The Super Bowl may be the marquee event of every National Football League season, but talk to any of the players who have participated in these championships. They'll tell you that these annual games actually represent the culmination of long hours spent training and planning for The Moment.
The same is true for ISO 27001, which generally entails one of the more labor-intensive preparation periods in compliance.
And while it would be nice for football professionals to skip to just playing (and winning) in a Super Bowl without all those diligent prep efforts, they can’t. It’s a whole process to even get to that pinnacle opportunity, and the same goes for you and your potential ISO 27001 certification.
As an accredited ISO Certification Body, we’ll be upfront: building your ISMS isn’t quick or easy, and it’ll require a hefty investment from you.
But in this article, we will provide you with a baseline to get started on this extensive “game planning” period that absolutely must precede the Super Bowl that is your ISO 27001 certification process.
With this understanding, you’ll have a solid starting list of to-dos that will help you map out further construction of your own ISMS.
How to Build Your ISMS
We can tell you at least this: building an ISMS is different for everyone. Things like your available resources, your established controls, and other variables will come into play, but to be safe, you should plan a generous timeline for getting everything up to standard.
“Plan” is the keyword.
Just as the road to a Super Bowl may take months or even years, a lot of time spent during the ISO 27001 process is on the planning and preparation ahead of the actual audit. Before your certification body even steps in the room, you need to get your required ISMS implemented and operational, and like we mentioned before, that’s not quick or easy.
While this list does not include every single requirement you’ll need to satisfy, we can at least help you get started. Here are 13 things you can do that will ultimately help you construct a compliant ISMS.
1. Develop an ISO 27001 Working Team and Secure Support from Leadership.
That will mean defining relevant roles and responsibilities and obtaining buy-in from top management. ISO 27001 certification is cyclical in a way that will require a constant commitment that isn’t possible without devoted resources and support that goes all the way up.
2. Design and Build Out Your ISMS, Including Determining its Scope.
ISO 27001 lays out the requirements your ISMS must satisfy in clauses 4-10. Scoping guidance can be found in clause 4, and we break down those requirements in our article here.
ISO 27001 takes a holistic approach to information security, so your ISMS will encompass more than just the hardware, software, and people used to protect your sensitive information–you have to follow a set of rules that govern how you use it too, including how you store and retrieve it, how you assess and mitigate risks, and how you avoid stagnation in your data security through continuous improvement.
3. Perform a Gap Assessment.
As you review the ISO 27001 requirements against what you already have in place, a gap assessment can help you find definitive areas to shore up.
4. Define and Communicate an Information Security Policy.
This information security policy helps ensure relevant objectives and requirements can be met. This policy must:
- Be compatible with your strategic direction as an organization;
- Include information security objectives or provide the framework for setting objectives; and
- Include a commitment to continual improvement—this is why buy-in from top management is critical.
But it’s not enough to just establish something—you must also communicate it to both internal and external interested parties. After all, there’s no value in policies or procedures if no one is aware of them. But if in-scope personnel understand the information security policy, their contributions to its effectiveness, and the implications of not conforming with ISMS requirements, your organization will be that much better served (and compliant).
5. Define Information Security Objectives.
You also must define how you plan to achieve them. These objectives should be tailored to your organization based upon the scope and boundaries of your ISMS and your needs, but here’s a quick list of common starting points. You might want to protect the:
- Availability; and
- Privacy of assets within the scope of your ISMS.
As for planning how to achieve them, ensure you define the following for each of your information security objectives:
- What will be done;
- What resources will be required;
- Who will be responsible;
- When it will be completed; and
- How the results will be evaluated.
6. Establish Resources and Determine Competencies.
Ensure you have the appropriate resources in place to support your ISMS, including proper resource allocation and defined competencies, which are critical to the successful implementation of your ISMS. It is important to determine these necessary competencies—e.g., education, training, experience—and create a process for properly vetting potential employees as part of onboarding, as well as for acquiring the necessary competencies on the job.
