July 29, 2019

Last Updated on January 13, 2024

This short post is the first in a series that explains in straightforward terms the process we follow to build an ISO 27001 certifiable Information Security Management System (ISMS).
We hope you find these bite-sized posts useful for understanding what ISO 27001 certification is all about, and how it can be implemented in your organization. You may want to read them in order, starting with this Step 1… but if you want a simple way to see our entire proven process, you can access it here.
The first step towards an ISO 27001 certifiable ISMS is to understand your organizational context, or scope. To develop any kind of information security plan, it’s critical to understand the organization itself, including its business goals and information security expectations.
An easy way to think about this activity is to ask: What information do we need to protect and what are the processes that act on that information?
Understanding the relevant processes requires you to identify and document the people, systems and physical assets (e.g., employees, contractors, vendors, hardware, software, offices, data centers, networks) that support those processes.
The easiest way to gather this information is through a series of interviews with an organizational cross-section of “the right people” who know how things work.

Simply put, scoping is about understanding all of the many factors that influence your company’s information-related risk and the associated risk management decisions.
Have questions about ISO 27001 certification or the best way to achieve your information security goals? Contact Pivot Point Security—we specialize in advising organizations on how to manage information security risk.

Access All ISO 27001 Proven Process Step Posts Here:

  1. Understand Your Scope
  2. Understand your InfoSec Controls
  3. Identify and Analyze Information Related Risk
  4. Build a Risk Treatment Plan
  5. Execute the Risk Treatment Plan
  6. Conduct an Internal Audit
  7. Certify Your ISMS
  8. Maintenance, Continuous Improvement and Recertification

Also, here is our ISO 27001 Proven Process PDF