Undertaking certification against ISO27001 Information Security Management Systems

So you’re considering becoming certified against ISO27001:2013, Information Security Management Systems? Congratulations!

This post covers:
  • How technical the standard is
  • Where you should start
  • What documents you’ll need
  • What the overall certification journey includes

What is ISO27001:2013?

Firstly, ISO is the International Organization for Standardization, an independent, non-governmental organisation with a membership of 165 national standards bodies. (Despite appearances, ‘ISO’ is not an acronym: the short form comes from the Greek ‘isos’, meaning equal, so the name is the same in every language.) Together the members share expert knowledge to develop voluntary, consensus-based, market-relevant international standards. ISO27001:2013, published jointly with the IEC as ISO/IEC 27001:2013, is just one of those standards.

Why bother with ISO27001?

Like other ISO management system standards, certification to ISO27001 is possible but definitely not a requirement (unless one of your stakeholders says it is). Common reasons to certify include:

  • Satisfying the request of a client or group of clients
  • Improving the marketability of your business and appealing to a wider market
  • Formalising and improving your overall business security posture

How technical is the standard?

The standard aims to assist in taking a risk-based approach to building a systematic and comprehensive management system for information security. The keywords here are ‘management system’. It’s not completely technical and, although it would help, you don’t need to be a tech geek to work through this standard to build your own.

Where to start?

At some point, you’ll also need to grab yourself a copy of the actual standard. Buy it from ISO or your national standards body; expect to pay roughly AUD$200. Unofficial copies circulating online may be out of date or altered, and your auditor will hold you to the published text, so make sure you are working from the edition your certification body audits against (the 2013 edition has since been superseded by ISO/IEC 27001:2022).

What documents form the overall system?

I’d take a guess that you’re not an expert at these security things and that you’re either managing this process solo or part of a small team. The hardest and most lengthy part of the process is documenting what your organisation is probably already doing. At a minimum you’ll want:

  • Risk Register (information security related)
  • Information Security Policy
  • Access Control Policy
  • Acceptable Use Policy
  • Secure Development Policy
  • Incident and Corrective Actions Register

Note that the standard itself also requires a documented ISMS scope (clause 4.3), a risk assessment and risk treatment process (clauses 6.1.2 and 6.1.3) and a Statement of Applicability listing which Annex A controls you apply and why (clause 6.1.3 d). Auditors look for these first, so don’t leave them until the end.

What is the certification journey/process?

  1. Get yourself a copy of the standard
  2. Conduct a self-audit against the standard
  3. Build your overall management system
  4. Conduct an Internal Audit (as per clause 9.2)
  5. Induct all current employees into the system
  6. Conduct a Management Review (as per clause 9.3)
  7. Engage with an auditor
  8. Undertake a Stage 1 audit (a review of your documentation and readiness)
  9. Correct any non-conformances
  10. Undertake a Stage 2 certification audit (an assessment of whether the system is implemented and effective)
  11. 🍾 🙌 🎉 Revel in your successes 🍾 🙌 🎉
  12. Maintain compliance and the integrity of your system

Is it worth it?

Totally! The conversation has completely changed throughout our organisation. More people are information security-aware and are on the lookout for potential threats and vulnerabilities. After all is said and done, it’s our clients who benefit the most from the entire process.
