Always Audit-Ready
ISOPlanner™ is certified & Compliant
Stay on top and subscribe
- PlatformControlInsightAdoptionAccelerate
- SolutionsYour SituationFrameworksBy Industry
- ResourcesCommunityDiscover & Learn
What does an ISO 27001 certification project look like? What internal and external people and resources do you need? And exactly which measures are mandatory (or not)? Co-founder of ISOPlanner Ivar van Duuren explains.
To give you an overview of the whole process, here I briefly explain the main steps you need to take. The first step to start with ISO certification is to look at the context of your organization. Which parties are involved with you as an organization? Think about employees, shareholders, clients, suppliers, and other parties like that. And what do those parties expect from you when it comes to information security?The next step is to determine the risks. What risks do you see as an organization when it comes to information security? And then you usually start formulating a policy: you choose the measures you are going to use to mitigate those risks and how you want to implement them in your organization. And finally, you make sure that you periodically check whether you still comply with this policy.
You may wonder if you need help implementing the ISO 27001 standard or if you and your colleagues can do it yourselves. This depends on a few things.First, it depends on how much experience you already have within the organization with implementing ISO standards. If you don't have any, then it might be nice to bring in an external consultant to help you with the implementation.This also helps maintain progress. Implementing ISO 27001 may not always be the highest priority among the various departments involved. There are always things that take priority: customers who need help, and projects that need attention. Bringing in a consultant can help you keep pace with implementation.In addition, your need for help also depends on your decision to purchase a sample documentation package, for example. Such a package already provides a lot of information and sample documents that you need during implementation. It also provides a lot of structure that will help you implement ISO 27001 independently in your organization.
So who within your organization should you involve in the implementation of ISO 27001?First, your management must be involved. This is an important requirement of the ISO 27001 standard. Management must have an active role in controlling information security in the context of ISO 27001.In addition, more roles within your organization are relevant to information security. Very often we see an IT manager involved, from the technical aspects of information security. In addition, we also often see an HR manager. Who has to control who enters the organization as an employee. So for such "in and out" processes, that HR manager is important.And finally, there are often people involved who do executive work, such as making backups and setting them up. These are also people you want to involve in this project.
What external services do you need with an ISO 27001 certification? What you need in any case is an external auditor. This is a party that checks whether you as an organization ultimately meet the requirements of ISO 27001.From the ISO 27001 standard, another mandatory part is an internal audit. 'Internal' sounds a bit confusing, because it seems to imply that you can pick up this part internally. In principle, you can, but you need internal people who have the competencies to perform internal audits. And who therefore have experience in doing so.However, many organizations that start with ISO 27001 certification do not yet have that experience. So many organizations have an internal audit performed by an external auditor. This is not the same party that performs the real external audit. But in most cases, this is an external consultant who helps you implement ISO 27001 and who also takes on the internal audit.Finally, one of the measures in the ISO 27001 standard requires an external check on the technical security of your own developed applications. Many organizations commission a pen test for this purpose. If that applies to you, you will of course need a specialist party for that as well.
Many organizations wonder which ISO 27001 measures are mandatory to implement. The standard contains an annex, Annex A, with many measures that you can implement. These measures aim to reduce your security risks.Yet these measures are not mandatory, they are mere suggestions. The standard says that you must identify risks and take measures to control those risks. But you are not obliged to implement those suggested measures.However, it is mandatory to indicate why you are implementing all these measures. For example, based on risks you see. Also, if you do not implement a measure, you indicate your reasoning. You are also free to create your own measures if you find them more appropriate to manage your identified risks.
An external auditor checks whether your organization meets all the requirements of the ISO 27001 standard set. This is a certifying organization whose purpose is to verify that you meet all the requirements. This is done during the certification audit, which consists of two parts.The first phase consists largely of checking the documentation in place. The auditor checks whether your organization has all the mandatory documents you must have for ISO 27001. And also whether you have started your improvement cycle where necessary.In practice, he or she assesses whether you have a working process, or an information security management system (ISMS). Which involves the following questions:
In the second phase of the certification audit, the auditor not only looks at documentation and the policies that have been written. Now the auditor also checks whether you are complying with the established policy.
Log in to your ISOPlanner™ workspace, or start a free trial.
Log in Start your free trial