July 30, 2019

Last Updated on January 13, 2024

This short post is the second in a series that explains in straightforward terms the process we follow to build an ISO 27001 certifiable Information Security Management System (ISMS). You can access our entire proven process here.
We hope you find these bite-sized posts useful for understanding how ISO 27001 certification is achieved, and what it could look like for your organization. You may want to read them in order, starting with Step 1. Enjoy!
A major factor in any information security plan is (no surprise) the strength and maturity of your current information security posture/program. There is quite a bit of overlap between documenting your current “security status” and understanding your organizational scope, as discussed in Step 1. You can gather this information during the scoping process as a “controls understanding/enumeration.”

As you perform this fact-finding activity, the focus is not yet on “assessment” (passing judgement) about how effective an information security control is or isn’t. Instead, it’s about learning what controls are currently in place, and the extent to which they are implemented and operating. As you learn more about your risks starting with Step 3, you’ll be in a better position to assess your controls in the context of your environment.
The easiest way to gather a “controls understanding” is via artifact review (policies, standards, procedures, audit/assessment findings, penetration test results, incident reports, and so on) combined with discussions with your IT and information security staff.
Have questions about ISO 27001 certification or the best way to achieve your information security goals? Contact Pivot Point Security—we specialize in advising organizations on how to manage information security risk.

Access All ISO 27001 Proven Process Step Posts Here:

  1. Understand Your Scope
  2. Understand your InfoSec Controls
  3. Identify and Analyze Information Related Risk
  4. Build a Risk Treatment Plan
  5. Execute the Risk Treatment Plan
  6. Conduct an Internal Audit
  7. Certify Your ISMS
  8. Maintenance, Continuous Improvement and Recertification

Also, here is our ISO 27001 Proven Process PDF