Frequently asked questions about ISMS.online for ISO 27001:2013

If you aim to be independently certified e.g. by UKAS, you will need to show the licence for operating to ISO 27001. If you are just aiming to be compliant, not independently certified, then you don’t need to show that licence to anyone. We still recommend everyone buys at least a single user licence (this costs about £100) to ensure they are operating in a compliant fashion.

For organisations that are new to ISO 27001 we also suggest purchasing the ISO 27002:2013 guidance (also about £100), as it complements our own Virtual Coach programme.

These documents should be purchased through the official ISO store, where you will then get a watermarked licence version downloadable for your organisation’s use:

• ISO 27001:2013
• ISO 27002: 2013

In summary, our documentation and complementary tools, frameworks and methods give you a head start up to 77% progress, so you can quickly Adopt, Adapt and Add to the solution.

Unlike other documentation toolkits you might see online, our package differs as follows:

• Actionable – Where appropriate we go beyond generic descriptions of policies and controls into also providing you with the ability to demonstrate your work in practice. Every tool, framework and feature on the platform is complemented by a pragmatic policy and procedure. Living and breathing the documentation is the most important part, so it needs to be simple, actionable and easily managed. Without an easy to use technology system around it, you’ll probably get stuck with a bunch of files that are a nightmare to use, organise and control!
• Addresses Management Requirements – Other document toolkits typically focus on the Annex A controls. Given we take a business led approach to information security, we have a major focus on helping you meet the Management Requirements. ISMS.online comes with all the policies, guidance and tools needed to allow you to quickly complete that with confidence and run the business the way you want to.
• Up to 77% – not 100% – Much of your ISMS can draw from the proven practices and experiences of others, but some parts will be unique to your organisation and its desired ways of working. Other documentation providers may claim you get everything you need, but in reality you don’t, and you’ll need to change parts to make it work for you. You may also have much of the remaining 23% covered with your existing working practices (e.g. password policies), and find it’s a case of simply documenting them in ISMS.online!

We also offer guidance inside ISMS.online for all Management Requirements and Annex A areas. By following that, and ISO 27002 along with the Virtual Coach resources, you’ll have everything you need to get to 100% quickly.

From the headline area shown in the image above, you will see that any gaps focus around the more technical aspects of ISO 27001 that will be unique to your business. Many of our policies can be adopted straight out of the box. These are more likely to be those around how you manage your ISMS using the features and tools of the platform. You may feel some policies need ‘tweaking’ to reflect your own corporate style and, of course you may choose to adapt them to meet your own approach.

Find out more in our short video below…

In this example of Annex A 18.2.2, you will see we provide some tips which you can delete once you have understood them. You can also see the use of hyperlinks which are a common feature throughout the platform and reflect our holistic approach to the ISMS. This makes the auditor’s job much easier as they can navigate to relevant areas within your ISMS and can clearly access the whole ISMS in one secure place.

In this example, you can also see the small blue icon on the left indicating the Virtual Coach….that’s how simple it is to access expert help when you need it most!

Included in the Virtual Coach is an excellent ISO 27001 Preparation Project that will give you a level of understanding and context before launching into your implementation where, of course, there is further expert guidance for each of the ISO 27001 requirements and Annex A controls.

In this short excerpt from the Virtual Coach, we suggest you work through the ISO 27001 requirements from the top down, before taking a belt and braces look at the bottom (Annex A controls), up.

Simply adapt any of the policies we have written with our tools in mind (if you don’t already have your own) and then link to your tool instead of ours. Whilst we offer an ‘all in one place’ solution, we also recognise that other applications exist so you can adopt as much or as little of ISMS.online as you need for success.

There is also a comprehensive bank of common risks that you can draw down from with suggested links to Annex A controls. This can save you weeks of work when you are starting out!

However, if you have a large number of risks please get in touch to see whether we can script an import programme.

It depends! Anyone that suggests it might take just a few days to achieve ISO 27001 from a zero start point is probably misleading you, but with the right resource commitment and online solution, it could be weeks rather than months or years.

If time is of the essence then we can always help you speed that up, and by using the platform you can immediately demonstrate to your stakeholders that you are on the road to success – much more effectively than by using anything else.

