6 Steps to get ISO 27000

Getting ISO 27001 certified is not necessarily complicated or very expensive. It needs time, effort and the support of senior management. You also need attention to detail, and proper documentation and forms.

Step 0. Decision

Step 1. Defining Scope of Implementation

Step 2. Documentation

These documents would be a policy (or set of policies) and its related documented procedures and guidelines, which ensure the business adheres to the ISO requirements in an efficient and achievable way.

The ISO 27002 standard is a huge help in preparing such documentation, but it is not mandatory to select the controls/safeguards from the ISO 27002 text.

At least 15 different documents are required for ISO/IEC 27001:2013:

  • Scope of ISMS (item 4.3, Page 1)
  • Policy (item 5.2, Page 2)
  • IS Risk Assessment process (item 6.1.2, Page 3)
  • IS Risk Treatment process (item 6.1.3, Page 4)
  • IS Objectives (item 6.2, Page 5)
  • Evidence of the competence of the people doing work on IS (item 7.2, Page 5)
  • Other documents deemed necessary by the organization for ISMS (item 7.5.1b, Page 6)
  • Operational Planning and Control Documents (item 8.1, Page 7)
  • Results of IS Risk Assessments (item 8.2, Page 7)
  • Results of IS Risk Treatment (item 8.3, Page 7)
  • Documented information as evidence of the monitoring and measurement results (item 9.1, Page 7)
  • Internal audit program plus audit results (item 9.2, Page 8)
  • Documented information as evidence of top management review (item 9.3, Page 8)
  • Evidence of nonconformities identified, actions taken and the results (item 10.1, Page 9)
  • Other documentations might be needed: A policy about rules for acceptable use of assets (use policy), access control policy, operating procedures, confidentiality and nondisclosure agreements, secure system principles, information security policy for supplier relationships or vendors, information security incident response procedures, regulations and contractual obligations, associated compliance procedures, and information security continuity plan.

Auditors will check that the above-mentioned documentation is present, up to date and fits the ISMS scope defined in Step 1.

Step 3. Realization

Another key to a successful realization step is to communicate with all employees about the processes in place, the need to adopt them fully, and the need to report back on any discrepancies.

Step 4. Internal Audit

Step 5. Certification Audit

Step 6. Maintaining the Certification

Information Security Expert, Cyber Security Engineer, Blogger, Mentor, PCI SME, CISM, CISA, CRISC, RHCSA, MCSE, CCNA, MBA, PMP, CLSSGB
