The first question that comes to mind when you first hear about ISO 27001 is often, “How do I get there?”
In this blog, I will explain the ISO 27001 certification roadmap from my experience consulting on more than a few dozen ISO 27001 projects in Malaysia and abroad.
I categorise the ISO 27001 certification roadmap into 7 phases based on our 7E lifecycle model.
Phase 1: Explore – ISO 27001 Compliance in Your Organisation
ISO 27001 Self-Assessment
In the Explore phase, you must understand where your organisation currently stands against the requirements of the ISO 27001 standard. The practical way to do this is a gap assessment against a compliance checklist that covers both the management-system clauses (4 to 10) and the Annex A controls. I have included a sample ISO 27001 Self-Assessment Checklist for your immediate action.
Forming your ISO 27001 Information Security Steering Committee
Remember, you should not do this alone. Start by forming an ISO 27001 Information Security Steering Committee that, in addition to IT and Information Security, includes representatives from:
Human Resource Department,
Physical Security and Administration Department,
Supply Chain Management or Procurement Department.
Tip: The best ambassadors for ISO 27001 and information security are you and your founder, CEO or top leadership. Appoint these credible, experienced people to your ISO 27001 Steering Committee. Visible top-management involvement is something the standard explicitly requires (clause 5.1, Leadership and commitment); it creates a lasting impact and greatly increases the odds of a successful certification.
Phase 2: Educate – ISO 27001 Awareness
ISO 27001 Awareness Training
Awareness is the most critical component of the ISO 27001 management system, and a requirement in its own right (clause 7.3). Phase 2, Educate, therefore delivers awareness training to your Information Security Steering Committee and your employees on the ISO 27001 framework, so that everyone understands why the organisation is going for ISO 27001 certification and, most importantly, what role each of them plays in the certification roadmap.
The standard requires awareness (clause 7.3, and Annex A control 6.3 in the 2022 edition) but does not fix an interval. A yearly refresher ISO 27001 awareness training for the entire organisation is the accepted practice and is what certification auditors generally expect to see evidence of, so treat it as a mandatory activity.
Tip: Employee buy-in is the most critical factor in this phase. Do not give employees the impression that the ISO 27001 journey is only for compliance's sake or for marketing. The last thing you should mention is that certification is being pursued to win more sales or to satisfy tender requirements.
Phase 3: Establish – ISO 27001 Policies and Procedures
Establishing ISO 27001 policies and procedures is the phase that takes the most time in the ISO 27001 roadmap, typically between 1 and 3 months depending on the scope of certification.
Scope of ISO 27001 Certification
Defining the scope of certification (clause 4.3) plays a significant role in whether your certification succeeds. Why? The scope determines the locations, functions, departments and systems that the certification auditors will examine, and it is the scope statement that eventually appears on your certificate. In other words, the bigger the scope, the wider the area the certification audit covers.
Tip: Go first for the most critical functions of your organisation, where the sensitive information resides, and avoid the “big-bang approach”. Whatever you leave out must still be justified in the documented scope, and clause 4.3 requires you to consider the interfaces and dependencies between in-scope activities and those performed by other parts of the organisation or by third parties.
ISO 27001 Policies and Procedures
Depending on the scope of certification and the result of the gap assessment, you must start developing the mandatory ISO 27001 policies and procedures to prepare for the next phase, Execute. Every policy and procedure must be “baselined”, that is, formally approved for implementation by the Information Security Steering Committee, with the approval and version recorded, since clause 7.5 requires documented information to be controlled.
Tip: I recommend hiring an experienced ISO 27001 consultant for this phase, as it involves many hours of documentation development. It is better value for money than burning out your department leaders on this mundane work. Furthermore, an experienced consultant can bring up-to-date professional advice, based on years of tackling compliance with the ISO 27001 standard, on how to meet each requirement realistically and cost-effectively.
Refer to my other blog titled "ISO 27001 Mandatory Documentation"
Phase 4: Execute – ISO 27001. Do What You Have Written
Executing, or implementing, the ISO 27001 policies and procedures means ensuring that all stakeholders, that is your employees, vendors, partners and customers, comply with the new policies and procedures your organisation has approved.
ISO 27001 Implementation Evidence and Records
The Execute phase takes approximately 2 to 3 months, long enough to generate evidence and records that the ISMS is actually operating in your organisation. These implementation records are what prove to the auditors that your stakeholders are practising and complying with your policies and procedures; a policy with no records behind it is, to an auditor, a policy that is not implemented. Certification bodies also expect at least one completed internal audit and management review before the Stage 2 audit, so plan Phase 5 within this window.
ISO 27001 Measurements & KPIs
Measurements or process KPIs should be set for the critical policies and procedures. Clause 9.1 requires you to decide what is monitored and measured, by which method, when and by whom, and to keep the results as documented information. These measurements give you a bird's-eye view of the overall performance and effectiveness of the ISO 27001 implementation in your organisation.
Tip: No policy or procedure should be set in stone; policies and procedures must be flexible enough to be improved during this period as you learn what works.
Tip: Accredited certification auditors like to see improvement during this phase. A set of documents all still at version 1.0 with no change history suggests they were written once and never reviewed, which is not the picture of a living management system you want to present.
Phase 5: Ensure – ISO 27001 Compliance
To ensure ongoing compliance with the standard, your organisation must train a pool of internal auditors. Clause 9.2 requires internal audits at planned intervals, and having your own auditors makes the certification sustainable and reduces dependency on external consultants.
ISO 27001 Internal Audit Training
The identified internal auditors should undergo formal internal audit training delivered by an experienced, certified ISO 27001 Lead Auditor (an internal or external trainer). They must complete the training, and the certificates of completion should be retained as evidence of competence (clause 7.2) for the certification audit.
