10 Steps to Help You Prepare For ISO 27001 Certification
The Super Bowl may be the marquee event of every National Football League season, but talk to any of the players who have participated in these championships. They'll tell you that these annual games actually represent the culmination of long hours spent training and planning for The Moment.
The same is true for ISO 27001, which generally entails one of the more labor-intensive preparation periods in compliance.
And while it would be nice for football professionals to skip to just playing (and winning) in a Super Bowl without all those diligent prep efforts, they can’t. It’s a whole process to even get to that pinnacle opportunity, and the same goes for you and your potential ISO 27001 certification.
As an accredited ISO Certification Body, we’ll be upfront–building your ISMS isn’t quick or easy, and it’ll require hefty investment from you.
But in this article, we will provide you with a baseline to get started on this extensive “game planning” period that absolutely must precede the Super Bowl that is your ISO 27001 certification process.
With this understanding, you’ll have a solid starting list of to-dos that will help you map out further construction of your own ISMS.
How to Build Your ISMS
“Plan” is the keyword.
Just as the road to a Super Bowl may take months or even years, a lot of time spent during the ISO 27001 process is on the planning and preparation ahead of the actual audit. Before your certification body even steps in the room, you need to get your required ISMS implemented and operational, and like we mentioned before, that’s not quick or easy.
While this list does not include every single requirement you’ll need to satisfy, it will at least get you started. Here are 10 things you can do that will ultimately help you construct a compliant ISMS.
1. Develop an ISO 27001 Working Team and Secure Support from Leadership.
2. Design and Build Out Your ISMS, Including Determining its Scope.
3. Perform a Gap Assessment.
4. Define and Communicate an Information Security Policy.
This information security policy helps ensure relevant objectives and requirements can be met. This policy must:
- Be compatible with your strategic direction as an organization;
- Include information security objectives or provide the framework for setting objectives; and
- Include a commitment to continual improvement—this is why buy-in from top management is critical.
But it’s not enough to just establish the policy—you must also communicate it to both internal and external interested parties. After all, there’s no value in policies or procedures if no one is aware of them. If in-scope personnel understand the information security policy, their contributions to its effectiveness, and the implications of not conforming with ISMS requirements, your organization will be that much better served (and compliant).
5. Define Information Security Objectives.
You also must define how you plan to achieve them. These objectives should be tailored to your organization based upon the scope and boundaries of your ISMS and your needs, but here’s a quick list of common starting points, built around the properties ISO 27001 itself uses to define information security. You might want to protect the:
- Confidentiality;
- Integrity;
- Availability; and
- Privacy of assets within the scope of your ISMS.
As for planning how to achieve them, ensure you define the following for each of your information security objectives:
- What will be done;
- What resources will be required;
- Who will be responsible;
- When it will be completed; and
- How the results will be evaluated.
6. Establish Resources and Determine Competencies.
Ensure you have the appropriate resources in place to support your ISMS, including proper resource allocation and defined competencies, both of which are critical to a successful implementation. Determine the competencies you need—e.g., education, training, experience—and create a process for vetting potential employees against them during onboarding, as well as for acquiring any missing competencies on the job.
7. Implement a Formal Risk Management Program.
8. Design and Implement Further Controls.
9. Document Everything.
10. Define Measurements to Evaluate and Monitor the Effectiveness of Your ISMS and Achievement of Your Information Security Objectives.
What to Do After You’ve Established Your ISMS: 3 (Bonus) Steps
1. Conduct an Internal Audit.
2. Conduct Management Review.
3. Monitor What You’ve Got, Refine It, and Remediate Problems As Necessary.
Deciding on An ISO 27001 Certification
At this point, you may be dubious about pressing forward with this particular compliance initiative, and that’s completely fair. While ISO 27001 certification would afford you many benefits, you might also consider the alternative of a SOC 2 examination, which can often be completed more quickly.
Plus, SOC 2 shares a number of overlapping controls with ISO 27001, and it is also a widely accepted and popular information security standard.
But, if you’re set on becoming ISO 27001 certified, you’re likely to have more questions about how the specific variables at your organization will affect your process. Reach out to us so we can help you further shape what your ISO 27001 experience could look like.
About Kristin Semones
Kristin Semones is a Senior Associate with Schellman & Company, LLC. Kristin's experience ranges from a variety of SOX and SOC audits to ISO compliance. As a Senior Associate with Schellman, Kristin is focused primarily on ISO engagements for organizations and across various industries.