ISO 27001 Certification: Step-By-Step Guide

Written by Ivar van Duuren

April 17, 2023

Implementing the ISO 27001 standard is not a one-off project. It is the start of a process of continuous improvement. Strangely enough, this process can become more and more fun: as an organization you gain more and more clarity, and you scrap and simplify things. As a result, you increasingly work together like a well-oiled machine. In this article we discuss the steps you must take to get your organization ISO 27001 certified, and we give examples of the preconditions you need for this process.


What is ISO 27001?

ISO 27001 is an information security standard that helps organizations protect their confidential data and maintain the trust of their customers and stakeholders. It describes the requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS).

Steps in the ISO 27001 certification process

Implementing an ISO 27001 certification can be a complex process. For a successful implementation, it is important to understand every step in the certification process. Here are the main steps.

1. Obtain management commitment

The first step is to obtain commitment from senior management for the implementation of ISO 27001 certification. This includes understanding its value and benefits and setting up a project team to manage the transition process. This is also the stage where you allocate resources for staff training and set up other activities related to achieving certification.

2. Determine the scope of your ISMS

At this stage you need to establish a clear definition of the scope of your ISMS. In this phase you determine which processes to include in the system and which areas and stakeholders need special attention. To identify these important aspects, many organizations draw up a SWOT analysis that examines the strengths, weaknesses, opportunities and threats of the organization. An example of a weakness is ‘small organization, so responsibilities cannot be divided among many employees’.

3. Assessment of the current state

In this phase you identify risks and weaknesses, after which you choose measures to limit those risks.


4. Development of policy documents

In this phase you build on the risk assessment from phase 3. Once you have cleared any hurdles, you start developing policy documents that clearly define how you intend to address these issues in the future as part of your ISMS strategy. These documents deal with topics such as incident response, access control policy, and information security policy in general.


5. Implement controls

In this phase you actually carry out the necessary actions. Think of implementing the information policy, installing new software solutions, or updating existing solutions. This also includes training employees in using new solutions and updating documentation.

6. Audit and Compliance Check

At this stage, external auditors carry out assessments against the specific criteria of ISO 27001. These assessments verify that all actions have been carried out correctly. In this phase an auditor also checks whether the measures are effective enough to secure sensitive data within your organization's ecosystem. Depending on their findings, auditors require corrective action or make further recommendations as necessary.

7. Certification

After successfully completing the audits, an accredited certification body issues your official ISO 27001 certificate. Before you receive the certificate, you have demonstrated how your organization meets all the requirements of ISO 27001.

How do you choose the right certification body?

Choosing the right certification body depends on several factors, including the size of the budget and the timeline for the desired result. In general, reputable certification bodies offer similar services, but the cost and timeline may vary.

Ensuring long-term compliance requires ongoing effort, both internally and externally. Internally you set up processes once, but in the long term you must regularly review and check the existing processes. Externally, you need to work closely with your chosen certification body to keep up to date with the latest industry standards.

Which tool do you use during your ISO 27001 certification?

Imagine: you have finally implemented all the rules and recommendations of ISO 27001. But then the compliance colleague responsible for it leaves your company. What remains is a folder of Word and Excel files, and nobody knows how they relate to each other anymore.

Actions that have to be performed periodically sit in a spreadsheet that no one looks at anymore.

In practice, this means that the new security officer has to start over. We often hear that this situation is the reason organizations introduce structure into the certification process with ISOPlanner.

That is of course a shame. Throughout the certification process, it helps to have a system in which you can easily make connections: for example, by linking policy to standards, and by assigning tasks for periodic checks and reviews to colleagues. This way you keep an overview of the progress. Ideally, all of this is integrated into the environment you already work in: Microsoft 365.

Need help implementing ISO 27001 certification?

Need help taking the steps towards ISO 27001 certification? ISOPlanner helps prevent financial and reputational damage by giving organizations an approachable way to comply with increasingly complex laws and regulations. Start a free trial of our software or contact us; we are happy to help!