The bottom line is that ISMS.online helps you get to the goal an awful lot quicker and at lower cost, with fewer specialist resources than other methods. Considerations affecting the time you need to invest include:

• Your starting point and experience around information security
• Complexity of the scope of your ISMS
• If a compliance or independent certification is required
• If you have external drivers or internal ones
• Is it the number one priority for everyone, or will you fit it in when you are not doing everything else?
• The tools and systems you use for success

If you are seeking compliance alone, then you may want to avoid some of the investments e.g. the external audits and deem yourselves compliant much more quickly. However, if your driver for achieving ISO 27001 is external e.g. to meet a customer requirement or part of GDPR assurance then you are much more likely to need independent certification so those external stakeholders can trust it!  

Having an online integrated ISMS makes everything quicker and easier to achieve but if the organisation does not treat it as a priority, then expect it to drift. We recognise that other priorities exist too, so have done the following to make your implementation as smooth and as quick as possible:

• Show progress and performance at all stages of the implementation – research shows the power of small wins motivates better outcomes more quickly
• Got you to a massive headstart with up to 77% progress that you can easily Adopt, Adapt and Add to
• Complemented ISMS.online with an always-on Virtual Coach service that is there when you need it, at any time of day or night

As a final comment, the saying ‘married in haste repent at leisure’ comes to mind too. Your biggest investment in the ISMS is going to be in its ongoing management and sustainability, especially if your goal is independent certification and a trusted, safer organisation. You need an online platform that drives down ongoing management costs and does the heavy lifting on insight, reporting, reminders and other value-add services, so you can make better decisions and limit wasteful administration.

Read our Customer Case Studies to see how we’ve helped organisations just like you achieve their goals quickly.

We do not offer certification. If certification is your goal, we recommend you obtain independent certification so your customers and other stakeholders can trust it. If you are based in the UK you can find a list of UKAS accredited organisations who are able to provide independent certification.

Equivalent certification bodies exist internationally and their sites will also offer a list of accredited auditors as well. For example, in the US it is ANSI-ASQ National Accreditation Board (ANAB).

We suggest you speak to 2 or 3 organisations on the list, looking to see how much experience they have in your sector, your size organisation and where they are based (which will affect things like expenses for onsite audits). It is important to select an external auditor who would be a suitable match for your profile otherwise you might find they are too expensive and not empathetic to your sector or size idiosyncrasies.

Be aware – There are non accredited firms that will provide organisations with a ‘certificate’, typically after having sold them a bunch of policies or consulting work first! You wouldn’t expect someone to be able to mark their own homework and have that trusted by others so please avoid these type of certificates.

They really are not worth the paper they are written on and smarter buyers (perhaps your customers) will not accept anything other than an independent certification, meaning you will have potentially wasted time and cost.

You may be seeking certification of your ISMS to the ISO 27001 standard. There are many organisations that offer a certification service.

But not all Certification Bodies are created equal!

It is possible for any unaccredited organisation that has knowledge of Information Security Management to audit your ISO 27001 and award you a certificate.

However, this will not satisfy more savvy buyers, particularly if you are engaging in business with the UK government. They will be looking for an accredited certification. In the UK, the only recognised accreditation body is United Kingdom Accreditation Service (UKAS). In the US it is ANSI-ASQ National Accreditation Board (ANAB).

If offering the assurance that you can be trusted with information security is important to you, make sure the Certification Body you choose is accredited. Lists of accredited Certification Bodies are available on the UKAS and ANAB websites as above.

We certainly take a huge amount of the legwork out of implementing ISO 27001, giving you a step-by-step method to follow and many of the requirements, policies and controls to easily Adopt, Adapt or Add. We also save you a huge amount of time versus building your own ISMS and ensure you have a simple pragmatic way to manage your ISMS on an ongoing basis.

You can even opt for our effective Virtual Coach Programme that provides expert implementation guidance, eliminating or reducing the need for expensive consultancy services. And if required we and our partners can also provide that consultancy and delivery support (less expensively of course, not least because you need much less of it!)

