Schellman becomes The First ISO 42001 ANAB Accredited Certification Body!

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

How to Create Efficiencies in Your ISO 27001 Certification

ISO Certifications | ISO 27001

Ever been on the road with Google Maps or something similar handling your navigation? Whether you’ve driven the route from Point A to Point B before, or if this is your first time making your way, we’re grateful for the assistance and confirmation that we’re taking the right steps.

One of the arguably best features of these navigation maps is when they call out “faster route available. Would you like to reroute?” Who wouldn’t want to get to their final destination successfully and more efficiently? The same is true in business, particularly for ISO 27001 certifications.

Being such a comprehensive standard, ISO 27001 has been skyrocketing in popularity in recent years as a framework of choice for many organizations and their information security. But just as its holistic approach provides many advantages, there’s also a lot to consider and prepare for—as well as a lot of potential stumbling blocks.

Just as Google Maps helps you navigate where you need to go, we—as an accredited ISO certification body that regularly assesses those working to achieve this certification—are going to provide some insight to help you do that more painlessly. In this article, we’ll discuss three common challenges organizations often encounter during ISO 27001 and how you can better avoid them.

Consider this your “faster route available”—with this information, you’ll be able to navigate ISO 27001 more efficiently.

3 Big Challenges with ISO 27001 (and How to Avoid Them)

While every organization is different, preparation to go for this certification will be a big lift for anyone. Though there’s plenty of guidance out there to help you get from start to finish successfully, the following represent some of the common hurdles encountered by organizations undergoing ISO 27001 certification, knowledge of which will help you to prepare that much more thoroughly to clear them more quickly or avoid them altogether.

1. Lack of Leadership and Commitment from Top Management

 

As with any compliance initiative, you obviously must get approval from leadership before proceeding with ISO 27001 certification. But where this particular standard is concerned, it’s about more than just getting the go-ahead to tap the budget—top management must play an active, large role in your information security management system (ISMS) if you’re to succeed in becoming certified.

Not only does ISO 27001 feature specific requirements regarding leadership, but the holistic nature of the framework means that leaving out their input could lead to even more problems and nonconformities you have to address.

While there are other management system requirements to consider, here are some other ways a specific lack of leadership commitment could derail your ISO 27001 certification:

ISO 27001 Requires…

Not Involving Management Would Mean…

The creation of an information security policy and information security objectives.

Potentially creating a policy and objectives that don’t align with the greater strategic direction of your organization.

The establishment of a comprehensive ISMS.

ISMS requirements and controls may not be successfully integrated into the organization’s processes (beyond IT).

Clearly delegated ISMS information security roles and responsibilities.

No assignment of relevant responsibilities and authorities as they relate to the ISMS implementation, maintenance, and improvement, a.k.a. a control failure.

Also, without designated roles and support to those personnel, folks may not be adequately motivated and able to direct and support information security activities within their areas.

Continual support of information security management processes.

If this is not overseen by top management, your ISMS may not achieve its intended outcome(s).

To avoid these pitfalls, top management must be the driving force behind your ISMS and its achievement. Make sure they are, starting with:

  • Assigning someone from top management (e.g., the CEO) who should understand completely the strategic issues around IT governance and information security and the value to your organization.
  • Ensuring they pay specific attention to monitoring the progress of the ISO 27001 implementation plan as they do to monitoring all other key business goals.

2. Lack of Documented Information Regarding Your ISMS

 

Though documentation can be a common problem across all compliance initiatives, this standard’s comprehensive nature again can throw a spanner in the works. ISO 27001 directly requires a lot of documentation—more than perhaps organizations expect—and this lack of knowledge regarding the standard oftentimes can result in nonconformities during the certification process.

Regarding your ISMS, you must document (and communicate):

  • The scope of your ISMS
  • Your information security policy and objectives
  • Your risk assessment and treatment processes, as well as the results of said processes
  • Your Statement of Applicability
  • Evidence of your audit program/results, monitoring and measurement results, management reviews, and nonconformities/corrective action

In our experience, we find that it’s specifically a lack of documented information related to recording actions, decisions, and outcome(s) of ISMS processes and information security controls that throws organizations off. For others, it’s that the information they do write down is not sufficient enough to allow the performance evaluation requirements to be carried out.

But, if you thoroughly record all of these items, not only will you be that much closer to compliance with 27001 requirements, but you’ll avoid a lot of instability surrounding your ISMS if when persons in key roles change.

To make sure you create adequate documentation that meets ISO 27001 requirements:

  • Take care to establish a complete understanding of the standard and the exact requisite documentation.
  • Ensure that appropriate individuals review all documentation where required before releasing the information into general circulation.
  • Control access to that information so that it cannot be changed accidentally, corrupted, deleted, or accessed by individuals for whom it is not appropriate.

3. Lack of a Sufficient Internal Audit Program

 

In addition to extensive documentation, ISO 27001 also requires the establishment of an internal audit program as an important contributory factor to your ISMS’s (required) ongoing effectiveness.

Because 27001 requires recertification and continuous improvement, that means you’ll need to figure out how to conduct these periodic internal audits, but sometimes, organizations won’t realize this is a mandate, and other times, they don’t have the resources or budget to maintain anything effective.

Unfortunately, for those undergoing certification, this could lead to more nonconformities during internal and external audits, as well as the potential problems that could arise in leaving your high-risk controls and/or sites unassessed on a more frequent basis.

While we can’t offer any advice on getting around financial constraints, we can tell you that, to avoid getting caught out by this requirement, consider:

  • Establishing a complete understanding of the ISO 27001 standard.
  • Documenting a well-defined internal audit plan that covers each ISMS clause, each applicable Annex A control activity, and each high-risk in-scope location at least once throughout the 3-year certification cycle. (Do this through collaboration with management and control owners.)
  • Ensuring the internal audit program is reviewed at least annually for accuracy and completeness.
  • Confirming that the results of the internal audits are reported to top management.

 

Other Considerations for Your ISO 27001 Certification

We all know the feeling of being en route only to drive up into a bottleneck of red tail lights that we wish we would’ve anticipated—had we known, we might’ve taken an earlier exit or a different way.

ISO 27001 is a complicated and comprehensive standard that can present a variety of problems to organizations looking to provide assurances to their customers. Though learning about these particular challenges of ISO 27001 certification won’t guarantee you get through the entire process without any difficulty, this awareness will help you do what you need to for a better experience.

To make sure you have the easiest time with such a complex standard, make sure you check out our other content on the different aspects, including important information regarding the latest big update to ISO 27001 and the related ISO 27002:

About Emirhan Ozsoy

Emirhan Ozsoy is a Senior Associate at Schellman. Prior to joining the firm, Emirhan was an IT auditor with KPMG, and later a senior IT auditor with Ernst & Young, where he had the opportunity to gain varied experience, including regarding SOC reporting, Sarbanes-Oxley 404 compliance reviews, and ERP controls implementation projects. Since joining Schellman in 2008, Emirhan has been dedicated to performing SOC reporting projects for clients. To date, Emirhan has provided services to clients in the financial services and information technology industries, among others. Emirhan has also provided professional services to companies of all sizes during his career, including Fortune 1000 and publicly traded companies.