August 5, 2019

Last Updated on January 13, 2024

This short post is the sixth in a series that explains in straightforward terms the process we follow to build an ISO 27001 certifiable Information Security Management System (ISMS). You can access our entire proven process here.
We hope you find these bite-sized posts useful for understanding how ISO 27001 certification is achieved, and what it could look like for your organization. You may want to read them in order, starting with Step 1. Enjoy!
A hallmark of ISO 27001 is the requirement that management ensures “the suitability, adequacy, and effectiveness” of the ISMS. The key to doing this is a well-designed ISMS Internal Audit program.
The two-part goal of your Internal Audit program is:

  1. To identify what is working well; and
  2. To document what isn’t working and how it will be corrected.

The documentation on how you will correct issues is called the Corrective Action Plans (CAPs). Once complete, you can begin working with management to review the results and formally approve the CAPs.
Have questions about ISO 27001 certification or the best way to achieve your information security goals? Contact Pivot Point Security—we specialize in advising organizations on how to manage information security risk.

Access All ISO 27001 Proven Process Step Posts Here:

  1. Understand Your Scope
  2. Understand your InfoSec Controls
  3. Identify and Analyze Information Related Risk
  4. Build a Risk Treatment Plan
  5. Execute the Risk Treatment Plan
  6. Conduct an Internal Audit
  7. Certify Your ISMS
  8. Maintenance, Continuous Improvement and Recertification

Also, here is our ISO 27001 Proven Process PDF