What does an ISO 27001 certification project look like? What internal and external people and resources do you need? And exactly which measures are mandatory (or not)? Co-founder of ISOPlanner Ivar van Duuren explains.
1. Who is responsible for implementing ISO 27001?
The standard states that the management of an organization carries primary responsibility for the organization's information security. On the one hand, this means making budget available and setting a good example. But in principle, it also means that management should designate one or more employees within the organization who are given responsibility for implementing the standard.
The most commonly used role is that of Information Security Officer (CISO). This person is usually given primary responsibility for implementing the Information Security Management System (ISMS). This is not the person who has to do everything, but the person to whom management assigns that responsibility, together with the authority to actually involve other people and claim their time.
Other people are involved in the implementation as well. Think, for example, of someone from HR who checks whether responsibilities, rights and obligations are properly defined in the employment contracts. Ideally, people from software development are also involved, to see whether best practices in secure development have already been implemented.
Another example is a software engineer who is brought in to check whether the cloud environment is set up properly. So in addition to the Security Officer, other people within the organization take part in the ISO implementation.
2. Can you implement ISO 27001 and NEN 7510 together?
Many customers ask us whether it is convenient or even possible to certify the organization for ISO 27001 and NEN 7510 at the same time. It is indeed very convenient to do, if only because the overlap between the two in the Information Security Management System (ISMS) is 100%.
Not familiar with NEN 7510? It is a Dutch-language information security standard, written specifically for use within healthcare. It is also a standard with a legal basis: healthcare providers in the Netherlands are required by law to implement NEN 7510. This should not be confused with NEN 7510 certification, which is not mandatory. Nevertheless, many parties in healthcare and their service providers do proceed to certification, because that is the crowning glory of their work.
3. Can you substitute or ignore ISO measures?
If you look at the list of control measures in Annex A of the ISO 27001 or NEN 7510 standard and you do not agree with those measures, are you allowed to choose other measures? For example, because you want to design them yourself or because you want to use a different set of measures? The short answer is: yes, you may.
The ISO standard provides suggested measures in Annex A that you can use as a checklist, to make sure you do not forget anything. However, the measures you ultimately choose may come from anywhere. And if at some point you conclude that you need an additional measure, it would be strange not to take it.
If you follow that line of reasoning, you can also decide that the whole list of measures from Annex A is not appropriate for your organization, and instead use a different set of example measures, for example from another ISO standard such as 27017 or 27018.
The standard also requires you to prepare a Statement of Applicability. In that Statement of Applicability you indicate which measures you have taken, but you must also indicate what you have done with the measures from Annex A. If you decide to ignore the Annex A measures completely and apply, for example, the CIS Controls instead, you state in your Statement of Applicability which measures from the CIS Controls you are using.
4. Is ISO 27001 also suitable for small businesses?
Many people think that ISO 27001 or ISO 9001 is suitable only for very large organizations. But the standard is written in a way that does not actually make that distinction.
In fact, if you read the standard carefully, it sets requirements, for example, for the documentation an organization must have, and it explicitly states that the amount of documentation and the manner in which it is maintained must be appropriate to the organization.
That explicitly leaves room for a very small organization to implement the management system as well, albeit without a huge pile of documentation, with just a few smaller policy documents and some simpler processes. That makes the standard perfectly applicable to a small organization.
5. How long must an organization exist for certification?
How long an organization must exist before ISO certification is a very interesting question. It comes down to the fact that during an audit you want to give the auditor confidence that the processes you show and the policies you have written have been alive and well within your organization for a certain period of time.
So an organization that has existed for two weeks, and whose management system was also written two weeks ago, will not give the average auditor the warm feeling that this is a well-rooted system.
If you look at what the standard itself says, there are no hard timelines in it. The standard only says that a management system qualifies for certification if it can be shown that all components have been implemented at least once (Chapter 4 through Chapter 10).
If all components of the Plan-Do-Check-Act cycle have demonstrably been carried out at least once, you can have the management system certified. In practice, we find that most consultants and audit firms do apply a minimum period of 3 months for this, but that requirement does not come from the standard.
Failures in ISO certification
In practice, we still see many situations where processes run across multiple systems and involve multiple people, with no proper hand-over from one system to the next. What can then go wrong is that steps are simply forgotten.
For example, someone does enter a new employee into the HR system, but forgets to tell a colleague that a ticket is needed to grant certain rights to that new employee.
The result is then not what it should be, and remedial work is needed afterwards. Meanwhile the organization is shaken up, wondering why something is not working and what went wrong.
What does an ideal compliance process look like?
In an ideal world, when a new employee joins the organization or a new supplier is engaged, the process begins the moment that employee or supplier is entered into the first system.
All subsequent steps that follow from that one process then flow automatically from one system to the next, and each time the employees who need to do something are triggered in the place where they already work, for example with a Teams notification that a task is ready for them. If a step is skipped, the person concerned automatically receives a notification or reminder to complete the work.
In that ideal world, the result is also recorded in a central location, in a system that everyone already works with.
Set up compliance automation workflows in 3 steps
Want to automate compliance within your organization? How do you set up those compliance automation workflows, and how do you keep those processes properly maintained? First, make sure you have one system in which you record the results of all those automated processes.
Second, identify which processes you want to automate. Once you have an idea of that, start calmly with one process: perhaps the process that currently takes the most work in the organization, or the one where the most mistakes are made, or the one where mistakes hurt the organization the most. Automate that first process, then pick up the next one, and build on it step by step.
Finally, look at which systems touch the processes. Which systems are involved in the various workflows? And what possibilities do those systems offer to link up and collect information in a central system, so that you keep an overview of all the processes?
More tips on ISO certification?
Feel free to contact us. We’d like to help you out!
About Maurice Pasman of Instant 27001
Maurice Pasman is the founder of Instant 27001, which helps organizations implement ISO 27001 efficiently by using sample documentation and templates. Since its launch in 2018, Instant 27001 has already helped more than 1,500 organizations (in the Netherlands and abroad) optimize their information security, prevent data breaches and improve their competitive position.
About Ivar van Duuren
Ivar van Duuren is a co-founder of ISOPlanner. He has experienced first-hand the fragmented ISO certification approach, with separate documents and the pressure to finish within a set deadline.
A simpler system that provided an overview of and insight into the required measures and planning was the answer to that frustration. With its unique integration with Microsoft Outlook and Microsoft Teams, ISOPlanner provides a simple and clear tool during certification processes.