Phase 1 – Prepare a Project Plan
Gaining ISO 27001 certification can be a long and arduous task. Therefore, to save yourself time and future headaches, be sure to prepare a detailed project plan. During this stage it’s important to set expectations, so that everyone in the team is aware of their roles, responsibilities and project milestones. This is also the time to become familiar with the ISO 27001 standard and the 114 controls detailed in Annex A. Another important consideration is whether your team has the skills and experience necessary to achieve certification. Hiring an ISO 27001 consultant to guide you through your Information Security Management System (ISMS) journey may save you time and money in the long run. With all that in mind, it’s not hard to see that a comprehensive and diligently managed project plan can set your business up for success from the get-go.
Phase 2 – Determine the Context, Objective and Scope
Your business is unique and your ISMS should reflect that. For this reason, it is important to determine the ‘scope’ of your ISMS. To do this, consider exactly what kind of data your organisation needs to protect. Depending on how sensitive this information is, your ISMS may extend to include the entirety of your organisation or be limited to a specific department, environment or geographical location. The scope will be determined not only by your needs, but also by the requirements of your stakeholders (employees, governments and regulatory bodies, to name a few). During this phase it is also important that you determine the organisational context, that is, all internal and external factors which have the potential to impact upon your information security. This may include (but is not necessarily limited to) your company structure, workplace culture, existing systems, current policies and protocols, etc. This evaluation will enable you to pinpoint your ISMS objectives, which will help to set a realistic and achievable project budget and timeframe.
Phase 3 – Conduct a Risk Assessment and Gap Analysis
It is a requirement of the ISO 27001 standard that your business conducts a formal risk assessment. In order to be in compliance, the process must be well planned, with all data, results and analysis meticulously documented. The first step in conducting a risk assessment is to establish the baseline security criteria. This refers to all legal, regulatory and contractual requirements (in relation to information security) your company has an obligation to meet. It is mandatory that your organisation compiles both a Statement of Applicability (SoA) and a Risk Treatment Plan (RTP), as both will need to be reviewed during the registration (certification) audit. Many businesses that lack the in-house expertise to effectively complete a formal risk assessment will often choose to hire an ISO consultant to provide guidance and ensure all requirements are being fulfilled.
Phase 4 – Implement Policies and Controls To Mitigate Risks
The risk assessment in Phase 3 will identify the gaps in your current IT infrastructure and the risks they could result in. In Phase 4, you will have to decide how you will address those risks. The SoA mentioned in the previous phase will identify and summarise the relevant ISO 27001 controls and policies, while the RTP records your organisation’s response to the risks identified during Phase 3. The ISO 27001 standard outlines four courses of action for dealing with risks:
- Modify – Minimise the possibility of the risk occurring by implementing controls
- Avoid – Prevent the risk from occurring by preventing the circumstances that would enable it
- Share – Utilise a third party to help deal with the risk, such as outsourcing your cybersecurity needs, purchasing cybersecurity insurance, etc.
- Accept – Risks may be tolerated when the cost of addressing them outweighs the damage they have the potential to cause.
The response you choose for each risk will inform which policies and controls should then be implemented.
Phase 5 – Provide Education and Training
The ISO 27001 standard shares the responsibility for cybersecurity throughout the organisation. It dictates that companies foster a culture of cybersecurity awareness by providing ongoing training for all employees. This helps to promote both good habits and personal responsibility. It also ensures that each member of your organisation fully understands the importance of data security and remains vigilant in their duties.
Phase 6 – Review and Update All Evidential Documentation
As we’ve discussed, supporting documentation of all evidence is paramount to achieving ISO 27001 certification. An auditor will need to review your records in order to verify that you’ve established the necessary ISMS processes, policies and procedures, and that they’re functioning per the ISO 27001 standard. To get an idea of how challenging this task can be, here are just SOME of the documents required:
- Scope of the ISMS (Clause 4.3)
- Information security policy (Clause 5.2)
- Information security objectives (Clause 6.2)
- Information security risk assessment process (Clause 6.1.2)
- Information security risk treatment process (Clause 6.1.3)
- The Statement of Applicability (Clause 6.1.3 d)
- Risk Treatment Plan (Clause 6.1.3 e)
- Risk Assessment Report (Clause 8.2)
- Definition of security roles and responsibilities (Clause A7.1.2)
- Inventory of assets (Clause A8.1.1)
- Acceptable use of assets (Clause A8.1.3)
- Access control policy (Clause A9.1.1)
- Operating procedures for Information Security (Clause A12.1.1)
- Incident management procedure (Clause A16.1.5)
- Business continuity strategy & procedures (Clause A17.1)
- Statutory, regulatory, and contractual requirements (Clause A18.1.1)
- Evidence of competence (Clause 7.2)
- Documented information determined by the organization as being necessary for the effectiveness of the ISMS (Clause 5.5.1)
- Operational planning and control (Clause 8.1)
- Results of the information security risk assessment (Clause 8.2)
- Results of the information security risk treatment (Clause 8.3)
- Evidence of the monitoring and measurement of results (Clause 9.1)
- A documented internal audit process (Clause 9.2)
- Evidence of the audit programs and the audit results (Clause 9.2)
- Evidence of the results of management reviews (Clause 9.3)
- Evidence of the nature of the non-conformities and any subsequent actions taken (Clause 10.1)
- Evidence of the results of any corrective actions taken (Clause 10.1.g)
While collecting and organising all of these records seems overwhelming, documentation templates and compliance automation software for ISO 27001 are available to do (most of) the hard work for you.
