Follow the path laid out by Sam Peters, our Head of Products and Services, for a straightforward journey to certification success.
Always start with a plan
The ISO 27001 certification process can be quite complex and challenging. You’ve got to keep a lot of plates spinning. So before you start out you need an implementation plan to take you through it all. Ask yourself questions like: How do we implement ISO 27001? What do we need to think about at each stage of the audit process? What will our workload be, and by when do we want to be certified? You should have a good idea of what you want and need to achieve before, during and even after certification.
Treat it as a business improvement exercise
There’s a lot to take in with ISO 27001. Seeing it as a business improvement exercise, rather than just ticking lots of boxes, will help you absorb it and engage with it. It can help you create business processes and approaches in more structured, thoughtful ways. We’ve seen massive improvements in our own business from doing that. You won’t get as much out of it if your approach is: ‘I’m only doing this to meet the requirements of the standard’.
Bring your organisation along with you
Everyone needs to understand and follow your infosec policies and controls. Your organisation’s people will be its biggest security strength, but only if you equip them with everything they need to be competent and capable. And you need leadership buy-in: it’s a key part of the standard. In fact, it’s an audited part of the standard.
So your policies and controls can’t be too technical. They’ve got to tell people with no technical background what they have to do and why it’s so important. And your senior managers have to engage with it all and sign it all off. The easier you make it to follow, the more likely you are to comply, both internally and with the certification process.
Share the right information with the right people
At first we asked all staff to read through every single policy and control. That’s a lot of reading! And then you’re asking them to work out what matters to them. So over time we’ve refined that. We only ask people to read the policies and controls that are relevant to their roles. So you’re only asking people to take in what’s relevant to them, what they actually need to know and act on. I think that’s quite key. Oh, and of course they can still read the rest of it if they want to.
Remember that it’s all about risk
ISO 27001 is a risk-based standard. That’s easy to lose sight of when you’re deep in certification. So everything you do should mitigate a risk your organisation faces. Sometimes you get it the other way around and end up thinking: “I’ve got to implement this control because that’s what the standard says”. But the standard only says it because the control addresses a real risk. You’re not ticking imaginary boxes, you’re actually protecting your organisation. So starting with the risks and working back from them will often help you think about it all in a more constructive way.
Sam Peters – Head of Products and Services
One of the longest-serving members of the ISMS.online team, Sam has nearly twenty years’ experience bringing SaaS solutions to market. Prior to specialising in information security, Sam held digital roles in both the public and private sectors, working in finance, education and law enforcement. In what little spare time he has, Sam enjoys cycling and spending time with his young family.