5 Tips for Preparing for ISO 27001 Certification From Real Auditors

April 12, 2023

Anna Fitzgerald

Senior Content Marketing Manager at Secureframe


Cavan Leung

Senior Compliance Manager at Secureframe

Preparing for ISO 27001 certification involves a lot of moving parts. Are all of your policies and documents in order? Do you have proper evidence that your ISMS meets all compliance requirements? Did you address all the necessary aspects of risk management?

To help, we asked former ISO lead auditors for their proven insights and best practices for preparing for and undergoing the ISO 27001 certification process.

You can read them below or watch the webinar recording featuring Cavan Leung, Secureframe compliance manager, and Tom Rozen and Elad Motola, the CRO and COO at Consilium Labs.

Certification for ISO 27001

ISO 27001 involves a certification process to become officially compliant. The certification process includes an audit that must be performed by an accredited audit firm, also known as a certification body.

The stages of ISO 27001 certification are as follows:

  • Year 1 - Initial certification audit: This is the first time an organization will go through ISO 27001 certification. This audit is split into a “Stage 1” and “Stage 2” within the same year and encompasses 100% of the ISO 27001 requirements. Once the organization successfully passes the Stage 2 audit, it obtains its ISO 27001 certificate. This certificate is valid for three years, pending annual surveillance audits. 
  • Years 2 and 3 - Surveillance audit: At this stage, ISO 27001 is already established in the organization. The auditors will typically audit all the ISMS framework requirements and a sample of Annex A controls to ensure the ISMS is still effective and being properly maintained. 
  • Year 4 - Recertification audit: This is when the ISO 27001 certificate is about to expire. During a recertification audit, auditors will assess the ISMS and make sure all ISO 27001 requirements are in place in order to recertify the organization for another three years.

[Figure: Stages of the ISO 27001 audit process outlined in a flowchart]

How to prepare for ISO 27001 certification

Below are ways to address common challenges and pain points that organizations face when preparing for and completing the ISO 27001 certification process. 

1. Expect to participate in the ISO 27001 audit process.

ISO 27001 certification audits are more interactive than many organizations expect, especially if it’s their first time undergoing the audit.

After the Stage 1 documentation review, the ISO 27001 auditor will need to validate their findings through a series of interviews. For example, Annex A control A.5 involves information security policies. During stage 1, the auditor will review policy documents and evidence of employee review/acceptance. During stage 2, the auditor will interview management and other key stakeholders to verify that there is a regular process in place to disseminate, review, and update policies within the organization.

Below are some common questions that clients can expect to receive from their auditors during these interviews.

  • Interested parties: If you submitted a generic list, the auditor will likely ask you to be more specific when listing the interested parties that are relevant to the customer.
  • Context of the organization: If internal and external issues are not defined, the auditor will likely ask you to define them using the risk assessment process.
  • Labeling: If you do not label your policies and procedures according to a predefined classification matrix, the auditor will likely ask you to do so.

How can Secureframe help?

Secureframe can help minimize and ease these interactions between you and your auditor. It provides all the necessary ISO 27001 policy templates that you can customize for your unique organization. It also allows you to review, update, and disseminate these policies for employees to review and accept all in one dashboard.

Your dedicated Secureframe compliance manager can also help assist with the validation process, answer any questions that arise about scoping or other parts of the process, and facilitate any additional evidence request that your auditor may have.

2. Get management involved.

Auditors are required to validate that leadership has taken ultimate responsibility for building and maintaining an effective ISMS. That includes allocating appropriate time and resources for monitoring and improving the ISMS over time. This is a mandatory requirement of ISO 27001.

How can Secureframe help?

The Secureframe platform offers continuous monitoring and real-time alerts on non-conformities so your organization can monitor, measure, and improve your ISMS over time and take corrective actions as needed. The platform also allows you to assign controls and tests to individuals and get notifications when these are failing or need to be repeated.

This will help you meet the ISO 27001 requirement for management review, as well as other requirements. 

3. Understand your risk management strategy.

Organizations should understand how the Statement of Applicability, risk register, vulnerability assessment/pen test, and other documentation relate to each other and work together to form their risk management strategy. This strategy is typically made up of the following four components to answer each of the questions below. 

  • Risk assessment: What risks does your business face? 
  • Pen test/vulnerability assessment: Are there any other vulnerabilities that contribute to your overall risk profile?
  • Risk register/Risk treatment: How do you plan to prioritize and mitigate those risks?
  • Statement of Applicability: What does that plan look like in practice? What specific controls will you implement and who will own them?

How can Secureframe help?

The Secureframe platform can help you throughout the entire risk management process. A risk management module is built in to allow you to identify and evaluate risks throughout your environment by answering a series of questions.

Once you answer these questions, the platform generates a risk register that allows you to monitor, manage, and mitigate risks in one place. You can also assign risk treatments and mitigation steps to risk owners to bring visibility and accountability to the entire organization. 

Also, the platform can automatically generate a Statement of Applicability based on applicable controls that you select so you don’t have to write one from scratch. 

