Who certifies ISO 27001

ISO 27001 is an international standard that specifies the requirements for an Information Security Management System (ISMS). An ISMS helps organisations to manage their information security risk by providing a framework of policies, processes and procedures. If you, as a business owner, are using the ISO 27001 recommendations to create an ISMS for your company, you will likely consider certification against this standard.

Acquiring an ISO certification can gain dividends for your business in improved efficiency, productivity and security management of your assets. Certification by an independent third-party registrar is a great way to demonstrate your company’s compliance. By gaining certification, you can keep your information confidential and show that you have information security risks under control. As this standard integrates world class recommendations, compliance can also help you win customer trust and gain new business opportunities. We provide ISO 27001 consulting services to help you implement and obtain certification.

What is ISO 27001 certification

ISO 27001 certification refers to either the certification of organisation’s ISMS against the requirements of the standard, or the certification of individuals who were able to implement ISO 27001 recommendations in an organisation or audit against the standard’s requirements. For more information, read the article What is ISO 27001.

ISO 27001 certification for individuals versus certification for companies

Initially, the ISO 27001 was designed for the certification of organisations. The system was created for companies or any other type of organisations that develop their ISMS using policies, procedures or risk assessment, people or internal auditors, technology or cryptography, going on to invite certification bodies to audit their management system against the standard.

However, with the passage of time, the entire industry related to ISO standards, namely consultants, certification bodies, training institutions, et cetera realised that without adequately qualified people, the entire concept of maintaining compliancy would fail. As a result, various training programmes were developed for individuals who were interested in acquiring skills related to ISO 27001 auditing. In this manner, the individuals who attend the training and clear the ISO 27001 exams, will obtain a certificate that is issued in their name.

There are many certification training programmes available for individuals, including the ISO 27001 lead implementor course, which is intended for advance practitioners and consultants.

The ISO 27001 lead auditor course is intended for auditors in certification bodies and ISO consultants, whereas the ISO 27001 internal auditor course is intended for people who perform internal audits in the company. Moreover, ISO 27001 foundation courses are also available, intended for people who want to learn the basics of the standard and the main steps in its implementation.

How to get ISO 27001 certified

To establish an ISMS, organisations must begin by determining their scope. This begins by identifying what information needs to be protected and which processes act upon that information. Answering these questions would be helpful in understanding and documenting the people, systems and other assets which influence your organisation’s information related risks. Here, it is essential to remember that interview with “the right people” with the correct knowledge is the easiest method to gather the input needed to determine your scope. Using ISO consulting services in Australia will help you get complete information on how to implement ISO 27001.

1. Understand your current controls

The next step is to understand your current controls and compare it with your idealised state. There is a popular saying that, “The first step to achieving a milestone is to figure out where you stand.” Here, not only do you have to identify what security controls do you have in place today, but also determine the extent to which they are operational. To determine the discrepancies that may exist between your theoretical and practical security controls, it is always beneficial to conduct a gap analysis.

2. Cyber security gap analysis for ISO 27001

Cyber security gap analysis enables organisations to address the areas of business within the network and system security controls. It ensures that they are effective. Additionally, this type of analysis also showcases what you should be doing by comparing your current practices against the industry specific best practises. Moreover, understanding your current controls is not just about documenting the details of the security controls within the organisation, but rather critiquing their effectiveness. The easiest way to collect input is to review audit findings, procedures, policies, penetration test results, et cetera, in addition to interviewing information security personnel.

3. Analyse Organisations risks

After understanding current controls, organisations must analyse their risks. Organisations must ask themselves what are the risks posed to their information assets and which risks are at an acceptable level, and which are at an unacceptable level. Asking these questions will drive your risk assessment, helping you to identify, analyse and categorise risks in accordance with priority and severity.

4. ISO 27001 risk treatment plant

Once you have successfully identified and prioritised the risks that you need to address, it is time to build a risk treatment plant to mitigate them to an acceptable level. The acceptable level of risks can be improved by utilising security controls. This treatment plan gives you near term, tactical items to manage risks in a more effective manner. The characteristic of a good risk treatment plan is that it prioritises risk treatments based on risk-level, effort-level and the logical relationship between different treatments.

Once you have successfully executed and operationalised your plan, you are ready to verify the effectiveness of your controls. Effectiveness of your controls can be measured by conducting an internal audit that will help you to identify what is working well, and documenting what is not.