ISO 27001 Certification Guide

Sep 08, 2021

What is ISO 27001?

ISO 27001 is the international standard that provides the specification for an Information Security Management System, also known as an ISMS.

What is an ISMS?

An ISMS is a systematic approach consisting of people, processes, and technology that supports your business by protecting and managing all your information through a risk management process.

Effective cyber security is a journey rather than a destination. This is the picture that the ISO 27001 standard paints.

- Jon Coss, JC Cyber Security Services

ISO 27001 Certification

As ISO 27001 certification is not mandatory, not all organisations will choose to pursue it. However, there are many benefits to becoming certified.


If not managed correctly, becoming certified and creating an optimal ISMS can be difficult. Company-wide decisions regarding the following have to be carefully thought out and managed:

  • Recruitment
  • Planning
  • Funding
  • Implementation
  • Staff Competence
  • Post-Launch Management
  • Training & Awareness

How much does certification cost?

The cost of obtaining ISO 27001 certification depends on many different factors within your business, such as people, processes and technology. Therefore, it is incredibly important to establish what it will cost before you go ahead with your implementation processes.

ISO 27001 Certification Checklist

Step 1 - Assign/Implement a team to carry out the project

It may not be financially achievable for your business to build its own internal team. It could be beneficial to engage an external organisation to manage this project for you, as hiring suitable staff with the necessary experience, qualifications, and certifications can take a lot of time, management, and funding. If you would like to know more about how JC Cyber Security can help your business become ISO 27001 compliant, contact us and one of our Cyber Security Experts will be happy to assist you.

Once you have appointed a suitable candidate to serve as project lead, they will be responsible for overseeing the implementation of your ISMS and creating a project mandate that answers the following questions:

  • What are we attempting to achieve?
  • How long will this process take?
  • How much funding will this project require?
  • Do we currently have the right amount of support to complete the work?

Step 2 - Produce an Implementation plan

Once the project mandate from step 1 has been agreed with senior management, the team will create a more detailed outline covering the plan, information security objectives and any vulnerabilities identified by the initial risk assessment.

At this stage, high-level policies will be thought out for the ISMS that establish:

  • Staff roles & responsibilities
  • Managing the ISMS post-launch (to ensure it doesn’t become obsolete)
  • Ensuring minimal business disruption when implementation is complete
  • Necessary staff/departments that may require training and awareness courses to ensure staff competence

Step 3 - Determine a continual improvement methodology

There is no single methodology that is applicable to all organisations. You can use any approach, provided your ISMS requirements and processes are:

  • Clearly defined
  • Implemented appropriately
  • Regularly reviewed and improved

Create an ISMS policy detailing what your organisation wants to achieve and how it will go about completing this work.

  • To be signed off by senior management before any work is initiated

Create a document structure consisting of the following:

  • Policies defining your organisation's position regarding acceptable use, password management and any other identified issues
  • Procedures that enact the requirements of those policies
  • Documentation on how employees are expected to meet those policies

Step 4 - Define the scope of your ISMS

Understanding the scope and defining the overall scale is crucial. This process involves documenting how your ISMS will tackle the following questions:

  • What level of reach will it have in your organisation?
  • What impact will this have on your day-to-day operations?
  • Will the ISMS meet all our needs?
  • Where do we store our data?
  • What type of data do we process?
  • What infrastructure do we have in place?

If your scope is too small, you will not appropriately protect your organisation and its stakeholders.

If your scope is too big, your ISMS will not efficiently protect your organisation.

Step 5 - Identify your security baseline and mitigate risk

Identify the minimum level of activity required to conduct business in a safe and secure fashion. To identify this, use the information gathered from an ISO 27001 risk assessment.

Step 6 - Implement a risk management process

Risk management is a core aspect of your organisation and of becoming ISO 27001 compliant, as it will help you:

  • Establish a risk assessment framework
  • Identify risks
  • Analyse risks
  • Evaluate risks

Once a risk has been identified, you must address it. You can either:

  • Tolerate the risk
  • Remove the risk by implementing the appropriate controls and safeguards
  • Avoid the risk by using an alternative method
  • Transfer the responsibility of the risk to another party through an agreement

Complete a Statement of Applicability (SoA) document covering the controls you have selected and omitted, detailing why you made the choices you have.

Step 7 - Implement a risk treatment plan

Implement a risk treatment plan to build security controls and safeguards that will protect your information, so that:

  • Security Controls are effective
  • Staff can operate your ISMS controls
  • Staff understand their information security obligations

Step 8 - Review your ISMS

Once you have successfully implemented your ISMS, you must ensure that it is working appropriately. To do this you must review it:

  • To understand whether or not you are ready to apply for certification
  • You can use a quantitative analysis (where you assign values to risks) to determine how devastating they could be if exploited by a threat actor
  • You can use a qualitative analysis, which is based on contextual judgement

Conduct internal ISMS audits:

  • One department at a time (to prevent a company-wide loss in productivity and to ensure your auditing staff are not stretched too thinly)
  • Results from the audit can feed your continual improvement process

Step 9 - Certification

Once all the necessary processes and documentation have been implemented, you can seek ISO 27001 certification. You should only apply for certification once you are confident:

  • As the overall process can be time consuming
  • You will still be charged if you fail

Certification requires an external audit, conducted in two stages by a third-party certification body (CB) that must be a member of the IAF (International Accreditation Body).

  • The first audit determines whether your ISMS has been developed in line with ISO 27001 requirements. If the criteria are met, the auditor will proceed to a more thorough investigation. This stage requires evidence to be provided of all critical aspects of your ISMS.

  • If you pass the first stage, the auditor will conduct a more thorough assessment. This will involve reviewing the actual activities that support the development of the ISMS. The auditor will analyse your policies and procedures in greater depth, and review how the ISMS works, with an on-site investigation. The auditor will also interview key members of staff to verify that all activities are undertaken following the specifications of ISO 27001.

  • If certification is achieved, it is valid for 3 years. However, your ISMS will need to be managed and maintained throughout that period. Auditors from the CB will continue to conduct surveillance visits every year while the certification is valid.

Only A quarter of large businesses (24%) adhere to ISO 27001

- Department for Digital, Culture, Media and Sport