ISO 27001 Internal Audit
The ISO 27001 internal auditors, supported by the ISO 27001 consultant, then conduct a complete internal audit covering the whole scope of the ISMS. Remember the impartiality requirement in clause 9.2: nobody should audit work they produced themselves. All internal audit records, including the findings and the corrective actions taken, must be kept, and every finding must be reported and tracked to closure.
*In a coming blog, I shall write in detail about the mandatory ISO 27001 internal audit process.
ISO 27001 Management Review Meeting
The ISO 27001 Management Review meeting is held at planned intervals, in practice at least once a year, and works through the specific agenda listed in clause 9.3 of the standard: the status of actions from previous reviews; changes in external and internal issues relevant to the ISMS; feedback on information security performance (nonconformities and corrective actions, monitoring and measurement results, audit results, and fulfilment of the security objectives); feedback from interested parties; the results of the risk assessment and the status of the risk treatment plan; and opportunities for continual improvement. Its primary purpose is for the ISMS Steering Committee to present the internal audit findings and the proposed continual improvement actions to your organisation's top management for decision.
The meeting must be minuted following that agenda, and the minutes must record the decisions taken on continual improvement and on any changes needed to the ISMS, because clause 9.3 requires documented evidence of the results of each review.
Tip: By this point, your company has been running ISO 27001 for some time, yet there may still be areas of non-compliance because of resource and budget constraints. The Management Review meeting is the checkpoint at which management formally decides how to treat those residual risks and non-compliances: accept (retain) them, treat them, share (transfer) them, or avoid them by stopping the activity. Whatever is decided, record it; an accepted risk with no documented acceptance looks to an auditor exactly like an unnoticed one.
*In a coming blog, I shall write about the specific mandatory ISO 27001 Management Review agenda.
Phase 6: Examine – Audit by an Accredited ISO 27001 Certification Body
Examine is the phase where an accredited ISO 27001 certification body is invited to conduct the third-party certification audit. The initial certification audit is broken into two stages:
Stage 1 Audit and
Stage 2 Audit.
Any organisation going for ISO 27001 certification must pass both Stage 1 and Stage 2 (the full initial audit) in Year 1. The certificate is then valid for three years. In Year 2 and Year 3 the certification body returns for a surveillance audit, which, like Stage 2, samples implementation evidence but covers only part of the ISMS rather than repeating the whole Stage 2. Before the certificate expires (the start of Year 4) a recertification audit re-examines the whole ISMS; a separate Stage 1 is normally repeated at recertification only if there have been significant changes to the ISMS, its scope or its context. The table below illustrates the cycle:
Year 1: Stage 1 Audit + Stage 2 Audit (initial certification)
Year 2: Surveillance Audit
Year 3: Surveillance Audit
Year 4: Recertification Audit (full ISMS; Stage 1 only if there were significant changes), after which the cycle repeats
ISO 27001 Stage 1 Audit – Documentation Adequacy Checks
During the ISO 27001 Stage 1 audit, the certification auditors review the ISMS documentation (scope statement, information security policy, risk assessment and risk treatment, Statement of Applicability, and the internal audit and management review records) to confirm a few objectives:
Confirm that the organisation is in operation and that a formal ISO 27001 management system is in place.
Understand the organisation's ISO 27001 scope of certification and documentation framework.
Obtain affirmation that the organisation and its management are committed to pursuing ISO 27001 certification.
Decide whether the organisation is ready to undergo the Stage 2 audit.
Report any areas of concern that could be raised as nonconformities at Stage 2, so that the organisation can address them and be ready for the Stage 2 audit.
ISO 27001 Stage 2 Audit – Final Certification Audit
On satisfactory completion of the Stage 1 audit, the certification auditor proposes a date for the Stage 2 audit, typically within 2 to 8 weeks of Stage 1.
The main focus of the Stage 2 audit is interviews with staff and assessment of the evidence and records of your ISO 27001 implementation. Stage 2 is conducted by sampling evidence: the auditors cannot check everything, so they pick records, systems and people across the scope and test whether practice matches the documented policies and procedures. On completion, a final certification audit report is issued. Any major nonconformity must be corrected, and the correction verified, before certification can be recommended; minor nonconformities normally require an accepted corrective action plan that is followed up at the next surveillance audit.
Tip: I recommend running a simulation of the Stage 1 and Stage 2 audits with an experienced ISO 27001 consultant, so that every auditee knows what to expect during the certification audit.
Tip 2: On the day of the audit, avoid depending on your ISO 27001 consultant. In most situations the certification auditor will not allow an external consultant to answer on behalf of your organisation. Auditors would not like to read this, but it is highly useful: create a WhatsApp group chat in which auditees can raise questions so that your consultant can guide them to the right area.
Phase 7: Enhance – ISO 27001 Continual Improvement
Enhance is the phase where you continuously identify areas of improvement in your ISO 27001 framework and keep implementing the ISO 27001 controls according to your organisation's policies and procedures; this is the continual improvement the standard requires in clause 10.
Cyber threats and vulnerabilities keep escalating. A risk you identified earlier may since have been exploited, or may no longer be relevant, so the risk assessment must be reviewed at planned intervals and whenever significant changes occur (clause 8.2), and Phases 1 to 6 should be repeated on an annual basis.
Tip: Top management, founders and leaders of the organisation play the most crucial role in keeping the ISO 27001 management system relevant. Run consistent awareness campaigns so that the organisation stays alert to the ISO 27001 policies and procedures.
Disclaimer: There may be specific details that I have missed out. Please feel free to DM me for more information or suggestions for improvement.