Before I joined the Pivot Point Security team, I worked with them on the client side. My former employer engaged Pivot Point on an ISO 27001 implementation project. I was the project manager and primary contact.
Having no prior experience with ISO 27001, I had to go from knowing almost nothing about the information security management system (ISMS) implementation process to being my company’s de facto expert.
ISO 27001 is a detailed and lengthy standard that requires specialized knowledge to implement, and the initial phases of the certification process can seem overwhelming.
Here are 7 tips I wish I knew before beginning my first ISO 27001 implementation.
- Purchase both the ISO 27001 and ISO 27002 standards.
The need for the former is obvious, but ISO 27002 is also valuable as it offers some descriptive guidance on the controls in Annex A of ISO 27001. The controls in ISO 27002 are named the same as those in Annex A, but ISO 27002 provides a lot more detail about each one.
- Identify a resource with expertise you can tap into.
This could be a consultant or a member of a certification body, for example. Keep that knowledge base on tap, and don’t be afraid to ask “silly” questions—there are none. If this were easy you’d be done already…
- Certification first, understanding second.
It might seem backwards, but I recommend that clients focus initially on their certification process, and seek to develop a deeper understanding of ISO 27001 post-certification. Rest assured, the effort to achieve certification will give you a strong background to help you understand your ISMS and how to manage it.
- Take advantage of project management tools.
There are a lot of moving pieces in an ISO 27001 implementation. Guidance and tasks from internal requirements, internal audit findings, external reviews, and information security committee meetings all need to be recorded and tracked. Then there are your calendar, milestones and timeline for implementation. Plus you’ll be maintaining a list of requirements to address after certification. There’s a lot of project management software out there: get some.
- Prepare ISMS documentation in advance.
If possible, prepare your ISMS documentation well in advance of the ISO 27001 internal audit and the Stage 1 and Stage 2 reviews. This is especially important for the Stage 1 review, which is often called a “documentation review.” The audit process can be intimidating for experienced practitioners, let alone first-timers. You want to be focused on explaining what’s in your documentation, not scrambling to find supporting information. Also, if you have the support of a third party in your certification process, you’ll want to give them some lead time to look over your documentation and help you address any weak points.
- Ask reviewers directly about nonconformities.
When nonconformities are identified during audits and reviews, be sure to gain an understanding of the issue directly from the person who performed the review. That way you’ll not only get your questions answered upfront, but you’ll give the reviewer an opportunity to provide more feedback than he or she would likely think to offer in written form. As a result, you’ll find it easier to address the specific problem(s) identified, as well as to scope the effort required to fix the issues.
Achieving ISO 27001 certification can be complex and challenging, but starting off on the right foot and being prepared for each step will make the process much smoother.
To find out more about ISO 27001 implementation and tap into some useful resources around the steps involved, FAQs, costs and more, contact Pivot Point Security.