As one of the most respected frameworks internationally, ISO 27001 is an optimal certification for companies looking to bolster their information security and build customer trust.
However, getting ISO 27001 certified isn’t exactly a walk in the park.
There are many hours and weeks ahead of you as you begin your certification process. The things worth having don’t always come easy, right?
To make preparing for ISO 27001 certification, and thus your job, easier, we’ve created a step-by-step, interactive ISO 27001 checklist. It includes all the major and minor tasks you’ll need to complete as you seek certification.
While it would be nice to snap your fingers and become ISO 27001 certified, the certification process requires a good deal of time.
The certification timeframe will depend on the size of your company and the complexity of the data you keep.
A small- to medium-sized business can expect to take about four months to become audit-ready and roughly six months in total to get through the audits. Larger organizations might require more than a year.
While this checklist serves as an overview of the steps to becoming ISO 27001 compliant, this process will look different for each company. Factors like the size of a company or the maturity of their risk management strategies may affect these steps.
Ready to get started? Below, we walk you through each step of the ISO 27001 implementation process so you can check off every item on the checklist.
First, gather a dedicated team to oversee and own the ISO 27001 process.
This team will determine the scope of the certification process, create information management practices and policies, gain buy-in from stakeholders, and work directly with the auditor.
Depending on the size of your organization and the scope of the data you manage, you may be able to have just one person lead the project, or you may need a larger team. It can be helpful to appoint one lead project manager to oversee ISO 27001 and let them build a team around them.
Some of the traits to look for in the ideal ISO 27001 project manager are:
There’s a good chance your company already has an ad hoc system of information management in place. However, that type of information management isn’t going to cut it during an ISO 27001 audit.
In short, an information security management system, or ISMS, is the framework a company uses to manage information and risk. An ISMS consists of policies and procedures that spell out exactly how information will be stored and managed.
There are three pillars of an ISMS: people, processes, and technology.
ISO 27001 is the international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS. It tells you what a compliant ISMS must do; its companion standard, ISO 27002, provides implementation guidance for the individual controls.
We break down how to determine ISMS scope in three steps:
After you’ve determined your ISMS scope, you’ll need to create the scope statement of your ISO 27001 certificate. You’ll outline what’s in scope and out of scope related to products and services, locations, departments and people, technology, and networks.
It’s important to note that your ISMS is not static. As your company evolves, new processes and departments may be introduced. When this happens, it’s important to revisit your ISMS and make adjustments as needed.
Two big parts of the ISO 27001 process are documentation and sharing those documents internally. Doing so will help keep you accountable and build a foundation for establishing, implementing, maintaining, and continually improving the ISMS.
When creating your documents, you can customize policy templates with organization-specific policies, processes, and language.
Include information or references to supporting documentation regarding:
The next step in your ISO 27001 checklist is to conduct an internal risk assessment. This will identify potential risks to data security and judge the severity of those risks.
Similar to how you identified where all your data is stored in step two, you’ll do the same for risks your organization faces. After compiling a list of risks, determine the likelihood that these risks could occur.
Then, evaluate the potential impact of all identified risks. Think not only in terms of business continuity but also the financial impact a risk poses to your organization.
Using a risk matrix, which plots each risk's likelihood against its impact, is a helpful way to identify the most important risks your organization faces. Here's an example of how that process could look.
After ranking risks, decide how to treat each one (mitigate, transfer, avoid, or accept) and record those decisions in a risk treatment plan. Assign each treatment to a named owner and track it to completion.
Familiarize yourself with the controls of Annex A: 114 controls across 14 domains in the 2013 edition of the standard, consolidated into 93 controls under four themes in the 2022 edition. You can think of Annex A as a reference set of controls from which you select the ones that address your organization's identified risks.
Once you’ve selected the controls that best address your identified risks, you can then create a Statement of Applicability (SoA).
The SoA lists every Annex A control and states whether it is applicable, the justification for including or excluding it, and whether it has been implemented. Together with the risk treatment plan, it documents what actions will be taken to address your risks.