Phase 7 – Undergo a Certification Audit
During this phase, an external auditor will conduct a two-part audit to assess whether or not your ISMS is in accordance with the ISO 27001 requirements.
Stage One: ISMS Design Review
The auditor reviews your ISMS documentation to determine that all policies and procedures are compliant with clauses 4-10 of the ISO 27001 ISMS requirements. Any areas of nonconformity and/or potential improvement will also be identified. Any issues must be rectified and any suggested improvements implemented prior to Stage 2’s commencement.
Stage Two: Certification Audit
The auditor will thoroughly assess your business processes and security controls against the ISO 27001 ISMS and Annex A requirements. This detailed assessment will ascertain if your organisation is in accordance with the ISO 27001 standard.
Once your organisation has passed the Stage 1 and Stage 2 audits, you’ll be issued an ISO 27001 certification that is valid for three years.
Phase 8 – Maintain Compliance
ISO 27001 necessitates continual improvement. This means that your ISMS must be constantly analysed and reviewed in order to maintain its effectiveness, as well as its compliance with the ISO 27001 standard. In addition, as your business grows, so too do the risks. As a result, it’s of the utmost importance that you take every opportunity to make improvements to the existing processes and controls. Periodic audits are key to the ongoing monitoring of your ISMS.
Surveillance audits will need to be conducted multiple times throughout your three-year certification period. The purpose of a surveillance audit is to check whether organisations are effectively maintaining their ISMS in adherence to the ISO 27001 standard. They are also done to check that all nonconformities and exceptions found during the certification audit process have been resolved.
Recertification audits are done during the final year of your certification term. An external auditor will once again assess your ISMS and determine whether you meet the requirements of ISO 27001. Once completed, another three-year ISO 27001 certification will be issued to you.
How long does it take to achieve ISO 27001 certification?
The timespan from the beginning of your ISO 27001 journey to reaching certification can depend on many different variables, such as the resources available, prior experience with the ISO 27001 standard, size and complexity of the ISMS, level of involvement from management, etc. Generally, most small to mid-size businesses achieve certification within 12 months. Any attempts to rush or shortcut the process often result in a sloppy ISMS that does not pass the certification audit, becoming a drain on your time and money until all issues are resolved. It should be noted that auditors look for at least two to three months of documented evidence that speaks to the maturity of your system. So once you get your ISMS up and running you should allow that window of time before seeking certification. Hiring an ISO 27001 consultant can significantly shorten this timeframe, as they have all the tools and knowledge needed to fast-track your success.
How much does ISO 27001 certification cost?
Unfortunately, there is no standardised cost for ISO 27001 certification. The overall cost can differ depending on the specifics of your business and the resources you’re willing to devote to completing this project. In trying to determine your overall budget, it is best to break down the costs into two categories:
- The costs of setting up the ISMS
- The costs of getting externally certified
The Costs of Setting up the ISMS
Setting up an ISMS that is compliant with ISO 27001 can either be done in-house or with the help of a consultant. While going it alone may seem like the cost-effective option, in many cases it can prolong the process and haemorrhage your finances. Fees and costs can also vary drastically between providers. However, in most cases, the main factors in determining the cost are:
- The size of your organisation
- Number of sites
- The level of risk
- The level of any pre-existing ISMS
- The level of involvement your company has in setting up the ISMS
Something worth considering is that, while the initial setting up of an ISMS can be a costly investment, the integration of any subsequent systems will cost significantly less.
The Costs of Getting Externally Certified
In order to achieve ISO 27001 certification, an accredited third-party body must conduct an audit, so this cost must also be accounted for. In Australia, certification of a single standard generally costs between $3000 and $5000 annually. Furthermore, it’s important to view ISO as an ongoing investment, factoring in the periodic audits and re-certifications.