A Comprehensive Guide to Establishing an ISO 27001 ISMS
Chapter 1: Understanding ISO 27001 Certification
Securing ISO 27001 certification is not an overly complicated task. By leveraging existing resources and employing straightforward logic, you can navigate any audit with confidence.
With an increasing number of enterprise clients demanding ISO 27001 certification from their vendors, it’s essential for startups and small to medium-sized enterprises (SMEs) to adopt efficient strategies for compliance. Central to obtaining ISO 27001 certification is the Information Security Management System (ISMS). Similar to the Quality Management System (QMS) required for ISO 9001, an ISMS is a prerequisite for any organization seeking ISO 27001 certification.
If you search online for "ISMS" hoping for a simple answer, you will instead find a multitude of consultants and tool vendors eager to market their offerings. Many of these options cater to larger organizations and may overwhelm smaller entities in both effort and expense.
Instead, I recommend a straightforward approach to developing your ISMS: employ common sense. Familiarize yourself with the standard, assess the necessary steps to ensure compliance, and implement them accordingly. It may sound overly simplistic, but I assure you it’s feasible. Follow along for a step-by-step account from a small 30-person B2B SaaS firm.
Section 1.1: Step 1 - Familiarize Yourself with ISO 27001
Reading standards is rarely enjoyable, but the ISO 27001:2013 standard includes Annex A, a list of reference controls covering every aspect of the standard. Annex A provides the concrete requirements you must be able to demonstrate before your audit.
Annex A will serve as your roadmap for the upcoming phases.
Section 1.2: Step 2 - Determine the Scope of Your ISMS
The next task is to define the applicability scope of your ISMS. With the requirements from Annex A in hand, you can identify which requirements are pertinent to specific areas of your organization.
It may not always be necessary to implement every requirement from Annex A. For instance, if your business doesn’t involve software development, you could disregard some or all requirements in A.14. Conversely, if you do develop software, it’s crucial to pay particular attention to those requirements.
Additionally, depending on your organization’s circumstances, you might opt to limit your ISO 27001 certification to a specific location or department. While this may not be the most common practice in startups or SMEs, it is an option provided by the standard.
Section 1.3: Step 3 - Create a JIRA Board for Non-Compliances
Armed with the knowledge of ISO 27001 requirements and a defined scope, the next step is to address any non-compliances. Resist the urge to draft your ISMS just yet — doing so may result in redundant work.
At our company, we foster a culture of pragmatic tool utilization, employing JIRA for task management. We set up a JIRA board to track all non-compliances that needed resolution prior to obtaining our initial ISO 27001 certification.
Section 1.4: Step 4 - Address Non-Compliances with Practicality
As evident from our JIRA board, most non-compliance issues have been resolved — the initial certification audit is now behind us! That said, a few minor tasks remain due to non-conformities identified during the audit.
I want to alleviate concerns regarding minor non-conformities; having a few is perfectly normal during a certification audit, and you’ll typically have a full year to resolve them. Startups and SMEs should prioritize effectively, and it’s acceptable to have minor non-conformities during the audit process.
We tackled our non-compliance issues using existing IT tools. Here’s a glimpse of our toolset:
- JIRA
- Google Identity Platform (including 2FA and SSO)
- Google Drive
- LastPass Enterprise
- AWS CloudWatch
- PagerDuty
- Ubiquiti Network Console
As you can see, it’s not as complicated as it seems. Relying on common sense can lead you toward your goals quickly and without excessive costs.
Chapter 2: Establishing Your ISMS
The first video titled "How to Implement ISO 27001:2022 Like a Pro – Step-by-Step Guide" offers insights into the practical steps necessary for ISO 27001 implementation.
Section 2.1: Step 5 - Select Your ISMS Documentation Tool
Now we get to the heart of the matter. Before you dive into drafting your ISMS in tools like Word or Confluence, consider a few key points.
First, ensure that only authorized personnel within your organization can modify your ISMS. Therefore, utilizing a tool with controlled workflows for ISMS documents is advisable.
Second, anticipate your ISO 27001 maintenance audits even before the initial certification audit. Based on my experience, auditors often ask, “What has changed in your ISMS since the last audit?” Thus, a tool that manages revisions and changes at a granular level is essential.
Lastly, since you’ll be using existing IT tools as mentioned earlier, choose an ISMS documentation tool that allows efficient linking. Since Annex A contains overlapping chapters, the ability to link and reuse content will save you significant time and effort.
In general, I advocate for a more modular documentation approach rather than relying solely on traditional documents and Excel sheets.
Section 2.2: Step 6 - Draft Your ISMS
Now it’s time to compile your ISMS and prepare for the certification audit. Our ISMS is divided into two primary sections:
- Information Security Management System: This section mirrors the structure of ISO 27001’s Annex A and outlines all implemented security measures.
- Information Security Principles: Here, we detail the fundamental principles guiding our information security practices and their application in daily operations.
Our documentation tool supports hyperlinks between documents and tracks revisions at a granular level.
Section 2.3: Step 7 - Achieving Certification
That’s it. Once you reach this stage, it’s time to contact your auditor for the stage 1 audit. This initial audit evaluates your readiness for the stage 2 audit (the certification audit) — essentially a trial run for the main event.
During the certification audit, be prepared to provide thorough documentation for every control listed in Annex A, and be ready to demonstrate both the policies and their practical implementations.
Remember, minor non-conformities are common during certification audits, and it’s crucial to address these within the given timeframe after the audit.
Section 2.4: Step 8 - Continuous Improvement
After the audit, the journey continues. To maintain your ISO 27001 certification, regular maintenance audits will be necessary. This is your opportunity to demonstrate that you have resolved previous minor non-conformities and showcase improvements made to your ISMS based on business needs.
We continue to utilize JIRA to monitor non-compliance issues and findings from internal, customer, and ISO 27001 audits, striving to resolve as many as possible before the next maintenance audit.
In conclusion, as I mentioned earlier, this process is not overly complex. By utilizing your existing tools and applying practical thinking, you can successfully navigate any audit.
The second video titled "ISO 27001 Like Never Seen Before: A Complete Implementation Guide" provides a thorough examination of the ISO 27001 implementation process.
Join my mailing list to stay updated on new articles related to information management, and consider downloading the complete eBook on accessible ISO 9001/27001 certification for startups!