The Journey to ISO27001 Certification
20th November 2019
There are many reasons why an organisation may want to implement an effective Information Security Management System (ISMS), and the vast majority choose to proceed to have this independently assessed for ISO27001 certification to give their stakeholders, customers and employees confidence in their approach. This evidence demonstrates a responsible approach to information security, which is important for customer confidence and legislative compliance, and also helps to keep the organisation safe from the ever-increasing range of cyber threats.
Whilst some organisations will complete their ISMS implementation and certification project entirely through internal resources, this is unusual as there are some great methodologies, tools and resources available. These can help increase the chances of improving cyber resilience and certification success. It is important to understand that time and effort will be involved to develop the “information security culture” that is required to achieve ISO27001. That’s why we’ve created an ISO27001 checklist to help your organisation to adapt.
The steps an organisation needs to take to change its culture:
- Senior management needs to be committed to the project, and the achievement of its objectives.
- Appropriate resources (and time) need to be allocated to the project, including any training needed to deliver project tasks and an understanding of the security needs of the organisation’s interested parties – customers, partners, regulators etc.
- Creation of required information security documentation and records – clear and concise policies, procedures and work instructions need to be produced.
- Implement an effective approach to risk management to identify the organisation’s assets and assess their levels of risk from vulnerabilities and threats.
- Implement an effective approach to risk treatment, to implement security controls to manage risks which have been identified.
- Plan and deliver effective information security education, awareness and communications.
- Select an external assessment organisation, and understand the specifics of their approach.
- Complete an external audit: Gap Analysis, Stage 1 Assessment (management framework), Stage 2 Assessment (implementation activities).
- Continue post-certification activities: ongoing internal audits, risk management, training programmes etc.
How long and how much?
Most organisations will typically take between 9 and 12 months from project inception to the completion of certification activities. This is only a guide, however. It will vary depending on the complexity of the business, the number of employees and the amount of resources and time that has been assigned to complete the project.
So how much will this cost? That depends on the cost of the organisation’s labour resource, the use of external specialists, expenditure on implementing controls, fixing risks, undertaking technical tests and the certification process itself. Most credible UKAS audit companies will charge in the region of £5,000 (GBP) for initial certification, plus an ongoing day rate for surveillance audits each year. This is neither a quick nor a cheap activity to undertake, but the value of the benefits of customer confidence and business resilience is widely acknowledged as far outweighing the cost of achieving an ISO27001 certificate.
InfoSaaS can support you through the whole process
We’ve been implementing successfully certified information security management systems for over twenty years. Our experience over that time has allowed us to develop and deliver a variety of resources, which continue to support successful ISO27001 certification projects to this day. It’s also why many of our new customers are pleased to have been referred by those we already work with. Our “Eight Steps to ISO27001 Certification” below provides a graphical overview of the different steps involved in the implementation and certification process.
Eight Steps to ISO27001 Certification
Get a head start …
… with our extensive competitively priced documentation packs, which provide a solid foundation for customising to meet your organisation’s specific information security and risk management requirements. Be wary of suppliers who may claim that they can write documentation without taking time to understand the nature of your business, or those who may have pre-prepared documentation that is claimed to be fit for all purposes.
It’s embarrassing and time consuming to find out that your ISMS documentation is not meeting the mandatory requirements of ISO27001 during the certification phase. If you require support in customising InfoSaaS documentation please get in touch – we have a number of experienced and friendly partners who would be pleased to assist you.
Confident risk management
The main elements of the ISO27001 standard are to implement approaches to the management and delivery of effective systems for the identification, management and treatment of risks – both to information assets (data) and any supporting assets upon which they rely for their security (e.g. premises, hardware, software etc). That’s why we developed InfoSaaS, which has at its core our proven risk management methodology and workflows.
Achieve and maintain certification with InfoSaaS
Already deployed in many countries around the world and with a healthy portfolio of successful customer certifications to its name, InfoSaaS provides an intuitive and user-friendly means of complying with Sections 6.1.2/8.2 (Information Security Risk Assessment) and 6.1.3/8.3 (Information Security Risk Treatment) of the standard (as well as many others!). The best means of seeing InfoSaaS in action is to explore our demonstration environment, or ask us for a guided tour. We also have training materials available to help you and your colleagues become familiar with the many features of InfoSaaS quickly and easily.
If you would like a helping hand with setting up or using InfoSaaS, our experienced network of partners (in the UK, North America and Australia) would be pleased to discuss your requirements with you. InfoSaaS systems have formed the cornerstone of successful audits undertaken by some of the world’s largest and most credible certification organisations. As a Gold-level Consultant of the assessment company Lloyd’s Register, we are pleased to recommend their certification services, and we can also provide discounts for LR ISO27001 training for you or your colleagues.
The journey towards ISO27001 does not need to be daunting. Our advice is always free, and our services are here to help you when you need them.