Steps to ISO/IEC 27001 Certification

1. Learn About ISO/IEC 27001

You will need to understand ISO/IEC 27001 to help you know what you need to do in your company to meet the requirements of the standard.

• Learn about the standard:
• What is ISO/IEC 27001?
• What is an ISMS?
• Requirements of ISO/IEC 27001
• ISO 27000 Family of Standards Explained
• Who is ISO?

• Buy a Copy of the ISO 27001 Standard

• If you are contemplating ISO 9001 also, read these:
• Combine ISO 9001 and ISO 27001
• Compare ISO 9001 and ISO 27001
• Training Materials
• ISO 27001 Powerpoints
• Benefits of ISO 27001
• Requirements of ISO 27001 Powerpoint
• ISO 9001-27001 Integration PowerPoint

2. Perform Initial Information Security Review & Gap Analysis

Perform a Gap Analysis to determine where you need to change your existing ISMS.

• Buy ISO/IEC 27001 Gap Analysis Checklist
• Find a Consultant to perform Gap Analysis

3. Plan Your 27001 Implementation Project

Create a Project Plan to determine your tasks, timeline, and resources.

• Compare Products that help you integrate an ISMS into your organization

4. Educate Your Organization on 27001

All of your employees will need to be trained to work with the ISO/IEC 27001 ISMS System.

• Employee Presentation & Training Materials
• ISO 27001 Employee Training PPT
• ISO 27001 Online Employee Training
• ISO 27001 Implementation Products

5. Design & Document Your 27001 Information Security Management System

Design and document your ISO/IEC 27001 ISMS Manual and Procedures. The biggest portion of the project is looking at your current processes, and redesigning them to address all of the requirements of the standard. Once you have modified or developed processes to meet the standard, you will need to control those processes. Documenting the processes as Information Security Management System procedures is part of this control.

• ISO/IEC 27001 Documentation Requirements
• ISO/IEC 27001 Information Security Management System Templates – These templates will save you time and money versus creating them on your own. Best of all, they include FREE Support!

6. Use & Improve Your 27001 ISMS

Once your system is developed and documented, employees will follow the procedures, collect records and make improvements to the system. For approximately three months or more, your organization will run the ISMS, collecting records.

• Clause 10.0 Improvement of the ISMS

7. Audit the 27001 ISMS Performance

Use and improve your ISMS: Is it working? You will conduct internal audits to see how your system is working and find ways to improve it. This prepares you for an Audit by a Registrar.

• ISO/IEC 27001 Internal Auditor Training Materials
• ISO/IEC 27001 Internal Audit Checklist

8. Achieve 27001 Registration

To get your Registration, typically you will select a Registrar and they will come and perform your registration audit, and then regular surveillance audits thereafter. During these audits, the Auditor will be looking at your ISMS to make sure that it meets the requirements of the standard. If they find that there are pieces of your ISMS that do not meet the requirements, they will document a “Nonconformance.” Your registration will be dependent on you correcting any nonconformances that are found.

There are three types of conformance for ISO 27001:

1. Internal efforts to create an ISMS that meets ISO/IEC 27001 requirements
2. Self-declaration of conformance
3. Third party verified registration