Accelerate your organisation to first-time ISO 27001 success
Our Assured Results Method, ARM, is your simple, practical, time-saving path to first-time ISO 27001 compliance or certification. It breaks the whole process down into 11 steps, then guides you through them one by one.
It starts at your very first sign-in and ends as you celebrate your assured success.
- Helps you achieve ISO 27001 first time, like every other organisation that’s followed it
- Shows you how to take advantage of every shortcut and avoid every pitfall along the way
- Shares simple, practical guidance right through to certification or compliance
It simplifies team and project management too.
- Keeps your ISMS implementation team on the same page at every step
- Orders your ISO 27001 progress for peak efficiency
- Gives you clear oversight of what you’ve achieved and what’s still outstanding
We make ARM available to all our customers. It’ll be ready and waiting for you when you first sign in to ISMS.online. It’s backed up by our:
- Adopt, Adapt, Add Content, which starts you off 77% of the way to ISO 27001
- Optional 24/7 Virtual Coach, which offers context-specific help whenever you need it
That’s just your first line of support. You can chat with our Helpdesk from within our platform. And our Service Delivery Team and your Account Manager are only ever a phone call away.
All the guidance you’ll need
Achieving ISO 27001 means completing about 140 separate tasks. We’ve broken them down into 11 simple steps. They’re an integral part of ISMS.online. Each includes specific, pre-set work areas and tasks all ready to go.
You’ll start by describing your current information security environment:
- Lay firm foundations by understanding your organisation’s infosec needs
- Describe any infosec policies and controls you already have in place
- Add in any policies or controls you’re missing
Then you’ll go live with your ISMS and carry out your first internal audit:
- Formally launch your ISMS and move it into operational mode
- Conduct your first internal audit by reviewing your ISMS’ documentation
- Go through and prioritise any improvements you need to make
Finally you’ll complete the audit process to achieve compliance or certification:
- If you’re going for certification, get ready for your first external audit
- Find the right certification body
- Complete your first external audit, which checks your ISMS’ documentation
- Carry out your second internal audit, focussing on how your ISMS works in practice
And once you’re compliant or certified, we’ll still be with you. Our platform will have helped you build a highly sustainable ISMS that will evolve and grow with your business.
How ARM’s 11 steps work
1. Lay firm foundations
You’ll start by understanding your organisation’s infosec needs. Then we’ll help you understand which parts of it fall within the scope of your ISMS. Our Risk Bank, pre-populated with over 100 common risks, makes defining the risks you face a simple matter.
2. Describe your current infosec policies and controls
You probably already have some infosec policies and controls in place. We’ll help you:
- Import them into your new ISMS
- Show how they already satisfy some of ISO 27001’s key requirements
Our platform will link them back to the risks you identified in Step 1. It’ll draw on our Adopt, Adapt, Add policies and controls to show you how we’d approach them. And it automatically tells you which controls could relate to a particular risk, saving much time and effort.
That’ll help you:
- Fine tune your approach to risks you’ve already covered
- Easily protect your organisation against newly-identified risks
Our pre-loaded Adopt, Adapt, Add content covers all 114 Annex A controls of ISO 27001:2013, getting you 77% of the way to completion before you’ve even begun. If one of them works out of the box, just adopt it. If it doesn’t meet your organisation’s unique needs, it’s easy to adapt or add to.
3. Adopt or adapt remaining core requirements
Now you draw on our Adopt, Adapt, Add content to fill in any other blanks you have left. As ARM moves you through this stage of the process you’ll tick off all the rest of ISO 27001’s core requirements, defining your:
- Day-to-day operational administration
- Ongoing improvement processes
- Specific leadership roles
It’ll also ease you through some potentially painful administrative tasks. For example, our platform automatically creates and updates your Statement of Applicability. We’ll help you pin down a process for making sure you’re meeting your infosec objectives too.
4. Formally launch your ISMS and move into operational mode
Your ISMS will start working bit by bit. We recommend setting a date marking its full, formal launch. That’ll help focus minds within your organisation. And if you’re going for certification, it gives your auditor a clear start point to work from.
ARM will guide you through your ISMS launch process. You’ll record the date in your ISMS Board Area, alongside all your other management decisions. You’ll announce it to your staff via our Group Communications feature and create Policy Packs to help them stay compliant.