7. Implement a Formal Risk Management Program.
This is an ISO 27001 requirement—one that will help ensure that your ISMS can achieve its intended outcome(s), prevent and mitigate undesired effects, and continuously improve. Perform a risk assessment against the scope established by your organization with consideration of the internal and external issues and interested parties/their requirements that impact the ISMS.
This is why the definition of your scope is so important – it directly impacts all downstream activities within your ISMS.
8. Design and Implement Further Controls.
The results of that assessment will help you identify risks to your organization and determine the appropriate course of action.
Then, determine the appropriate method(s) for risk treatment—e.g., acceptance, avoidance, mitigation, transfer, etc. From there, you can establish the control(s) necessary to mitigate each risk to an acceptable level. Those results will become the foundation of your statement of applicability (SOA).
Your SOA should include the ISO 27001 Annex A controls that apply to your organization, along with a corresponding justification for inclusion or exclusion and whether or not they are implemented.
Work from the risk assessment results first to ensure those necessary controls are all captured, but you should also mark applicable any other controls that serve other organizational needs and requirements—things like best practice, legal requirements, contractual obligations, etc.
Make sure you get it all because your SOA will play a big part during the Stage 2 review of your initial certification.
9. Document Everything.
ISO 27001 requires documentation, and that includes your:
- Procedures; and
- Records, as they all relate to information security.
This is arguably the most arduous part of the preparation process, but down the road, it’ll help to have everything written down—even beyond your audit activities.
10. Define Measurements to Evaluate and Monitor the Effectiveness of Your ISMS and Achievement of Your Information Security Objectives.
At this point, you’ve established your ISMS and defined relevant information security objectives and requirements – the next step is evaluating and monitoring the effectiveness and performance of your ISMS against these defined objectives and requirements. Think key performance indicators, targets, and tangible metrics.
What to Do After You’ve Established Your ISMS: 3 (Bonus) Steps
1. Conduct an Internal Audit.
This will help you determine whether or not you meet the requirements of the ISO 27001 standard. The goal here is to identify areas of nonconformance and opportunities for improvement—the exact things your auditor will be looking for, only the stakes will be much higher when they’re involved.
2. Conduct Management Review.
Management should review your ISMS at planned intervals to help ensure its continued suitability, adequacy, and effectiveness. This kind of management commitment to the ISMS will give you the opportunity to make changes based on their review.
3. Monitor What You’ve Got, Refine It, and Remediate Problems As Necessary.
This step is easy to skip, but you shouldn’t.
Taking this time ahead of your initial certification will ensure you’ll be able to fix anything you need to, including significant problems that—if missed—could cause you to fail your review.
This doesn’t stop at your initial certification – the ongoing correction of nonconformities and the implementation of continual improvement activities are imperative to successfully maintaining your ISMS.
Deciding on An ISO 27001 Certification
As extensive as it seems, we can’t overstate how critical this pre-audit period is. We can’t tell you for certain how long it’ll take you to reach your Super Bowl of certification, but one thing we can tell you is that diving straight into ISO 27001 is rare.
Thanks to the ramp-up time you’ll need to accommodate the comprehensive nature of the requirements, this is one compliance effort that usually cannot be done if you’ve got a short turnaround looming or if your resources are not yet in place.
At this point, you may be dubious about pressing forward with this particular compliance initiative, and that’s completely fair. While ISO 27001 certification would afford you many benefits, you might also like to consider the alternative of a SOC 2 examination, which oftentimes can be turned around quicker.
Plus, there are some overlapping controls with ISO 27001, and SOC 2 is also a widely accepted and popular information security standard. Read more about it here:
But, if you’re set on becoming ISO 27001 certified, you’re likely to have more questions about how the specific variables at your organization will affect your process. Reach out to us so we can help you further shape what your ISO 27001 experience could look like.
About the Author: Kristin Hric