Journey to ISO 27001 Certification

There are many ways to implement an ISO/IEC 27001 certified Information Security Management System (ISMS). Depending on its current information security management practices, organizational culture, team structure and resources, an organization can choose a different approach. However, ISO/IEC 27001 certification cannot be achieved without proper planning. When an organization decides to become ISO/IEC 27001 certified, a detailed work plan should be developed as the very first step.

The journey typically starts with a gap assessment of the current state of the organization's information security management system and/or practices. The assessment will determine the gaps against the ISO/IEC 27001 requirements, and work packages will be defined to close those gaps.

Next, the organization will need to conduct a risk assessment according to the ISO/IEC 27001 requirements to identify the information security risks and determine the mitigating controls.

With the work packages identified in the gap assessment and the mitigating controls identified in the risk assessment, the organization can develop a roadmap that specifies the phases and key work packages for implementing the ISMS. A project plan or work plan should be developed to describe the work items, the responsible team/person and the timeline.

The organization will need to establish ISMS governance to direct, manage and oversee the design, implementation and certification of the ISMS. A working group should be set up that includes the persons/teams responsible for the work items identified in the work plan.

Once all work items are executed and completed, the ISMS can be switched to operational mode. The ISMS must be operated for at least 3 months to produce consistent evidence of the effectiveness of the security controls before the certification process starts.

Once an effective and consistent ISMS is in place, you can plan for certification. You need to prepare all documented information (e.g. policies, procedures, manuals, records, etc.) required for the audit. It is also beneficial to train the in-scope staff on the certification audit and how to work with the auditors.

The organization will need to engage a certification body, which will perform the certification audit. The auditor will review documented information, visit each in-scope location and interview in-scope staff to assess compliance with ISO/IEC 27001. If no non-conformity is identified, the auditor will recommend that your organization be ISO/IEC 27001 certified.

The certification body will review the audit report and evidence; if approved, the ISO/IEC 27001 certificate will be issued to the organization.