The Journey to ISO 27001 (Part 2)

by [Published on 28 Aug. 2013 / Last Updated on 28 Aug. 2013]

This article continues with the introduction to ISO 27001.

If you would like to read the next part in this article series please go to The Journey to ISO 27001 (Part 1).

Introduction

Many organisations have realised the value of achieving the ISO 27001 accreditation. Several of the disciplines described in the certification and methodologies that should be adopted to achieve this accreditation help in keeping companies secure. In this second article we explore in more detail what the certification is about and in following articles we will cover security strategies to help achieve and maintain the certification. 

Step 6: Develop an ISMS implementation program

The gap analysis and risk assessment should have highlighted problem areas. For each risk identified appropriate controls must be set to manage the risk.

Put together an easy to read concise guide explaining the process for ISO 27001 certification for the team to follow.

Be sure to include time requirements, milestones to be reached, time for allocated pre assessment and audits.

Step 7:Training and ISMS implementation

Before implementation it is beneficial to ensure employees understand the ISO 27001 process and its benefits to the company and its clients. Conduct easy to understand training to employees focusing on the role of the employee for successful implementation.

With the risk assessment undertaken, employees briefed, scope and documentation ready, the new processes can now be implemented.

Once implementation has taken place it would be beneficial to undertake the following to ensure all has gone as planned:

  • Assessment of the ISMS and gathering evidence to review (get everyone involved)
  • Revise processes where evidence shows discrepancies or isn’t working
  • Communicate to employees about the revised processes

Step 8: Post documentation and implementation mandatory tasks

After concluding ISMS documentation and implementation the following mandatory actions need to be undertaken:

  • Internal audit
  • Management review
  • Corrective and preventative actions

Internal ISO 27001 Audits

An internal audit is necessary to assess whether the ISMS is working properly. The audit should include assessing documentation, processes and controls in place and highlight areas in need of improvement. Internal audits are crucial to discover mistakes in the system that otherwise will remain hidden and hinder improvement. The auditor should be independent and qualified with experience in the relevant fields being audited.

Management review

The management review should include all the facts regarding the information security and use the information gained to make informed decisions whether corrective measures need to be taken or if any preventative measures could be beneficial.

Corrective and preventative actions

Once the internal audit and management review has taken place, corrective measures must be undertaken to rectify any snags detected within the security system .All corrective measures must be documented.

Step 9: Certification process

The certification process comprises of two audits. The first is the ‘documentation review’, where the auditor checks if your documentation is compliant with ISO 27001. If successful the audit to follow, the ‘main audit’, allows the auditor to make a comparison of all the activities you perform with both the ISO 27001 and your own documentation to see whether they comply.

Stage one: Documentation Review

The chosen certification body will carry out the audit. The initial audit is an assessment of the documented ISMS. The auditor will determine whether your documentation meets the requirements of the ISO 27001 standard. If the documentation does not meet the standard the company will be advised of the shortfalls. The company will have to rectify any problem areas before a reassessment can take place. If the auditor is satisfied that the documentation meets the standard entirely they will arrange to move on to the second stage audit.

Stage two: Main Audit or conformance assessment

The auditor will assess whether the ISMS conforms to the company’s own documented ISMS and that it has been implemented as stated in the documentation. If the auditor finds errors within the implementation of the ISMS the organisation will need to take corrective action before another audit can be taken. If the auditor is satisfied with his findings you will be granted ISO 27001 certification.

Step 10: Maintaining your ISO 27001 Certification

Post certification

Once you’ve been certified, the journey does not end. It’s important that the company reviews, monitors and maintains the ISMS routinely. The ISO 27001 should be treated as an integral component of the organisation and not as a one-off exercise. The way I normally advise our customers is that this certification is a living certification that needs to be maintained and reviewed often, so many organisations certify and then let the whole system go to ruin because of poor maintenance and focus. If you know beforehand that it’s a commitment going in then hopefully that will prepare you for the long term focus.

After certification the company will undergo surveillance audits annually to ensure that the ISMS continue to conform to the requirements of the standard. Every three years after certification a full assessment of the ISMS will be carried out to decide whether the company has maintained the ISMS and is able to retain their certification.

The continual security management should comprise the following:

  • Review of policies and procedures (administrative controls)
  • Review of firewalls policies (administrative controls and technical controls)
  • Keep staff educated and informed (administrative controls included on this is security awareness training which is an area that is often overlooked or ignored)
  • Regular risk assessments through monitoring (penetration testing, scanning of networks, etc.)
  • Monitoring of access control (technical controls, again monitoring is an area that most organisations are weak in, they might have a monitoring solution or SIEM but if anyone is looking at it or not is a different story. My view is if no one is looking at the monitoring or logging results, then the system is not being effectively monitored!)
  • Threat and patch management (believe it or not this is an area that many organisations still fail at, in this day and age this is unforgivable in the security fraternity.)
  • Data leakage controls and management (a growing area of focus especially in the US and Europe because of compliance and regulation)
  • Encryption (a growing area of focus especially in the US and Europe because of compliance and regulation)
  • Back ups (the most basic principle of computing and probably the one with the least investment and focus, in this day and age even with the cloud around this is even more important!)

The process summarised

Inputs

Procedures   to undertake

What   to Deliver

 

A   Decision is taken to implement ISO27001

 

 

Managements approval obtained

 

 

Project team procured and responsibilities assigned

 

 

Information security policy defined

Security policy documentation delivered

 

Define the ISMS scope

ISMS scope documentation delivered

Identify possible threats and vulnerabilities and there impact on the organisation

Perform Gap analysis/risk assessment

Compile documentation for the risk assessment performed

Assess the existing company approach to potential risk

Put controls in place to manage the risks identified

Document controls and procedures to counter risk and a document who should be held accountable

Inputs

Procedures to undertake

What to delivered

Evaluate required controls needed for ISO27001 certification

Select relevant controls to be implemented

Develop an implementation program and Document the controls to be implemented

 

Internal audit and management review

Document any problem areas. Retain documentation from internal audit and management review

 

Take corrective actions

Document corrective procedures and preventative controls

 

Stage one audit (document review)

If successful prepare for stage two audit, if not take corrective actions before second audit and document actions taken

 

Stage two audit (main audit)

If successful receive certification

 

Review, monitor and maintain the ISMS post certification

 

 Table 1

Conclusion

The journey to ISO 27001 certification is a lengthy process but one definitely worthwhile taking. Once the certification is achieved the journey does not come to an end as continuous maintenance will need to be undertaken to avoid suspension and ensure that you keep hold of the certification and continue to reap the benefits afforded by the certification for the months and years ahead. Look out for more articles on the ISO 27000 series journey that many are on in an effort to improve their security posture.

If you would like to read the next part in this article series please go to The Journey to ISO 27001 (Part 1).

The Author — Ricky M. Magalhaes

Ricky M. Magalhaes avatar

Ricky M Magalhaes is an International Information Security architect, working with a myriad of high profile organizations. Ricky has over 16 years of experience in the security arena covering all ten domains including best practice and compliance. Ricky is a strategist on security and innovating creative ways to achieve compliance and mitigate risk, to many blue chip entities and forms part of the advisory boards to many organisations worldwide.

Latest Contributions

Featured Links