The 10 steps to ISO 27001 certification is a guide to how to go about certification and what needs to be done.
Time needed: 90 days.
- Buy In
In a meeting, secure agreement from the leadership team and a budget to proceed. ISO 27001 certification needs the full backing and support of the board of directors and senior management team.
- Create Policies
- Build the Information Security Management System (ISMS)
The information security management system needs to be built and written, and 27 core documents are needed. Build the ISMS.
- Build the processes
Business processes that document how you run your business are needed. If it isn’t written down it doesn’t exist. Document your business processes.
- Implement the controls
ISO 27001 refers to Annex A / ISO 27002, which suggests 114 business-wide controls that need to be implemented. Select which controls are relevant, record them in the Statement of Applicability and implement them.
- Conduct internal audit
Internal audit is required on an ongoing basis and before you undertake the certification. Perform an audit of the ISO 27001 policies, the information security management system and the 114 controls of Annex A / ISO 27002.
- Choose your Certification body
The certification is performed by a UKAS accredited Certification Body. There are several to choose from.
- Take the Stage 1 Audit
The certification body will perform a 2-stage audit, visiting you on 2 occasions to check things are in place. Stage 1 mainly looks at the Information Security Management System, including policies and documentation.
- Take the Stage 2 Audit
Stage 2 is your second and final visit and audit by the certification body. Stage 2 mainly looks at the processes and the effective operation of the 114 controls of Annex A / ISO 27002. Book your Stage 2 audit and make sure you can evidence the operation of processes and controls. Make people available as required.
Congratulations! You followed the 10 steps to ISO 27001 certification, all that hard work has paid off, and you are now UKAS Certified to ISO 27001. Print your certificate and display it with pride on your website and in your marketing materials. You will now have opened the door to new commercial opportunities and clients.