Step 1. Understand the reason and find a project sponsor.
So, you’re thinking about getting your company ISO 27001 certified. But why? Defining clear reasons for certifying the company helps to gain the support of management and find a project sponsor. Like any other project in the company, an ISO 27001 certification project requires resources, and without the proper business support, the project’s chances of success will be slim.
There are several reasons why a company may need ISO 27001 certification. One is the financial benefit of certification, which can boost sales. There is also a strong business case, as winning potential customers is key for any company, so check with the sales team whether customers are asking for the company’s cyber security certification. Another compelling reason is compliance with regulatory requirements. The challenging part is that regulatory requirements rarely specify the exact certification that must be obtained; instead, they impose broad obligations to protect the confidentiality and privacy of customer information. Therefore, you will need to analyse which regulatory requirements with information security obligations apply to your company. A further common reason is efficiency in cyber security management. By implementing the standard’s requirements, the company can significantly increase the efficiency of its cyber security resources, which has a positive effect on the business.
After identifying the reasons, the next step is to find a business sponsor for the project. The ISO 27001 certification process requires resources and involves people from various business units, including the senior management team. A business sponsor will help significantly in allocating resources and involving people from other business units.
Next is communication. The leadership’s communication about the project is crucial in setting the right tone and emphasising the importance of the project. It also demonstrates the leadership’s commitment to protecting the company’s customers and information.
Step 2. Gain insights.
After successfully securing the leadership’s commitment and finding a project sponsor, you will need to understand the company’s readiness for ISO 27001 certification. To do this, you can perform a self-evaluation using various resources available on the internet, hire a professional consultant or use our tool to obtain expert recommendations.
Using a professional tool to help you gain insights and manage the project will significantly improve project outcomes and simplify the processes of obtaining ISO 27001 certification.
Step 3. Make the change.
In the next step, you and the project team will design and implement changes to the organisation’s processes to meet the standard’s requirements. Changes start with defining the ISO 27001 certification scope and identifying risks related to the scope. Furthermore, you will need to identify the documents that describe the organisation’s processes and controls for securing information, systems and processes. This step takes longer than the others as you will discuss the standard’s requirements with the different process owners, design the changes and implement them.
Depending on the organisation’s size, this can take a couple of months to a year. Here our tool can help you simplify the process and expedite the project.
Step 4. Check the result.
Once you and the team have implemented the changes identified in the previous step, it’s time to evaluate the results. At this point, you may want to consider enlisting external professional consultants to assess the company’s readiness and schedule the ISO 27001 certification audit. A professional consultant will review the project’s current status with “fresh eyes” and provide you with an actionable report within a few weeks.
Scheduling an ISO 27001 certification audit takes several months. Therefore, it’s a good time to enter into discussions with a certification body when you have finished implementing the changes. The certification body is accredited to issue the ISO 27001 certificate to customers after its assessment.
Step 5. The path to success.
The last, but not least, step in the process is the audit to obtain the ISO 27001 certificate. As mentioned above, the certification body will assess the company’s adherence to the standard’s requirements. Usually, this process consists of four steps.
Planning. This is when you provide information to the certification body so that it can evaluate the company and define the audit scope, including duration and cost.
First audit. The certification body will review the company’s structure and business processes to assess whether the certification scope is adequately defined. An auditor will also review all policies, procedures and the Statement of Applicability, training and communication plans, and other formal documents. This phase assesses whether the company meets the documentation requirements of the ISO 27001 standard.
Second audit. If the auditor does not find any non-conformities during the previous phase, they can schedule a second audit shortly. During the second audit, the auditor assesses the implementation of the controls to address the risks identified by the company. Typically, the auditor will meet with the control owners to verify that the controls documented in the policies or risk remediation plan are adequately implemented. Also, the auditor evaluates whether the control owners understand the ISO 27001 requirements. Therefore, it is essential that control owners receive training on ISO 27001 or the information security management system.
Audit report. The final phase is the issuing of the audit report. Usually, you will know the audit result at the end of the second audit. The auditor discusses with you all non-conformities and observations that were identified. If the auditor identifies non-conformities during the audit, you will have to provide an action plan to address them, including the timeframe and the responsible person. Once you and the auditor agree on the final result, they will prepare the audit report.
After successfully completing the audit and obtaining the ISO 27001 certificate, the project becomes a process. From this point on, you will monitor your company’s risk profile, design and implement new controls and measure the effectiveness of current controls and processes.