business Processes
We can be a little more specific with this step. You want to write down the processes around information security that are required by the standard.
You will already be doing over 90% of what is required in one shape or form. You just need to write down what you do.
Then you need to compare it with the Annex A controls to see if there are any gaps or enhancements needed.
For small companies it is highly recommended to have one document, call it the Information Security Operations Manual, and have all your processes recorded in it for ease and convenience.
Don’t forget, when writing down the business process, to include the exceptions step. The exceptions step is the step in the process when things do not go to plan. What happens if the process throws out an unexpected result? Write that down.
5. Implement the Controls
There is nothing scary or hard in here.
Go through Annex A and record what you do to meet each control. If you do nothing, implement something. If you do something but you could do it better, improve it.
6. Audit Yourself
Audit is the act of checking that something is as it should be.
By this step you have your policies and your information security management system, your controls are in place and your processes are documented.
You have achieved a lot so far. Now it is time to check that it is all as it should be.
7. Choose who will certify you
Certification cannot be performed by any Tom, Dick or Harry. Companies that certify you have to follow some basic rules:
- They cannot implement or help you to build or run ISO 27001
- They have to be accredited
They are all regulated in how they certify you and whilst costs will differ, the end result is the same. Choose your certification body wisely. We know the good, the bad and the ugly. You can always ask us if you need a little help.
Most certification bodies use independent contractors to conduct the certification audits.
Once you have chosen your certification body, they will give you a quote and set the dates for the certification audit.
8. Take the ISO 27001 Stage 1 Certification Audit
The certification audit is split over 2 audits, called Stage 1 and Stage 2.
When it comes to the Stage 1 audit, it is going to focus heavily on the information security management system. Make sure all your document versions and version control are correct, all comments have been removed from documents, documents have the correct classification and that you have conducted at least one internal audit.
Having people available for the audit will make things go a lot more smoothly. This part is more about planning and logistics than anything else.
Relax, you have worked hard to get to this point. The auditor is not out to fail you. They are on your side.
9. Take the ISO 27001 Stage 2 Certification Audit
The Stage 2 audit is all about you and how you operate. This part of the process is the ‘Show Me’ step.
The Show Me Step is where the auditor wants to see your processes and controls in action.
They are going to ask you to log into systems, walk them through steps, ask questions – all with the intent of seeing that things are working as they should be.
These are things you do day in day out. There is nothing to worry about. Have the people that do the work available and you will breeze through.
10. You are Certified – Celebrate
You successfully reached the end of the process. The auditor will issue a report and assuming you passed they will recommend that you are certified. You will receive your certificate in 6 to 8 weeks depending on how good their admin is.
What if you didn’t pass?
If you didn’t pass, don’t worry. Most certification bodies will give you a few weeks to fix the things that didn’t pass, and when you show you have fixed them they will recommend you for certification.
It is now time to update your marketing and sales to show you are certified and tell the world, your clients and your potential new clients.
Well done. You did a great job.
ISO 27001 Steps Quick Guide
A quick summary guide, or recap, of the 10 steps.
Time needed: 90 days.
There are 10 simple steps that you follow to achieve ISO 27001 certification. Those simple steps are:
- Buy In
In a meeting secure agreement from the leadership team and a budget to proceed. ISO 27001 certification needs the full backing and support of the board of directors and senior management team.
- Create Policies
- Build the Information Security Management System (ISMS)
The information security management system needs building and writing and there are 27 core documents that are needed. Build the ISMS.
- Build the processes
Business processes that document how you run your business are needed. If it isn’t written down it doesn’t exist. Document your business processes.
- Implement the controls
ISO 27001 refers to Annex A / ISO 27002 which suggests 114 business wide controls that need to be implemented. Select which controls are relevant, record them in the Statement of Applicability and implement them.
- Conduct internal audit
Internal audit is required on an ongoing basis and before you undertake the certification. Perform an audit of the ISO 27001 policies, the information security management system and the 114 controls of Annex A / ISO 27002.
- Choose your Certification body
The certification is performed by a UKAS accredited Certification Body. There are several to choose from.
- Take the Stage 1 Audit
The certification body will perform a 2-stage audit, visiting you on 2 occasions to check things are in place. Stage 1 mainly looks at the Information Security Management System, including policies and documentation.
- Take the Stage 2 Audit
Stage 2 is your second and final visit and audit by the certification body. Stage 2 mainly looks at the processes and the effective operation of the Annex A / ISO 27002 114 controls. Book your Stage 2 audit and make sure you can evidence the operation of processes and controls. Make people available as required.
Congratulations! You followed the 10 steps to ISO 27001 certification, all that hard work has paid off and you are now UKAS certified to ISO 27001. Print your certificate and display it with pride on your website and in your marketing materials. You will now have opened the door to new commercial opportunities and clients.