Senior management needs to be behind the decision to pursue ISO 27001 certification. There is definite value in communicating this internally, as it reinforces the company’s aspiration to pursue best practice.
What is needed? A concise and positive briefing to senior management outlining the benefits and how certification provides a platform for business growth.
2. ISO Management Representative
The company appoints a responsible and knowledgeable manager to run the programme and its implementation. This person will become the company’s ISO 27001 specialist, understanding the controls and milestones needed to reach certification.
What is needed? Selection of the right individual, with a specific job description and knowledge of ISO 27001 and ISMS requirements.
3. Gap Analysis and Risk Assessment
A risk assessment or gap analysis is conducted to find out what can go wrong and which threats endanger the confidentiality, integrity and availability of information. This establishes the maturity of the existing controls within the business and determines its risk profile.
What is needed? The gap analysis, followed by a risk assessment of all in-scope people, processes and technology, performed by a qualified auditor. An understanding of the maturity of controls and of the risk profile.
4. Scope & Implementation Plan
Reviewing the output of the gap analysis allows the business to validate the scope of the implementation and its functional and operational boundaries. For each risk identified, appropriate controls are set to manage the risk in a systematic way, ensuring nothing important is missed. Key milestones, time requirements, and dates for any pre-assessment and staged audits are set.
What is needed? A concise step-by-step guide that explains the ISO 27001 process in sufficient detail.
5. Employee Introduction
It is important to engage with employees from the beginning so that they buy into the ISO 27001 certification process and respond appropriately. It also helps them understand the individual, company and client benefits.
What is needed? A short and easy-to-understand ISO 27001 and security introduction briefing that focuses on how employees are affected and their role in the successful implementation.
6. ISO Documentation, documentation, documentation, documentation!
ISO 27001 certification requires extensive documentation addressing all relevant milestones and individual controls. This documentation forms the criteria the company is measured against to meet the standard.
What is needed? A set of policies, standards and procedures to ensure the business is adhering to all requirements in an efficient and achievable manner.
7. Implementation and Pre-Assessment
With the gap analysis, scope and documentation ready, it is time to put the new processes into ‘business as usual’ throughout the company and start realising the many benefits of ISO 27001. At this stage it is beneficial to conduct a pre-assessment to confirm the company is on the right track and to validate the evidence.
What is needed? Pre-assessment forms, checklists and the gathering of evidence. Communication to staff about the revised processes, the need to adopt them fully, and a channel to report back on what isn’t working.
8. Internal ISO 27001 Audits
ISO 27001 requires an internal audit to assess where the company stands against the milestones and in the implementation phase. An auditor will complete documentation assessing the risks, noting controls and remediation, to highlight the improvements required.
What is needed? An experienced internal or external auditor. Audit tools including forms, complete audit checklists and audit reports.
9. ISO 27001 Certification
The most important step is to pass the ISO 27001 certification audit. An independent assessor will issue a certificate stating that the business meets the ISO 27001 controls and requirements. The appointed internal representative needs to be confident in the process they have followed and consider how best to interact with the assessor.
What is needed? Employee preparation for the ISO 27001 certification audit, including the questions that may be asked and the areas the audit will focus on. An independent assessor from a reputable certification body.
10. Maintaining the ISO 27001 Certification
It is important to keep the ISO management system working by integrating it into daily operations. The business should focus on continual improvement.
What is needed? A reinforcement message to employees. A focus on maintaining the standards through an internal champion. Treat the ISMS as an integral component of the business processes and not a one-off project.