Blog

A Pathway to Achieve ISMS Cert

  • Sep 6, 2022, 1:04:40 PM
  • 769 Times

How to get ready to achieve ISO/IEC 27001:2013 (ISMS) Certification – Step by step guidance

Getting ISMS certification helps you to not only improve your cyber resilience but it creates credibility for your organisation and provides you with a significant advantage against your competitors

 

Introduction

Implementing an ISMS, using its systematic approach, helps you identify, manage and mitigate threats to your companies information. Having an ISO/IEC 27001 certification has many benefits to organisations. Firstly, it improves your cyber resilience, it creates credibility for your organisation and provides you with a significant advantage against your competitors.

Below are the important steps to prepare for getting ready for one of the most popular cybersecurity standards, ISO/IEC 27001:2013.

1) Preparation 

This is a significant change in your organisation so senior managers should get prepared for whole process. Without having their full support, it’s will not be a successful project at all. After securing the management support, a champion should be appointed to manage the whole process and he/she should be familiar with this standard to oversee and plan this project.
The first step is to conduct a gap analysis, which comprises a comprehensive review of all existing information security arrangements against the requirements of ISO/IEC 27001:2013. This can be done by the champion, a lead auditor, or using Rezilens GRC tool.

Through this step followings should be developed: 1) a prioritised plan of recommended actions and 2) a guidance for scoping your ISMS, which Rezilens GRC can provide you with such a plan through using Artificial Intelligence. 
At the end of this step, a reliable and strong business case for ISO 27001 implementation, should be prepared to share with project stakeholders. 

2) ISMS context, scope, and objectives

After the previous step now it’s time to define objectives as well as project costs and timeframe. To do so you should decide whether you need to consider using external support from a consultancy or have the required in-house expertise. However, Rezilens GRC tool makes this decision much easier and affordable. 
The scope of the ISMS is another critical decision which may extend to the entire organisation, only a specific department, geographical location, or a software. To define the scope the context of organisation plays a significant role as well as requirements of interested parties (stakeholders, employees, government, regulators, etc.).

3) A management framework

In general, a management framework describes the processes which need to be followed and this is required for implementing your ISMS project. This framework should address the required processes from asserting accountability of the ISMS, RACI matrix, roles and responsibilities, activities’ schedule, and regular auditing process.

4) Risk Management 

The risk management a major part of ISMS project by which the risk assessment process and risk treatment should be addressed. ISO27001 does not have a risk management methodology, and this will be your responsibility to adopt or develop an appropriate risk management methodology.
Before conducting a risk assessment, a security baseline should be defined to address the operational, legal, regulatory requirements, and contractual obligations related to information security. 
The asset risk register and the associated threat and vulnerability assessment is an important part of this process by which the required controls are selected to manage the recognised risk. 

5) Statement of applicability (SOA) 

Once the relevant risks have been identified against their respective assets, the risk treatment strategy must be selected from followings: Ignore, Accept, Transfer, Mitigate. This process will be to develop a document which called “Statement of Applicability”, by which you justify which one of ISMS controls (out of 114) you have chosen to manage your risk. This is a mandatory document which will play a key role during your external audit.  

6) Controls implementation and Training

Once you decided which controls are required, based on SOA, it’s time to start developing and then implementing those controls such as Password or Access Control policy. Also, the standard requires that staff awareness programs be initiated to raise awareness about information security throughout the organisation.
In this step you must make sure that you have implemented all required controls and provide the right resources to make them effective.  

7) Documentation

Documentation is required to support the necessary ISMS processes, policies, and procedures. At a minimum, the Standard requires the following documentation:

  • The ISMS scope 
  • Information security policy
  • Information security risk assessment process and results 
  • Information security risk treatment process and results 
  • The Statement of Applicability
  • Information security objectives
  • Evidence of competence
  • Operational planning and control
  • Evidence of the monitoring and measurement of results
  • A documented internal audit process
  • Evidence of the audit programs and the audit results
  • Evidence of the results of management reviews
  • Evidence of the nature of the non-conformities and any subsequent actions taken
  • Evidence of the results of any corrective actions taken

8) Monitor and control

After implementing the selected control and managing training programs, you should have a process to support your continues improvement. This means that the performance of the ISMS must be constantly monitored and reviewed for effectiveness and compliance purposes.

9) Conduct an internal audit

One of the ISO/IEC 27001:2013 requirement is a planned internal audit which should be managed in a regular manner. To apply for the certification, you must have this audit plan, measures, KPIs as well as at least a conducted audit report. Also, you must manage numbers of corrective actions as the outcome of the audit report to prove as an evidence to the external auditor. 

10) Registration for certification audits

Once you found a certification body, such as BSI, you should get in touch with them to prepare for the Stage One audit, in which the auditor assesses whether your documentation meets the requirements of ISO 27001 or not. Also, the area of nonconformity and potential improvement of the management system will be provided at the end of this stage. Once any required changes have been made, you will be ready for your Stage 2 registration audit which is also called “Certification audit”.
During this audit, the auditor conducts a thorough assessment to establish whether you comply with the ISO 27001 standard, and it provide a positive report if he/she is satisfied. 
Depend on the size of the company and the complexity of environment, the whole process can take between 6-12 for a mid-sized organisation to get the certification, but it can vary. 
Rezilens GRC tool can help you to expedite the whole process and gives you a transparency across the organisation. It also could give you great features to engage your team, seamlessly. 

Rezilens has collectively more than 40 years of experience in cybersecurity and implementing information security standards such as ISO 27001. We have not only developed an automated GRC tool to enable our clients to manage the whole process of being certified, but we have valuable resources, ISO27001 lead auditors and implementors, to assist you for these types of journeys.

Please contact us for further assistance.