ISO 27001 – Your Essential Guide
Once you have your ISO 27001 Standard implemented, it’s time for your audit and certification. But how do you know if you’re ready? Take a look at our essential guide for tips on the information you need to be ready for your auditor’s visit:
ISO 27001 (like the other ISO management system standards) is broken down into 10 sections.
The first three are introductory (the Annex A controls are covered separately); the questions below follow the remaining sections.
4. Context of the Organisation
- What are the internal and external issues relevant to your company and its vision that may impact your ability to achieve ISO 27001 Certification?
- What do your customers and clients require from you? How is your Information Security Management System achieving this for them and you?
- How are you monitoring the changes that occur within your business to ensure you are still compliant with ISO 27001?
- What internal and external factors could impact the effectiveness of your ISO Standard?
- Upon implementing your standard, how did you foresee achieving continual improvement? How have you managed to achieve continual improvement so far?
- Have you determined the scope of your information security management system?
- Having assigned roles to people concerning ISO 27001, are those involved aware of their responsibilities?
- Are those in leadership roles effectively communicating the importance of the standard for the company’s information security practices?
- Is there a clear programme in place to ensure compliance with the standard, with regular reminders of the importance of reporting any issues that arise?
- Is your risk assessment up to date, so that there is a contingency plan in the event of an error or data breach, and so that such incidents are prevented where possible?
- What plans are in place to determine the changes that may be needed for the ISMS to be effective and how will these changes be effectively implemented?
- What documentation do you have in place to prove that the risk owners have reviewed and approved all security risk assessment plans?
- Which resources are needed for your company to implement, maintain and continually improve your Information Security Management System? These may include people, infrastructure and/or environment.
- How do you define suitability for anyone undertaking a competency role within the business? What documentation do you have to prove they consistently meet the requirements of the standard?
- What training have you provided to your staff? How did they engage with it? Was it effective, and was there a notable change in the day-to-day routines of those involved (e.g. more consistently locking computer systems when away from the workspace)? What documentation do you have in place to record this training and its results?
- Do you have documentation to prove that the processes you planned have been carried out as planned, and further documentation to demonstrate their results or any rescheduled timings?
- How are you controlling any changes that need to be made?
- How do you plan to combat any negative impacts that changes may have and how do you then document this for continual improvement and future reference?
9. Performance Evaluation
- What criteria do you have to evaluate and select external providers and their performance?
- When conducting internal audits, how do you ensure the checks are consistent, and how do you document them?
- If non-conformities are raised, what plans are in place to ensure they are properly identified and addressed?
- When do those with leadership roles and top management conduct reviews?
- How are the reviews organised to ensure consistency and clear records each time?
- If issues arise within these reviews, how are they communicated to employees and addressed?
- Control, correct, address – How are you dealing with non-conformities if they are identified?
- For the documented information produced by the evaluative elements of the Information Security Management System, how is it stored and for how long?
Once you have these things in place, it's time to give Swift Certification a call!
Our experts will conduct your audit in a friendly atmosphere and are happy to answer any questions you may have. Our team of auditors have years of experience within the industry and bring a unique, 21st-century style to your audit. There are no scare tactics, and every audit is conducted in a thorough yet timely manner.