Tips for ISO27001 certification


More information about ISO27001 is available on our website.

5 tips – for Risk Assessments

  1. Read – yes, actually read – the parts of the standard that refer to risk assessment
  2. Make sure you cover *everything* the standard expects for risk assessment
  3. ‘define and apply … process’ – document the process
  4. all risks must have an owner
  5. ‘residual risks’ – determine how they will be accepted

5 tips – for Interested Parties

  1. Include any that could be affected by the Information Security Management System (ISMS) – internal parties, suppliers, regulators, etc.
  2. Define what their interests are, e.g. shareholders and investors would expect security to be in place so clients don’t leave
  3. Determine how the ‘management review’ requirement will be met
  4. Determine how the Information Security policy will be made available to them
  5. The ISO27001 certification body will be an interested party

5 tips – for Performance evaluation

  1. Define what needs to be monitored and how this will be done
  2. Determine when this will take place – do checks more frequently for anything that could present higher risks
  3. People doing monitoring need to have appropriate processes and tools … and may need training to do it effectively
  4. Determine how the results from monitoring will be fed back to senior management
  5. Keep records of what is done … and know where they all are so they can be made available at ISO27001 certification and surveillance audits. You don’t want to keep auditors waiting for too long 😃

5 tips – for Internal Audits

  1. Determine who will do the audits. No formal qualifications are required, but the person must be objective and impartial (they should not be auditing their own work) and must understand the ISO27001 Clauses and Annex A Controls relevant to what they are auditing
  2. Maintain a schedule covering the next 12-18 months identifying what will be audited and when. This needs to reflect the “importance” of processes and results of previous audits (internal and external)
  3. Audits need to cover all parts of the standard, but the standard doesn’t define the time period for doing this. Don’t feel you need to cover everything in 12 months – 18 months (or longer?) can be OK depending on business needs and risks
  4. Each audit needs to have defined criteria and a defined scope – audit templates are a good way to do this; include references to the Clauses and Annex A Controls to be audited
  5. Determine how to extract information from audits for reporting back to senior management. One option is to link findings from audits to business area and/or Clauses and Annex A controls and analyse these over time. Unexpected trends may be found!

5 tips – for Information classification

  1. The number of classifications required depends on business requirements and needs to consider “legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification”
  2. Having a flowchart that shows how to determine the classification of an information asset can help define the number required and what they are called
  3. Consider the requirement to make Information Security related documents available to external parties. Having documents as ‘Restricted’ could cause overheads in tracking who has them (although this depends on how you define the use of ‘Restricted’)
  4. You don’t need to go back and classify all historical documents/information assets, although there is nothing to stop you doing this if it delivers business benefits. It is acceptable to have a statement on how historical items are handled
  5. Each information asset should be classified by the asset owner

Get in touch for advice or help with ISO27001 certification.

e: ian.grey@wadiff-consulting.co.uk
t: +44 (0)7941 188462