How We Help You Become ISO27001 Certified
Becoming ISO27001 Certified involves a process comprising five stages. This approach is designed to give you the best possible system for your needs and can be broken down as follows:
ISO27001 Certification Gap Analysis
We will initially need to spend one or two days with you to assess your current situation relative to the ISO27001 Standard. This assessment will allow us to provide you with a comprehensive Gap Analysis that identifies all of the areas requiring attention in order for you to become ISO27001 Certified.
ISO27001 Information Security Management System
Once the agreed rectifications have been carried out, we will produce the documentation required for a fully compliant ISO27001 Information Security Management System.
ISO27001 has several key documents that require a lot of preparation and careful consideration, and these will inevitably take longer to produce than the documentation for many other ISO standards. These documents help to make up the Information Security Management System (ISMS) and include:
- A comprehensive hardware asset register
- A comprehensive information asset register
- A number of Information Security Policies
- An Information Security Management Manual
- A Risk Register and Risk Treatment Plan
- A Statement of Applicability (SOA) containing 114 information security controls all of which must be considered
Producing this Information Security Management System will ensure that you successfully pass the Document Review conducted by your Certification Body prior to your Certification Audit.
Now that you have a fully compliant ISO27001 Information Security Management System (at least in principle), you will need to ensure that it is effectively implemented in order to achieve your ISO27001 Certification.
Implementation will involve the following activities:
- Communication of any new processes and policies identified during the Gap Analysis
- Awareness Training relative to the principles of ISO27001 and the Information Security Management System
- Implementation of effective Document Management
- Internal Audits
- A Management Review Process
- The implementation of controls identified in the SOA
- The completion of the Risk Register and Risk Treatment Plan
- The completion of the hardware and information asset registers
You will need to select a Certification Body to conduct your Audit and to issue your ISO27001 Certification. We would advise choosing a UKAS Accredited* Certification Body and can assist with the selection of a reputable, cost-effective Certification Body if required.
The Certification Body will assess your application and, based on the number of sites you operate and staff you employ, will notify you of the number of days required to complete your Certification Audit. We would propose to support you during this initial audit period in order to facilitate communication between you and the auditor, and to clarify any areas of your system that the auditor may not have identified as demonstrating ISO27001 compliance.
ISO27001 Surveillance and Maintenance
In order to ensure ongoing ISO27001 Certification, you will need to maintain your system with ongoing audits, reviews and effective management of the documentation. This will then be audited at least annually by the Certification Body in order to ensure that your system remains compliant.
We can offer training for your staff so that you can maintain this yourself, or we can provide that maintenance for you as your Quality Representative in the form of Internal Audits, Document Management and assistance during Management Reviews, Risk Assessments and Audits by the Certification Body.