And it’ll all be recorded for future audits. That makes it easy to show you’re completely on top of your organisation’s information security, whether you’re talking to:
- Your own senior management and other stakeholders
- Current and potential customers
- External ISO 27001 auditors
5. Conduct Internal Audit 1 – ISMS documentation review
Whether you’re going for compliance or certification, you’ll need regular internal audits to make sure your ISMS is working properly. We’ve mapped out two pre-certification audits for you. They start with your first documentation review.
We’ll help you make sure you’ve:
- Clearly and comprehensively documented every aspect of your ISMS
- Noted any changes or improvements in your Corrective Actions Track
- Achieved the right level of internal audit competency
6. Review and prioritise identified improvements
Now’s the time to look back over your brand new, fully functional ISMS and make it even better. You’ll have noted some changes and improvements during your first internal audit. ARM also makes sure you record them as you work through every other step.
You’ll draw on your Corrective Actions Track to action those changes. We’ll guide you through:
- Reviewing each potential change or improvement
- Assigning an owner to each one
- Prioritising them for action
- Setting target dates for completion
7. Get ready for your Stage 1 Audit
If you’re going for certification, you’ll need to prepare for your Stage 1 Audit. It’s an external version of the Internal Audit 1 you’ve just completed. So you should already have all the documentation you need ready to go. ARM makes sure you double-check it all.
We can help with our own audit readiness checks. And if you paused ARM once you reached compliance, this is where it swings back into action: you can reactivate it to go on to full certification whenever you need to.
8. Engage a certification body and complete your Stage 1 Audit
ARM gives you some tips on finding the right ISO 27001 certification body for your organisation. We can recommend ones that have experience of working with our platform.
Then it explains every aspect of the certification process. It starts by walking you through your Stage 1 external audit. It’s a documentation review that gives your auditor a basic sense of:
- Your organisation
- Its infosec posture
- Its approach to infosec management
These days it’s often done remotely, to drive down costs and speed up the process. Once it’s complete, your auditor will either:
- Recommend that you’re ready for your Stage 2 Audit
- Highlight issues to address before you can progress
Organisations following ARM usually go straight ahead to their Stage 2 Audit.
9. Carry out Internal Audit 2
Whether you’re going for certification or just compliance, you’ll need to carry out a second internal audit. Carrying out two audits lets you test your audit process and demonstrate that you apply it consistently from one audit to the next.
You’ll draw on our second pre-documented audit. We’ll help you look at either:
- A specific process, giving it a full top-to-bottom audit
- One or more of the focus areas identified during your Stage 1 Audit
10. Get Ready for your Stage 2 Audit
If you’re going for certification, your Stage 2 Audit is the last big hurdle to cross. Our ARM checklist will help you get ready for it. And our platform will present all the information you’ll need to share in a clear, accessible, transparent way.
11. Your Stage 2 Audit
The Stage 2 Audit is usually a thorough on-site inspection. Your auditor will check that your ISMS is:
- Operating as described
- Following the requirements of the standard
- Delivering the right level of security for the risks your organisation faces
Their inspection will include everything from interviews with staff members to deep-dive inspections of your logs, records, processes and controls. And if your business is spread across more than one site, they’ll look to visit some or all of them.
The audit’s very much auditor-led. And by the time your auditor arrives, you’ll have done pretty much everything you can apart from getting their tea, coffee and biscuits ready. So ARM doesn’t offer too much guidance at this final stage.
But of course our platform will be by your side through the audit process. It’ll make it easy to show your auditor how thorough and comprehensive your work has been, and how robustly and efficiently you’ve protected your organisation’s information security.
And you’ll have the confidence of knowing that every organisation that’s followed ARM all the way through has passed their certification audits first time.
Once the audit itself is over, your auditor’s recommendation still has to pass two further checks before your certificate is issued:
- Peer review
- Accreditation body review
And that’s that. Celebrate! Then get ready to maintain your certification through its three-year lifespan. Our platform will help you through your:
- Annual surveillance audits
- Regular internal audits
- Ongoing maintenance and improvement
- Re-certification audit
Because your ISMS will be ISO 27001 certified, it’ll also help you:
- Give your customers and stakeholders infosec certainty
- Win new business, enter new markets and grow your organisation
- Safeguard your organisation’s brand, results and stakeholders
You’ll see how we’re the most practical, easy to use and comprehensive path to ISMS success, every single day.