Board of Directors Requirements: ISO 27001 Compliance

Being an ISO 27001-certified organization is a huge step toward bolstering your company’s information security system and mitigating exposure to cyberattacks. So, as a board administrator, how can you ensure your organization achieves ISO 27001 certification?

1. Prepare

First things first; have a clear understanding of the ISO 27001 standard, its background, and requirements. A few tips to help you prepare include: 

• Reading IT Governance USA’s green paper about the standard and how to get started
• Purchasing a copy of the ISO standard
• Taking an online introductory training course on ISO 27001

Appoint an ISO 27001 Expert

Understanding the ISO 27001 standard is just the first step. You need to identify an expert within your organization who is competent and seasoned in implementing ISO 27001 requirements on an organization-wide scale.

Secure Senior Management Support

No company project can be implemented successfully without the support of the top management. Conducting a gap analysis to determine the current state of your company’s ISMS is a great start, as it enables you to identify any areas that need improvement to craft an action plan that provides clear guidance on how to meet the ISO 27001 standard requirements.

2. Create the Context, Scope, and Objectives

It’s critical to know the project and ISMS objectives, including the project’s costs and timeline. You’ll need to gauge whether you’ll outsource external support or leverage an in-house information security department. 

A good alternative to maintaining control of the ISMS project is to hire the services of a dedicated internet-based mentor at critical stages of the project. The advantage of an online mentor is that it saves you the costs associated with using full-time consultants throughout the project’s duration. 

You also need to determine the ISMS’s scope. Do you plan to deploy the ISMS throughout the organization, a specific department, or a geographical location? When determining the scope, consider the context and the needs of other stakeholders, such as employees, shareholders, government, regulatory agencies, etc. 

3. Create a Management Framework

Achieving an ISO 27001 certification requires a management framework. A structured implementation process provides the procedures a company needs to follow to achieve its ISO 27001 implementation goals. These processes include:

• Checking the accountability of the ISMS system
• Scheduling of activities
• Auditing to ensure the sustainability of the system

   

4. Assess the Risks

Although ISO 27001 doesn’t outline the procedures for risk assessment, you need to conduct risk assessments to formalize the implementation process. Therefore, develop and document your ISMS policies and procedures, including policies for risk assessment and treatment, information security controls, and incident management.

5. Mitigate Risks

Following a successful risk assessment, the board must decide whether to treat, work with, terminate, or transfer the risks. It’s crucial to document how you respond to those risks because that’s one of the things auditors seek before issuing an ISO 27001 certificate. In fact, a company must present two mandatory risk-assessment documents during registration. These include:

• Statement of Applicability (SOA)
• Risk Treatment Plan (RTP)

   

6. Conduct Training

The ISO standard requires companies to establish employee awareness programs to keep staff aware of information security throughout the organization. Therefore, train your employees and provide the necessary information security controls to ensure everyone within the company is aware of your ISMS deployment. 

It also requires implementation strategies that encourage good habits among the employees. That may include a clean desk policy and encouraging them to shut down their computers once they complete a task.

7. Review and Improve the Required Documentation 

You need documentation to support your ISMS implementation procedures, policies, and processes. The only caveat is that processing these documents can be a daunting task. Fortunately, you can easily access documentation templates to alleviate the hassle. 

Basically, the ISO Standard requires the following documentation:

• The ISMS Scope
• Information security risk management procedure
• Information risk treatment process
• Information security policy
• The Statement of Applicability (SOA)
• Information security goals/objectives
• Evidence of competence
• Operational planning and control
• Outcomes of the information security risk assessment 
• Outcomes of the information security risk treatment 
• Evidence of tracking and measurement of the results
• A documented internal audit procedure
• Evidence of the audit strategy and results 
• Evidence that the management reviewed the results
• The nature of any non-conformities and the subsequent action plans
• Evidence showing the results of the actions taken
• Organization-approved documents on the effectiveness of the ISMS

   

8. Measure, Monitor, and Review

The ISO 27001 standard is designed to support an ongoing improvement process. Hence, the board must identify improvements that can enhance the existing processes and constantly measure, monitor, and review the effectiveness and compliance of your ISMS. 

9. Carry Out an Internal Audit

One requirement when applying for ISO 27001 certification is a documented internal audit process. It goes without saying you’ll need to conduct internal audits at regular intervals, as it provides practical working knowledge for the implementation and maintenance of ISO 27001 compliance. However, it’s worth noting that registration audits for ISO 27001 certification can only be undertaken by an independent registrar certified by the relevant accreditation agency.

10. Registration Audits

Once you’ve submitted your registration documents, a certified ISO 27001 auditor will conduct an on-site audit to verify that your ISMS meets the Standard’s requirements. They’ll also identify nonconformity areas and recommend ways you can improve the information management system. 

The time it takes for your organization to receive the ISO 27001 certification depends on various factors, such as the size and complexity of the ISMS infrastructure. Generally, SMBs can expect to complete the registration process within six to 12 months.