Paying lip service to information security is not an option for achieving a certified ISMS, so your leadership will need to ‘demonstrate’ management commitment to it (which we also make far easier with ISMS.online collaboration tools). It will also need to provide access to relevant resources in the company to ensure your policies and controls reflect the relevant culture and risk appetite.

If your organisation does not have the capacity or desire to actively manage your ISMS then using a Virtual Chief Information Security Officer (VCISO) is simple with ISMS.online. Simply ‘team’ them into your ISMS and the rest can be done remotely or at least with very infrequent onsite activity. Increasing numbers of our partners are developing VCISO services through ISMS.online so get in touch if you’d like to learn more about that.

Joking aside, we see 3 areas where consultancy help might be required:

• Confidence issues: Follow our Virtual Coach Programme and implement ISMS.online in the manner we suggest and you’ll see that confidence grow very quickly. Optionally complement the Virtual Coach with other physical support too.
• Capability issues: There are lots of acronyms, strange language and other mysterious issues that might cause you to think you are not capable. Virtual Coach and the materials inside ISMS.online will mitigate a large amount of the capability issues, and if you need further help, just get specialist help by exception from us or one of our partners.
• Capacity issues: We’ve done all we can to help save time and keep your resource investments to the ‘must do’ aspects that are unique to your organisation. If capacity is still an issue, or you perhaps want to outsource more of the implementation or ongoing support anyway our partners can help there too.

Failure is a big word, and whilst there are firms out there that will sell on fear of failure, we see hope as a better way – and that old saying of ‘failing to prepare’ rings loud for your ISMS. If you have a systemic issue e.g. complete lipservice to your ISMS policy stuck on a shelf somewhere then the failure of an audit is more likely, but there are levels of failure and you’d be going some to completely fail!

There are different types of audit and different severity levels within audits that could lead to failure of different types. Let’s just break them down a bit to understand what ‘failure’ could mean:

Internal audits – you’ll be expected to undertake internal audits through the lifecycle of your ISMS to demonstrate it conforms to the requirements and is delivering on its promise. ISO 27001: 9.2 covers that off. If you need an external audit for independent certification, not doing the audits will likely lead to a major non-conformity failure – so please do your internal audits!

As it says on the tin, these audits are internal, usually conducted by your own resource. So you also have the chance to cheat and not ‘fail’ them if you want, but cheating is not a good idea! The aim is to also treat these exercises as learning opportunities as well as celebrating success for things working well.

External Auditors will want to also see the results of your internal audits and perhaps drill into some samples. They will quickly smell a rat and dig deeper if you have no issues reported at all. You can follow the language of external auditors in your findings and talk about minor/major non-conformities, corrective actions, observations and broader improvements.

If you are using ISMS.online you’ll be able to follow our pragmatic internal audit policy, use the audit area to show your workings and link that easily to the corrective actions and improvements Track if you need to conduct more significant action post-audit.

External audits – unless you have given the right of audit to a customer, we’ll assume that your external audit is for ISO 27001 independent certification.  The external audit follows a lifecycle and includes:

• Stage 1 audit
• Stage 2 audit
• Surveillance audit
• Recertification audit  

At any stage, an auditor could ‘fail’ you in this journey, but it’s rarely a straightforward fail unless you really are missing something fundamental in your ISMS or your ISMS has not been managed very well over its life. We have helped mitigate both those factors by architecting the ISMS.online environment to help you focus on the things that matter and clearly show your progress.

Stage 1 audits are looking more at the desktop review of your ISMS, and asking some of the fundamental questions about the goals and checking that you have the right intent, scope, leadership commitment etc. They will want to be sure that your ISMS is complete in terms of the describing requirements, objectives, risks, information assets, policies and controls, statement of applicability etc.

They will want to see that your early stage activity around the ISMS is working e.g. management reviews are being undertaken, staff managing the ISMS are trained and competent.  Feedback comes in the form of a report with levels of ‘failure’ in the language of non-conformities, minor, major and more general observations. You might get a clean bill, or be asked to make a few changes before progressing. It can be scary like sitting your driving test, but remember you are in a great place to demonstrate you are in control of your ISMS.  Assuming you get through that then you go to Stage 2 audit.

