The long and winding road to ISO 27001 Certification

When a race car takes to the track at the start of a motor sport event, it is the culmination of months, if not years, of preparation. Top-level deals have been done, the team is working together toward a single goal, and every last wheel nut must be accounted for before the race even begins.

So it should be with your business’s Information Security Management System (ISMS) if you want your company to achieve ISO 27001 certification.

The ISO 27001 international standard reassures customers of your dedication to protecting their data, providing best practice guidance that ensures your company has the capability to do this. For ISO 27001 certification to be achieved and retained, an organisation must be able to provide demonstrable evidence that it is using the ISMS effectively in order to pass the initial 12-month audit.

The ISMS ecosystem

An ISMS is not just a collection of policies, processes and procedures that are put in place and then remain static as time passes. Rather, it should be thought of more as an ecosystem of mutually dependent factors that is constantly evolving.

Influences on this evolution can include changes in the scope of your business, such as new partnerships, which may require operational changes that affect your ability to meet the necessary standards. A shift in your working practices would also require further adjustment to your ISMS. This is an aspect that has become particularly relevant to many enterprises due to the widespread shift to remote working during the coronavirus pandemic.

Beyond your internal practices, regulatory requirements are also ever-evolving. For example, the jury is out, post-Brexit, on the EU’s determination of whether the UK Data Protection Act (DPA) 2018 is adequate to meet the General Data Protection Regulation (GDPR) that governs the free transfer of data between its member states. So, especially for organisations that are spread across multiple locations or countries, an effective and responsive ISMS is a must.

Making your business fit for purpose

The process of achieving ISO 27001 compliance requires more than just setting up an IT security group and letting them get on with it. This is very much a top-down process that will require time, effort and money, so right from the start there must be 100% buy-in from your organisation’s top-level management in order to make sure the wheels do not come off along the way.

Before setting off on any long and important journey, there are other checks that must be performed fully in order to ensure a smooth passage. To this end, an ISMS scope of assessment and Statement of Applicability (SOA) should be compiled with comprehensive consideration given to every single one of the moving parts that make up your business.

Checking the pressure in just two of your car’s tyres does not provide peace of mind for a safe journey. Likewise, your company may suffer potential pitfalls if parts of its operations are de-scoped at the start of the certification process. Including the entirety of your business is the surest way to set off towards certification, as omitting any part could ultimately weaken your ISMS to the point of ruling out your chances of certification.

The Xpertex roadmap to ISO 27001

The route to certification is fraught with potential potholes, dead ends and cliff edges, so it is vital you have an expert co-driver to help navigate what may be previously uncharted territory for your business.

Having blazed a trail through the complete process of gaining and maintaining its own ISO 27001 certification, Xpertex now shares this carefully detailed experience with its customers, ensuring they avoid any unnecessary detours or expensive U-turns along the way.

Key stages on the Xpertex route included:

1. Establishing a Statement of Applicability (SOA) and scope agreement with initial buy-in from senior management.

2. Formulating an initial ISMS that was wholly aligned with its operations right from the beginning.

3. Being audited against its SOA. At this point, certification was achieved.

4. Using the ISMS for a period of 12 months to test its suitability.

5. Being audited again once this period had elapsed in order to see how the ISMS was being applied. Certification could have been lost at this stage.

6. A four-year adventure with the ISMS then begins before the next audit takes place.

As is evident from this itinerary, the ISO 27001 certification process is more like a Le Mans endurance race than a quick blast along the main drag. Once you have the plaque on the wall, that is where the real work begins, and preparation for the next audit should start the day after the last one has been completed. In this particular race, there is nothing to be gained from looking in the rear-view mirror – it’s not about what happened on the last lap, it’s how you drive the next one!

To engage the experience Xpertex can offer to guide your organisation towards fully certified security management, call +44 2030 210 749.
