In over your head?

At minimum you need to have the ISO standard you are certifying against. It’s rare they ask for it in an audit, but it is required. In the case of ISO 27001, you may also consider buying ISO 27002 for guidance on implementing your applicable risk mitigating controls

ISO/IEC 27001:2022

ISO/IEC 27002:2022

You need to figure out what you are certifying. Unfortunately, it sounds easier than it is. One thing to keep in mind is that the more processes you include, their complexity, and the number of in-scope personnel with not only play a factor in the implementation time but they are also used by the certifier to determine the number of audit days needed and how many auditors will be assigned. The best approach is to identify the objective of certification. Find a scope that meets this need, while keeping the other factors in mind.

Making a plan will help you identify all the required activities that need to be completed prior to certification. If done well, you should be able to estimate the time needed before booking your certification. There are many variable but for an average company with a moderate scope it should take about 6 to 8 months. There are ways to expedite this, but I wouldn’t recommend trying without assistance.

An Information Security Management System (ISMS) needs a sponsor. The sponsor needs to be in a high enough position to ensure the allocation of appropriate resources to success of the management system, and is of a high enough authority level to enforce the ISMS policies and procedures across the organization.

As a risk based standard, it important to understand the Information security risks that apply to you. A good understanding of these risks will help with decisions while implementing your Information Security Management System (ISMS).

Identifying your security objectives will help you along your path. The requirements for security objective start with your information security policy (section 5.2 b) and are carried through to section 6.2 “Information security objectives and planning to achieve them.” Less obviously, they carry over to section 9.1 where you’ll need to demonstrate how you monitor, measure, analize and evaluate these objectives.

SoA is short for Statement of Applicability. The Statement of Applicability (SoA) is a required document, it normally consists of a list of all the 27001 Annex A controls and justifications for inclusion or exclusion. within your ISMS based on scope.

Note: The SoA does not include the management clauses (Sections 4 - 10.2 of the standard). Management clauses can not be excluded they are all required.

Identify the roles and responsibilities, the logical structures and ensure that we have taken into account the Plan-Do-Check-Act model that will ensure the continual improvement and maturity of the management system.

There are differing opinions in the consulting community on the use of as ISMS Manual. At Berbridge, we have seen the value of such a document and highly recommend establishing an ISMS manual to formally address the standard’s Management Clauses (Sections 4 - 10.2). In our experience, this approach greatly facilitates and de-stresses the audit process.

Ensure you address the training and awareness needs comprehensively and keep evidence.

You should have proof of:

• Competencies for the ISMS team.

• Security Awareness Training for all in-scope personnel

Ok, this last tip may be a blatant plug for Berbridge; however, hear us out. We want you to succeed, but we also know that the best chance of that would be to work with an expert in this subject. If you’re interested, we would love to spend some time with you and discuss your situation.

Click here to setup a FREE no obligation 30-min Strategy Session.