Stage 2 audits are where the external auditor is testing and examining your ISMS in practice.  This includes sampling your own audits, reviews and incidents, undertaking interviews and observations with staff in scope, testing processes to see they demonstrate what was described in the ISMS policies and controls.  This is why it is so so important that you have actional policies and controls, designed to work the way you want to, securely.

If your ISMS has inconsistencies in the description of a policy and demonstration of practice then you’ll see those non-conformities appear. The severity of the non-conformity and the number of them in total is what will lead to an auditor giving you a certificate and time to improve certain parts for the next surveillance audit, or deciding not to issue a certificate at all i.e. failure.

Surveillance audits are more like Stage 2 audits and will have flavours of the month areas where auditors are being asked to look more deeply e.g. around supply chain, GDPR related matters etc. And then the cycle goes again with a more in-depth recertification audit at the 3rd year.  None of this should be surprising or hard to achieve successful outcomes if you are following the management practices in ISMS.online and have developed your ISMS policies and controls with your culture and the end users needs in mind.

All of the above, and more is covered in our Virtual Coach programme and If you need any further help at any stage of your implementation, we are available with simple and flexible support packages to suit the requirement.

• Content
• Process

In terms of content covered in the review, ISO 27001 9.3 says the management review shall include consideration of six elements as follows:

1. a)  the status of actions from previous management reviews;

1. b)  changes in external and internal issues that are relevant to the information security management system;

1. c)  feedback on the information security performance, including trends in:

1) nonconformities and corrective actions;

2) monitoring and measurement results;

3) audit results; and

4) fulfilment of information security objectives;

1. d)  feedback from interested parties;
2. e)  results of risk assessment and status of risk treatment plan; and
3. f)  opportunities for continual improvement.

The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.

When ISO says ‘shall’ it generally means ‘must’ and when it says ‘consideration, it means you must be showing your working on those six elements and retaining evidence as documented information.   

Frequency of management reviews is important as well; too frequent and its costly to run if you have to bring everyone involved together for meetings and production of reports etc, whereas too infrequent and you are probably losing control of your ISMS and will suffer either in having assets at higher risk, or end up with a bigger maintenance overhead than a ‘little and often’ alternative would deliver.

If you are running an ISMS online with all those areas covered as part of your integrated system, the actual process of conducting the Management Review become really easy too.

ISMS.online also has preconfigured workspaces where you are encouraged to follow the management review agenda that aligns with ISO 27001:2013 9.3 and you can quickly link to evidence from the initiative areas, saving huge amounts of time in the production of reports.

One of the other things that work well with ISMS.online is the work that gets done in preparation for management reviews, online discussions, tasking, external documents being uploaded to aid decisions, and a future schedule of reviews.  All the actions and decisions are easily noted too – no need for verbose reports and minutes to follow weeks later, it all happens in real time.  The auditors love to see that level of engagement and take great confidence from the process and content demonstrating your ISMS is working.

• During first implementation to get to a steady state operation
• Ongoing management and delivery of the ISMS thereafter

You’ll want to ensure that you have the Confidence, Capability and Capacity to successfully implement your ISMS and we can help with all of those too over the whole life if you need it:

• Confidence issues: Follow our Virtual Coach Programme and implement ISMS.online in the manner we suggest and you’ll see that confidence grow very quickly
• Capability issues: Virtual Coach and the materials inside ISMS.online will mitigate a large amount of the capability issues, and if you need further help, just get it by exception from us or one of our partners
• Capacity issues: We’ve done all we can to help save time and keep your resource investments to the must have work. If capacity is still and issue, or your perhaps want to outsource more of the implementation, or get support with ongoing management e.g. as a virtual CISO, our partners can help

‘Roles and responsibilities’ is just one of many videos in our ISO 27001 Virtual Coach Programme but you too can watch it below…

You’ll have the option of staying with the current variant or migrating as and when new versions are released.  This could be as simple as you tweaking existing frameworks if changes are minor, or for more substantial changes we will look to offer help to customers and keep your costs of change to a minimum.

Afterall, we will also need to migrate our own ISO 27001:2013 certified ISMS too!  Bear in mind that ISO is well versed in evolving its standards and migration periods can be 2-3 years meaning plenty of time for a shift if you need a bit longer to change.