6 Steps to get ISO 27000

Getting certified for ISO 27001 certification is not necessarily complicated or super expensive. It needs time, effort and support of senior manager(s). You also need attention to details and proper documentation and forms.

Step 0. Decision

Senior manager(s) need to be behind the decision for ISO 27000 implementation and support it in each and every step.

Step 1. Defining Scope of Implementation

Scope of implementation should be defined as well as the operational and functional boundaries.

Step 2. Documentation

Like ISO 9000, ISO 27000 needs comprehensive documentation in order to address all applicable millstones and administrative, technical, and physical controls/safeguards. These documents will be used to check weather or not the organization meets ISO 27000 requirements. These documents would be a policy (or set of policies), and its related documented procedures and guidelines to ensure the business is adhering to ISO requirements in an efficient and achievable way. ISO 27002 standard would be a huge help to prepare such documentation but in is not necessary to select the controls/safeguards from ISO 27002 text.

At least 15 different documents are required for ISO/IEC 27001:2013:

• Scope of ISMS (item 4.3, Page 1)
• Policy (item 5.2, Page 2)
• IS Risk Assessment process (item 6.1.2, Page 3)
• IS Risk Treatment process (item 6.1.3, Page 4)
• IS Objectives (item 6.2, Page 5)
• Evidence of the competence of the people doing work on IS (item 7.2, Page 5)
• Other documents deemed necessary by the organization for ISMS (item 7.5.1b, Page 6)
• Operational Planning and Control Documents (item 8.1, Page 7)
• Results of IS Risk Assessments (item 8.2, Page 7)
• Results of IS Risk Treatment (item 8.3, Page 7)
• Documented information as evidence of the monitoring and measurement results (item 9.1, Page 7)
• Internal audit program plus audit results (item 9.2, Page 8)
• Documented information as evidence of top management review (item 9.3, Page 8)
• Evidence of nonconformities identified, actions taken and the results (item 10.1, Page 9)
• Other documentations might be needed: A policy about rules for acceptable use of assets (use policy), access control policy, operating procedures, confidentiality and nondisclosure agreements, secure system principles, information security policy for supplier relationships or vendors, information security incident response procedures, regulations and contractual obligations, associated compliance procedures, and information security continuity plan.

Auditors will check that above-mentioned documentation are present, up-to-date and fit to ISMS scope which is defined in step 1

Step 3. Realization

By applying Gap Analysis, comparison of actual performance with desired performance and documentation, it is time to make sure that the company is following all procedures and guidelines. We'd better conduct a pre-assessment in order to make sure that the organization is on the right track. Pre-assessment can be conducted by using pre-assessments forms, gathering of evidences and filling checklists. Another key to have a successful realization step is to communicate with all employees about the processes in place and the need to adopt them fully and report back on all discrepancies.

Step 4. Internal Audit

An experienced (or certified) internal or external auditor is needed for this step. Some audit tools like forms and checklists are needed for such a job.

Step 5. Certification Audit

ISO does not perform certification for ISO 27001. Certification companies like SGS, TÜV Rheinland or BSI can do the audit and issue the certificate for you. The certificates are usually good for 3 years.

Step 6. Maintaining the certification

In order to maintain the ISMS working, the organization should integrate it into daily operations. Continual improvement and change management are other essential parts of this ongoing step.