ISO 27001 registration/certification in 10 easy steps
Becoming certified to ISO 27001 is a data security best practice for any business, regardless of its size, and it can also lead to significant cost savings. The international standard sets out how an information security management system (ISMS) is planned, implemented, monitored and improved. The steps below are the ones you need to follow to get certified.
1. First, get an understanding of ISO 27001 by reading the standard. This gives you the background knowledge and a clear picture of the requirements it imposes. Useful starting points:
You can read a free white paper about the standard.
Free introductory material about ISO 27001 gives insight into how to get started.
You can purchase a copy of the standard.
You can attend an online introductory class on ISO 27001.
You should also appoint an ISO 27001 expert with solid experience of information security management systems to bring that knowledge in-house.
2. Establish the context, scope and objectives. This pins down what the project is meant to achieve, together with its cost and the time frame required, and it gives you a basis for keeping control over the entire project.
3. Establish a management framework that describes the processes the organisation needs to follow to meet the objectives of ISO 27001.
4. Conduct a risk assessment. The standard requires that the assessment process is planned and that all the data, analysis and results are recorded. Before conducting the risk assessment, a baseline of security criteria must be established: the organisation's regulatory requirements, including its business, legal and contractual obligations, as they relate to information security.
5. Implement controls to mitigate the risks. Once a risk has been identified, the organisation must decide whether to mitigate it with controls, tolerate it, terminate it or transfer it. Document every risk decision, because the auditor will want to see it.
6. The standard requires a staff awareness programme to raise awareness of information security throughout the organisation. Some working practices will need to change for all employees, such as a clean desk policy and locking computers when leaving the workstation.
7. Review and update the required documentation. Documentation is needed to support the ISMS processes and policies. The standard requires at least the following documented information (clause references are to ISO/IEC 27001:2013):
4.3 The scope of the ISMS
5.2 Information security policy
6.1.2 Information security risk assessment process
6.1.3 Information security risk treatment process
6.1.3 d) The Statement of Applicability
6.2 Information security objectives
7.2 d) Evidence of competence
7.5.1 b) Documented information determined by the organization as being necessary for the effectiveness of the ISMS
8.1 Operational planning and control
8.2 Results of the information security risk assessment
8.3 Results of the information security risk treatment
9.1 Evidence of the monitoring and measurement of results
9.2 A documented internal audit process
9.2 g) Evidence of the audit programmes and the audit results
9.3 Evidence of the results of management reviews
10.1 f) Evidence of the nature of the nonconformities and any subsequent actions taken
10.1 g) Evidence of the results of any corrective actions taken
8. Measure, monitor and review the ISMS to support continual improvement. Constant analysis and review of ISMS performance is necessary to identify improvements to existing processes and controls.
9. ISO/IEC 27001:2013 requires internal audits of the ISMS at planned intervals. The manager responsible should have practical working knowledge of the lead audit process for implementing and maintaining ISO 27001 compliance. Many online lead auditor courses teach how to plan and execute an effective information security audit in line with ISO 27001.
10. Finally come the registration or certification audits. These first verify whether your documentation meets the requirements of the ISO 27001 standard. Once the organisation has made all the required changes, it is ready for the stage 2 registration audit, in which the auditor assesses the ISMS and establishes your compliance.