If you think writing a bunch of information security documents is enough to get ISO 27001 certificate, you’re wrong. You need to implement all the activities described in your documentation, but that’s not all – you also need to follow certain steps in the final phase of your ISO 27001 project.
ISO 27001 certification process
Let’s start first with the certification process itself – it is divided into two steps: Stage 1 audit and Stage 2 audit. In Stage 1 audit (also called Documentation review) the certification auditor checks whether your documentation is compliant with ISO 27001; in Stage 2 audit (also called the Main audit) the auditor checks whether all your activities are compliant with both ISO 27001 and your documentation.
Therefore, you need to pay attention to both writing appropriate documentation for your needs and to really committing to implement information security in your company. For details on required documentation, steps in the audit and how to deal with nonconformities read this article How to get certified against ISO 27001?
Mandatory steps for finishing the implementation
After finishing all your documentation and implementing it, you need to perform these mandatory steps in your ISO 27001 project:
- Internal audit
- Management review
- Corrective and preventive actions
The purpose of internal audit is that someone independent checks whether your Information Security Management System (ISMS) is working properly. Read more about internal audit here Dilemmas with ISO 27001 & BS 25999-2 internal auditors.
Management review is actually a formal way for management to take into account all the relevant facts about information security and make appropriate decisions. The point with ISO 27001 is to reach such decisions as part of a regular decision-making process.
Finally, the company needs to correct all the problems detected by internal auditors, managers or someone else, and document how these problems were resolved – this process is called corrective actions. It is recommended to take preventive actions too – to try to prevent problems before they happen (something the certification auditor will appreciate quite a lot).
How to test ISO 27001 implementation?
However, before undertaking these mandatory steps, it is useful to check whether everything is in place. This step is not required by ISO 27001 (at least not in such an explicit way), but in my opinion, it significantly increases the chances for successful certification.
Doing the ISO 27001 test (or check) means that everyone who has a role in ISMS has to check whether everything he/she is responsible for really functions as required by the standard, and by the company’s documentation.
Such test/check is not the same thing as internal audit because, during an internal audit it is the auditor who goes through the company checking out things, while what I’m talking about here is that almost every employee needs to think hard whether he/she has done really everything that is required. In such a way you not only decrease the chances of something going wrong but also raise the awareness of your employees.
All these steps might seem complicated or you may think of them as costly overhead. But, believe me, they do serve their purpose – if implemented properly, you will see that they will actually increase your level of information security.