Here’s my strategy to help you get ISO Certified
It’s been about 10 years since I first brought a technology team through the process of ISO27001 certification. I admit the first time I went through the certification process it was a learning curve for me; however, the approach I took then is an approach I have repeated a number of times since, so it is an effective strategy which I am happy to share with you here.
Before we get into the specifics of what you should do in order to achieve certification, we should clarify why you might want to become ISO27001 certified.
ISO27001 is an Information Security Management System certification. It is not industry specific (for example like PCI DSS or HIPAA) or technology specific. The advantage of this is that you can apply the standard to any industry, but a more recent advantage is that many of the expectations of the new GDPR data protection regulation are embedded within ISO27001 – for example both are risk based systems. I’m not saying that by being ISO27001 certified you are automatically GDPR compliant; GDPR has many other obligations not mentioned in ISO27001, but it will help in the process of being GDPR compliant.
Another reason why ISO27001 is important is that any time you work in a Business-to-Business (B2B) environment you will be subjected to security due diligence by your clients – having ISO27001 really helps with this, and can shorten the due diligence timeframe and ease the burden on you when responding to security questions by clients.
Three steps to success:
I have used the same three step approach in a number of my projects to bring ISO27001 certification to new companies or departments. Here is the approach I recommend you adopt:
- Step 1 – Brief yourself on the standard with Pluralsight.
- Step 2 – Gap Analysis with BH Consulting.
- Step 3 – Certification with Certification Europe.
Step 1 – Brief yourself on the standard with Pluralsight
I have amassed a lot of knowledge on the ISO27001 standard and the certification process over the years. I’ve been through at least three ISO27001 certifications for new companies, and one for ISO22301. I have been through a number of re-certifications which occur every three years to keep your ISO27001 certification current, a number of transition certifications where the standard is updated and you need to transition from one standard to another version of the standard, and countless surveillance audits.
Over that time, you do encounter scenarios and challenges in the certification process, and, to be honest, business situations that arise which need consideration to keep your certification.
Back in 2016 I encapsulated all this knowledge into a Pluralsight training course so that I could share the knowledge with others. The course is called ISO/IEC 27001: The Big Picture. If you don’t have a subscription for Pluralsight, which is a highly recommended tool to have, you can take my course with the 7 day trial which is free. You will find the course here.
Step 2 – Gap Analysis with BH Consulting
Brian Honan is the CEO and founder of BH Consulting. I have worked with Brian on various projects since the first ISO27001 certification. Brian is highly regarded in the Information Security world, and BH Consulting is an organization I strongly recommend you engage with as part of your ISO27001.
Once you have a Big Picture understanding from my Pluralsight course, one of the next steps you need to undertake is a gap analysis. If this is the first time you’re going for certification, I recommend you engage Brian’s team to assist with this process. It usually takes about 1 day of on-site work and a couple of days for report writing etc. The best thing from this is that you have a clear action list: you will know where you need to put in most work in order to get things up to the expected standard for the certification audit.
A nice bonus of getting BH Consulting involved in the process is that they will point out areas of improvement that relate to general information security if they identify them as part of the ISO27001 gap analysis. Brian and his team undertake assignments worldwide.
You can contact Brian and his team here.
Step 3 – Certification with Certification Europe
Before you can be recommended for certification, you need to engage a certification body. You need to be careful here as not all organizations who claim to be in a position to certify you are in fact bona fide certification bodies. Certification Europe are a certification body and have been in this business for years. They also have a large footprint in Europe, but also beyond to the USA and the Far East.
I like the practicality that Certification Europe bring to the process. They are exacting and precise but seem to balance that very practically with the need for you to run your business and accept practical ways of complying with the standard. Certification Europe can also support Integrated Management Systems, where you might have multiple standards, for example if you have ISO27001 for Information Security and ISO20000 for IT Service management, or ISO22301 for Business Continuity, Certification Europe will be able to work with an integrated management system so that you get the maximum business process efficiency from your quality systems.
You can find Certification Europe here.
I wanted to write this article for a while, as I feel there is a lot of misinformation and fear about attaining ISO27001 certification. With GDPR now in place, I feel businesses will benefit even more from a formal Information Security Management System. One of the most common questions I get asked is: How do I start? I hope this article helps you to understand how to start the process, and how to avoid mistakes.
If you need any further help or have specific questions I’m happy to answer these on the Pluralsight Discussion forum, just go to the course page once you’re logged in and click Discussion.
To view my Pluralsight course click here.
Oh and in the interest of full disclosure, I have, well... nothing to disclose. Neither BH Consulting nor Certification Europe has rewarded me in any way for mentioning them in this article; as the article says, I'm just sharing the approach I take for certifying new organizations I work with.
Best of luck with your certification journey!