The process and scope of ISO 27001 certification can be quite daunting, so let’s address some of the frequently asked questions.
If you own or work for a growing or well-established organisation, you may have come across the fact that you need to be ISO 27001 certified and aligned. Beware of the tick-box approach, though (see https://www.bridewellconsulting.com/looking-at-iso-27001-certification-guidance-on-how-to-avoid-the-cowboys).
In short, ISO 27001 provides a framework known as the Information Security Management System (ISMS), which consists of a set of guidelines and technical controls for managing information security. Many organisations receive their copy of the standard and begin drawing up policies, procedures and technical checks simply to tick them off. They may have a few technical control directives, but they do not know where to start and find it difficult to gain traction in implementing the standard. Here are some general principles that can help you in this situation.
Look at the Scope
The best approach is to spend some time looking at the scope of the ISMS. This work will bring you closer to the ISO 27001 standard and give you a better understanding of the scope of your ISMS and its requirements.
It is not about drawing an imaginary line between finance and human resources; it is about understanding key processes and interdependencies, understanding your organisation from a business perspective, and really immersing yourself in how the organisation operates. This enables you to implement an ISMS that can be adapted and developed with your company and that provides clarity on definitions and responsibilities, whether you operate as a managed service provider or as an independent business unit.
Management must be included in the ISMS, but this does not have to be an all-consuming ordeal.
By using the standard as a guide to your own expectations, you can better understand what your management team needs. Obtaining ISO 27001 certification not only helps you manage information security, it can also enable you to do business in a more secure, efficient and cost-effective way.
Risk Assessment is Key
Sound risk assessment and management processes are fundamental to ISO 27001, and having management on board is key to receiving support for risk mitigation. Get good data by making sure you have the right representatives from the technical teams in your company. Formalise your actions through measures such as a risk management plan, risk assessments and risk analyses.
There are 114 controls in Annex A, ranging from the access control policy to the management of cryptographic keys. It is not necessary to implement every one of them; the controls should be chosen so that they mitigate the risks you have identified.
This allows you to work from a single framework, even if you want to implement and certify against multiple frameworks. For example, you can combine two or more frameworks, such as an open source framework and a proprietary one.
Applying controls that mitigate identified risks should also enable you to demonstrate the business benefits to senior stakeholders. This contradicts the common assumption that ISO 27001 prescribes a fixed set of rules for carrying out controls, such as the use of a particular security management system. There are no binding requirements of that kind in ISO 27001, so you can demonstrate security to high-level stakeholders without imposing it in a rigid form on your own employees or customers.
Information Security is Vital
Historically, information security has had a negative connotation as a "can't-do" function. All too often we see organisations improving their security but not concentrating on communicating it to the wider public.
Recognise the good work you are doing and take the time to think about how it will help your organisation. Not all organisations are able to do this, so you should review the benefits once a month. Obtaining external support is a really good way to implement the requirements, but make sure that the organisation you use has a good balance of technical experience and ISO 27001 knowledge. This is a great way to expand your business and gain a foothold with the general public and other organisations in your industry.
Avoid the Cowboys
Do not use a company that claims to be able to certify you for ISO 27001 in five days; realistically it takes a month or two, or even a few months. Of course, there are various types of vulnerabilities that you need to protect your organisation from as soon as possible, but don't fall into the trap of hiring the wrong provider to help you achieve your goals, only to find that it's suddenly three months later and nothing has happened.