The ISO 27001 Certification Journey
Achieving ISO 27001 Certification is a significant milestone for any organisation, but the traditional route is a long and winding road with many obstacles that can take several months or even years. But not anymore!
The Traditional Way
- Understand The ISO 27001 Standard
First, obtain a copy of the ISO 27001 standard, then try to understand what any of it means. This is supposed to help you understand what to expect during the certification process, but the language of the standard is neither detailed nor explicit. You may not understand what much of it means, and you will probably hire a specialised consultant at an exorbitant daily rate. Ultimately, you are trying to build an "Information Security Management System (ISMS)" but don't know how to start.
- Define The Scope Of The Organisation
You will spend a lot of time trying to describe your business and how it operates to someone who is not familiar, forcing a lot of re-work and endless conversations, emails, and phone calls. You must decide which parts of your business are covered by the certification, focusing on areas that handle important information and how that data is managed.
- Conduct a Risk Assessment
You must identify potential threats to your information and evaluate how likely they are, what the impact is, and the risk they pose. This helps you understand where to focus your efforts, but if you don't know what the risks are and what they mean, let alone where to begin, consulting hours rack up in a hurry while you chase shadows.
- Implement Required Controls
Once you've identified your risks, you must implement measures to protect your information, such as policies, procedures, and more. You can try to choose simple solutions that fit your limited resources, but unless you know what your options are, you're left scratching your head. And probably paying for a consultant.
- Create Policies and Procedures
This is where you will experience "the tyranny of the blank page" in trying to develop clear rules and guidelines for handling information securely. Or, more likely, you'll use some generic, downloaded, free templates that don't really fit or end up hiring yet another expensive consultant to write them all for you, hoping for the best and that they vaguely match your business! By this time, you are becoming aligned with ISO 27001 and it just seems like so much time and money to get here with so far to go!
- Train Your Staff
Once you have all your paperwork, you then have to explain all of it to your team... at least anyone who handles information. Unless it is written in a way everyone understands, it may be wasted effort. You must educate your employees about information security and their role in protecting data, but they must be able to understand what is required and why, so if your paperwork is a bit vague, the lessons will be, too.
- Monitor and Review
This is where you'll find you can almost never get ahead. You'll feel like you're going in circles trying to check your security measures to ensure they are effective. Making adjustments as needed to address any new risks can be very time consuming, requiring significant manual rework. And expensive consultants.
- Conduct an Internal Audit
Now it's time to review your processes to ensure your ISMS meets the ISO 27001 standard requirements. This helps identify areas that need improvement before an official audit, if you choose to seek certification. This can be incredibly nerve-wracking, so you often require outside help at even more expense to get that critical set of eyes to ensure you haven't missed anything, and that what you do have is up to standard. Often, an internal audit can lead to significant rework if you don't get it right the first time!
- Address Issues
This is when you fix problems found during your internal audit, and the list can be long and never-ending. Some things will be good, but are they good enough? Many things may be missing, or you may have to start over. The idea is to strengthen your information security management system, but in a way that is clear and concise. By this point, you should now be compliant with ISO 27001. Are you ready for the next step?
- Choose a Certification Body and Get Audited
It's go time! Select an accredited organisation to review your ISMS and everything it includes. They will conduct an official audit to determine if you meet ISO 27001 standards. This can cost tens of thousands of dollars, take weeks to complete, and can require significant re-work to meet the Auditor's expectations! But once you check all the boxes, congratulations, you are finally ISO 27001 Certified!
But wait! There's more!
The ISO 27001 Certification is valid for three years, but that doesn't mean you can relax for the next 36 months. Every year there is a "surveillance audit" where the certification body will check that you're still using your Information Security Management System, that you have made improvements, and that you have continued to perform risk assessments and treat new and existing risks. The auditor will want to see evidence that the business is discussing risks and progress, and that ownership and others are involved regularly.
Often, the surveillance audit covers only part of the full audit scope, but some certification bodies check everything, every year. After two surveillance audits, you will need to undergo a recertification audit in year three to renew your certification. Recertification is usually a lot easier provided you stay on top of things and have the time to do so.
It's a lot to consider. That's why at CompliCertify, we've designed our platform to take away a lot of this pain and save you time better spent running your business! How is our way better? Keep reading below!
The CompliCertify Way
- Sign up for CompliCertify; it's quick and easy (we've even put the button below to make it easier still!). Pay the incredibly low monthly fee. Provide your basic business information like your address and contact details.
- Provide more specific details about your business, like what it does, what its market is, its industry vertical, and other relevant information about operations, customers, types of information it handles, and where it operates. The more detail you provide, the easier everything that comes after is.
- Following the guidance, select the risks applicable to your business and the controls you may need to address those risks. Don't worry - you can adjust these if needed, and you can always come back to them later to make changes. You're already on your way to becoming ISO 27001 aligned! Isn't this easy?
- We'll even preload 100 or so risks that, whilst generic to your business vertical, are most likely highly relevant AND we'll give you a generic match to the controls... you could almost click the "GO" button and be 75% of the way there!
- Generate the required policies and procedures, tailored to your business. You can accept the statements in each or update them as needed, and you can always come back to them later. Once you're satisfied, simply publish the document and it becomes your official artefact! Each artefact will contain version control, document approver, and change history.
- Once you've built your ISMS, you can take any recommended actions to remediate risks, and update the risks as you go, which will be reflected in the list of risks in real time.
- Check your progress on the dashboard showing how many controls have been implemented and which ones remain, and any that are out of scope. You'll also get reminders of when documents are due to be reviewed.
- At any point, you can review, update, and edit any part of your ISMS... add and remove controls or risks, regenerate and republish documents, and even add custom risks and controls to supplement the included default ones that cover most scenarios a business will face.
- Congratulations! Your ISMS is now ISO 27001 compliant! Should you wish to proceed to obtaining formal certification, the process is still similar to #10 above in "The Traditional Way", but the time to prepare for the formal audit process is far shorter, and the time to address any issue is much faster. You'll also find it significantly easier to manage going forward, especially during annual surveillance audits and the eventual recertification audits.
- One of the best things about CompliCertify is that by using our tools, you get educated as you succeed! By the time you finish, you'll be an expert at risk modeling for your business and you can confidently hold your own in any conversation about ISO 27001, Information Security, even how AI is revolutionising your business... and tell everyone about CompliCertify!
Now, wasn't that easy? Let's get started, shall we?