After identifying risks and developing risk management processes, you can begin implementing the information security management system (ISMS) policy. This policy is a high-level overview of how your organization approaches information security.
The ISMS is at the heart of ISO 27001. The standard sets out the requirements an ISMS must meet to protect information from threats and vulnerabilities. Organizations often turn to the Plan-Do-Check-Act (PDCA) cycle to help them put an ISMS in place and keep improving it.
Here’s a look at what the PDCA method looks like in practice:
Comb through ISO 27001 clauses 4-10 and the Annex A controls to ensure you’ve met all the requirements. Continue to perform ongoing effectiveness monitoring of your ISMS rollout.
This is also the point at which you should begin informing employees of any new procedures related to the ISMS that may impact their day-to-day duties. Share policies with employees and track that they’re being reviewed.
Hold regular trainings for employees to familiarize them with ISO 27001 and the company’s ISMS.
Go over terms related to ISO 27001 that may be new to them and highlight the importance of becoming certified.
This is also a time to define expectations for staff regarding their role in ISMS maintenance. Educate employees on what may happen should the company fall out of compliance with data security requirements.
This will help highlight the importance of your ISMS and plant the seed of security awareness in your team.
If there’s one word you’ll hear over and over again when it comes to ISO 27001 it’s this: documentation. The more documentation you do prior to the audit stages, the better.
Now is the time to prepare all ISO 27001 required documents and records for reference during the audits.
Once your ISMS is in decent shape, plan an internal audit to see where your company lands on the path to certification.
Choose an auditor who is independent of the areas being audited, whether a staff member from outside those functions or an outside firm, so the results are objective. When the audit is complete, record and remediate the internal audit findings before scheduling the Stage 1 audit.
Select an accredited certification body to conduct the Stage 1 audit. In this audit, their auditor reviews the documentation required for ISO 27001 certification, including your scope statement, policies, risk assessment, and Statement of Applicability.
Once they’ve finished going through all the documentation, they will identify any gaps or places where your ISMS fails to meet the ISO 27001 standard.
At this point your auditor will perform tests on your ISMS to evaluate its implementation and functionality. They will also see how your ISMS stacks up against applicable Annex A controls.
The point of this audit is to confirm that the ISMS documented and reviewed in Stage 1 is actually implemented, operating, and followed company-wide.
Take all findings from the auditor to heart. Once all major nonconformities have been addressed, the certification body will send a draft ISO 27001 certificate to the organization for review.
The company then confirms the details (such as the scope statement and legal entity name) and requests any minor corrections before sending it back. Then the certification body issues the certificate, and your ISO 27001 certification is official.
Becoming ISO 27001 certified isn’t the final step. To maintain continuous compliance with ISO 27001, your organization must commit to ongoing audits and assessments.
An ISO 27001 certificate is valid for three years. During that time, your certification body conducts a surveillance audit each year to confirm the ISMS hasn't lapsed, followed by a full recertification audit before the certificate expires.
Here are additional steps to take to ensure compliance:
Your ISMS will go through changes after ISO 27001 certification. When you change your software providers or you’re working with new suppliers, this may require revising your ISMS.
Your ISO 27001 team should be updating your ISMS as needed and documenting each change. Additionally, any threats to your ISMS that were identified and remediated need to be documented.
This will not only make your next certification process easier, but will highlight nonconformities that may impact the overall security of your data.
If this process seems a little grueling, that’s because it is.
However, organizations like Secureframe make this process much simpler. We streamline the ISO 27001 audit process, saving you hundreds of hours and thousands of dollars.
We have partnerships with dozens of auditors and can match you with an auditor that’s already well-versed in your industry. We also provide access to ISO 27001 experts that can walk you through all of the intricacies that trip up many businesses on the path to certification.
Simply put, Secureframe has your back throughout every step of the ISO 27001 process. To find out how we can help you, request a demo today.