Preparing for an ISO 27001 and 27002 Audit
Getting your certification for ISO 27001 is a complex and time-consuming endeavor. But for many organizations, it’s worth the effort.
That’s because ISO 27001 is the international standard for Information Security Management System (ISMS). Being able to say you’re “ISO 27001 certified” tells stakeholders that your organization is serious about protecting the security and privacy of their information. Stakeholders include your current and future clients, business partners, suppliers, and customers.
In this day and age, that’s no small claim. And in fact, ISO 27001 certification is a must for many enterprises that do business with you. Mere ISO 27001 compliance isn’t always enough. To become certified as ISO compliant, you must pass an audit and obtain yearly “surveillance audit” reports attesting that you still comply.
To achieve certification, your organization must pass a rigorous audit of the 114 security controls contained in the latest ISO 27001 update, ISO 27001:2013. Those security requirements fall into 14 categories:
- Information security policies
- Organization of information security
- Human resources security
- Asset management
- Access control
- Physical and environmental security
- Operations security
- Communications security
- Systems acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
ISO 27001 lists the controls; ISO 27002 guides the implementation of those controls.
Preparation is key
An audit of your entire information security management system, including its technologies, processes and procedures, and people, will almost certainly be a challenge to pass.
The larger and more complex your organization, the greater the likelihood of audit findings that could delay certification.
But there are things you can do in advance to make your audit less of an ordeal and more efficient. ISO recommends taking a process-oriented “Plan, Do, Check, Act” approach:
- Plan: Planning and Preparation
- Develop your ISMS, if you don’t already have one. This entails
- Identifying and documenting your ISMS business objectives and processes. Value stream mapping, systems architecture mapping, and the ISO 27002 guidelines can help.
- Designating a team of employees, including managers, to oversee the ISO certification initiative, and a lead person to direct the process.
- Using an ISO 27001 audit checklist to help ensure that nothing gets missed.
- Analyze your gaps. Study ISO 27001 and 27002 to determine where you comply and where you fall short. You may wish to hire an ISO consultant to help with your gap analysis.
- Analyze your security risk. Conduct a risk assessment of your processes and policies including your user access control policy, identity management, password management, and other aspects of your ISMS, and decide how to mitigate or minimize the risks you find.
- Write your risk treatment plan, detailing your organization’s response to each identified risk. ISO 27001 recommends four possible responses to risk: modify, share, avoid, or retain.
- Train your personnel. Make sure that everyone is familiar with the ISO standard. If you’re renewing certification, ensure that they know about updates to the existing standard.
- Do: Systems and ISO implementation
- Implement your new or updated system. This can happen in-house, or you may work with a consultant.
- Train employees on how to use the system.
- Check to ensure that the system is working as it should, following the proper ISO standard.
- Check: Testing
- Conduct an internal audit to ensure that your ISMS risk management controls are effective and that your system complies with your chosen ISO standard or standards. You may wish to use an internal audit checklist or self-audit using software that performs this audit for you.
- Act: Closing compliance gaps
- Make changes where needed to bring your organization into compliance.
- Explain how you will maintain continual improvement of your ISMS, as the standard requires.
- Document everything, from the first step through the last.
When you have completed these steps, you’re ready for your ISO audit. Be sure to choose an ISO certification company that is accredited by ISO’s Committee on Conformity Assessment (CASCO). Otherwise, your audit will not be valid.
In advance of the audit, be sure to gather your “audit trail” documents to present to the auditor as evidence of your compliance efforts. If you’re not sure what those documents might be, consult Reciprocity’s ISO audit guide, “Preparing for an ISO 27001 and 27002 Audit.” This detailed ISO 27001 checklist will put your enterprise on the path to ISO 27001 certified success.