4. Understand the requirements of internal audits.

Unlike the certification review, which is completed by an accredited external auditor, the ISO internal audit can be conducted in-house or by a third-party consulting firm. The results of these internal audits help organizations improve the ISMS over time and ensure it satisfies the requirements for ISO 27001 certification.

The ISO/IEC 27001 standard lays out the requirements for an internal audit in clause 9.2. This clause requires that internal audits: 

  • Are conducted at planned intervals 
  • Determine whether the ISMS meets the organization's own standards as well as ISO 27001 requirements
  • Are documented as part of a formal audit program
  • Are completed by an independent and impartial internal auditor (i.e., not by someone who has a level of operational control or ownership over the ISMS, or who was involved in its development)
  • Include audit results that are reported to management and retained as part of the organization’s records

How can Secureframe help?

The Secureframe platform has an ISO 27001 report where you can see all the framework requirements, controls, associated tests, policies, and evidence in one single place. This centralized view helps your organization have a smooth internal audit process, no matter whether you’re doing it in-house or outsourcing it to a third party.

You won’t need to provide screenshots, set up configurations, or manually pull data and evidence. You’ll just need to integrate your cloud service provider and Secureframe will automatically pull that configuration data and compare it to the framework requirements. You’ll then see passing or failing tests in the Secureframe platform with actionable remediation tasks. This will show you how close you are to achieving ISO 27001 compliance and how to close any gaps. 

5. Properly scope the certification.

Before undergoing the ISO 27001 audit, the scope needs to be defined and the client needs to have a clear understanding of what their certification scope is. This can be challenging for organizations, particularly for those trying to get certified for the first time.

Organizations must account for all requirements defined in clauses 4-10, including both internal and external issues as well as physical assets such as data centers. This should be reflected in their ISMS scope statement.

For example, if your audit includes a data center, it is important that the audit plan contains the relevant controls and questions that will be checked during the audit itself. This helps ensure that the right evidence is prepared in advance.

How can Secureframe help?

The Secureframe platform can automatically keep track of your endpoint assets, cloud resources, and relevant code repositories. It also lets you filter compliance requirements in bulk, such as by in-scope endpoint assets, personnel, and relevant cloud resources.

The platform also has ISMS templates that cover all the relevant requirements of ISO clauses 4-10, including internal and external issues, interested parties, and scope. Your dedicated compliance manager can help you customize those templates and answer any questions about scoping your certification.  

Frequently asked questions about the ISO 27001 audit and certification process

Below are answers from lead ISO 27001 auditors to frequently asked questions about the ISO 27001 audit and certification process.

1. What needs to be covered in security awareness training to meet ISO 27001 requirements?

Cavan Leung: There are no prescriptive topics that ISO has outlined. It does require that all in-scope personnel relevant to your ISMS take security awareness training on a periodic basis. Personnel must also be aware of the ISO 27001 policies and procedures that are in place at the organization. 

2. How detailed does the internal audit need to be? Does it need to assess every control?

Elad Motola: Yes, the internal audit needs to cover all the mandatory and Annex A controls. This is for two reasons. One is to make sure you’re ready for the external audit. The second is because the ISO 27001 standard requires it. 

3. Do Secureframe customers typically perform internal audits internally or outsource them to a third party?

Cavan Leung: It depends on whether the organization can meet the requirements for internal audits in terms of impartiality and competence.

So if you decide to do an internal audit in-house, then you have to ensure the person doing it has some level of competence. They have to know how to audit and know information security, and preferably they have an ISO 27001 auditor certification. This person must also be impartial. So they can’t be involved with the implementation, maintenance, or any aspect of running your ISMS. If an organization doesn’t have a person that meets those criteria in-house, then typically they will outsource internal audit services. 

The size of the organization also affects this decision. Smaller organizations will typically outsource this because their team lacks the competency or impartiality to complete an internal audit. Small-to-medium-sized organizations and enterprises typically do and will therefore leverage someone on their team to complete the internal audit.

4. How does an ISO auditor audit your physical controls when you are 100% cloud-based?

Elad Motola: It depends on whether the client has an office and whether all employees are working remotely. If they are all working remotely, then most of the requirements will have to be marked as not applicable with a justification for that answer.

If the client does have an office but all employees are working remotely, the auditor is not required to conduct the audit on-site. They do need to review some of the physical requirements, however. They can do so by using a phone or a computer with a camera to review some of the physical aspects.

5. Is it possible that by using the Secureframe platform, a company can implement ISO 27001 without the help of a consultant? 

Cavan Leung: The short answer is yes. By leveraging the Secureframe platform, you’ll get a step-by-step process for certification as well as everything you need to implement all the necessary controls for achieving and maintaining compliance without needing to pay a consultant. 

How Secureframe can help you prepare for ISO 27001 certification

Secureframe streamlines ISO 27001 certification by optimizing aspects of the readiness process, including task management, evidence collection, security awareness training, and risk assessment and management.

Secureframe also optimizes aspects of the audit process by providing audit partners like Consilium Labs with a report view, evidence export, and simple dashboard.

This can help you get and stay ISO 27001 compliant with speed and ease. Schedule a demo to see for yourself.