Maintaining Your ISO 27001 Certification
Soumya Ghorpade

Maintaining ISO 27001 certification requires conducting regular internal audits and gap analyses, documenting those activities, and keeping all of the resulting evidence in an indexed review, audit or gap-analysis file or in a Document Management System.
Before the Stage 2 (implementation) audit can proceed, any major nonconformities must have an accepted corrective action plan and evidence that the correction has been made, together with a demonstrable commitment to continual improvement.
1. Prepare for the Audit
Reaching ISO 27001 certification is a significant accomplishment that shows competitors, clients and partners that you take information security seriously. Once achieved, however, it is not a one-off: the certificate is only kept through regular reviews and audits.
Your program must therefore include periodic internal audits and gap analyses, and a process for responding to the findings in each audit report. The controls selected in your Statement of Applicability must also actually be in place and operating, not just documented.
The second step is the certification audit itself, carried out by an accredited certification body. It has two stages: a review of your ISMS documentation (Stage 1) and an on-site assessment of how your policies and procedures operate in practice (Stage 2).
2. Documentation
The auditor will examine your ISMS documentation during the audit, and you must make sure it is complete: policies, procedures and the associated records for incident management and performance monitoring must all exist and be retrievable.
Your organization may need more documentation than is listed here, which is perfectly fine: the standard is not prescriptive about format or volume. You should still know the mandatory documentation requirements and understand any additional records your own ISMS commits you to.
For example, your ISMS might require daily system backups; if that backup is occasionally missed, an auditor could treat this as a minor nonconformity and record the discrepancy as such.
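The daily-backup example above is the kind of requirement an internal audit should check before the external auditor does. The script below is an added example, not code from the original article; it assumes a hypothetical backup job log with one line per run in the form `<ISO date> <system> <status>`, and the sample log is constructed for illustration. It reports every day in the audit window on which a system has no successful run, which is exactly the evidence (or the nonconformity) an auditor would look for.

```python
"""Check a backup job log for days with no successful backup.

Added example (not from the original article). The log format
("<ISO date> <system> <status>") is a hypothetical one, and the sample
log below is constructed for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample log: three systems over seven days, with two gaps
# (web01 failed on 03-02, files01 has no run at all on 03-04).
SAMPLE_LOG = """\
2024-03-01 db01 SUCCESS
2024-03-01 web01 SUCCESS
2024-03-01 files01 SUCCESS
2024-03-02 db01 SUCCESS
2024-03-02 web01 FAILED
2024-03-02 files01 SUCCESS
2024-03-03 db01 SUCCESS
2024-03-03 web01 SUCCESS
2024-03-03 files01 SUCCESS
2024-03-04 db01 SUCCESS
2024-03-04 web01 SUCCESS
2024-03-05 db01 SUCCESS
2024-03-05 web01 SUCCESS
2024-03-05 files01 SUCCESS
2024-03-06 db01 SUCCESS
2024-03-06 web01 SUCCESS
2024-03-06 files01 SUCCESS
2024-03-07 db01 SUCCESS
2024-03-07 web01 SUCCESS
2024-03-07 files01 SUCCESS
"""


def parse_log(text):
    """Return {system: {date: status}} from the hypothetical log format."""
    runs = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        day, system, status = line.split()
        runs[system][date.fromisoformat(day)] = status
    return runs


def find_missed_days(runs, systems, start_iso, end_iso):
    """Return {system: [ISO dates]} for days with no SUCCESS run.

    A FAILED run and a missing run are treated alike: neither satisfies
    a 'daily backup' requirement. Days are inclusive of both ends.
    """
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    missed = {}
    day = start
    while day <= end:
        for system in systems:
            if runs.get(system, {}).get(day) != "SUCCESS":
                missed.setdefault(system, []).append(day.isoformat())
        day += timedelta(days=1)
    return missed


def evidence_summary(runs, systems, start_iso, end_iso):
    """Per-system counts an auditor can verify: required, missed, which days."""
    missed = find_missed_days(runs, systems, start_iso, end_iso)
    required = (date.fromisoformat(end_iso) - date.fromisoformat(start_iso)).days + 1
    return {
        s: {
            "required": required,
            "missed": len(missed.get(s, [])),
            "missed_days": missed.get(s, []),
        }
        for s in systems
    }


if __name__ == "__main__":
    runs = parse_log(SAMPLE_LOG)
    summary = evidence_summary(runs, ["db01", "web01", "files01"],
                               "2024-03-01", "2024-03-07")
    for system, row in summary.items():
        print(system, row)
```

Run it against an export of your real backup tool's job history, over the period since the last audit, and file the output in the audit evidence folder; systems with zero missed days are your evidence of conformity, and any others are nonconformities you can raise and correct before the external auditor finds them.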
3. Training
An effective training course will help you understand the standard clause by clause. This matters because misinterpretation of a requirement is one of the leading causes of nonconformities found during audits.
Certificates are valid for three years. Within that cycle the certification body carries out surveillance audits (typically annually) and, before the certificate expires, a full recertification audit. The recertification audit covers the management-system requirements in clauses 4-10 and the Annex A controls you have selected in your Statement of Applicability.
At this stage it is crucial that you train your internal auditors. Consider enrolling in PECB's ISO 27001 Lead Auditor Training Course as a starting point.
4. Risk Assessment
Risk assessment is an integral component of information security. It identifies threats to your information assets, estimates their likelihood and impact in the context of your business activities, and serves as the foundation for selecting the controls that reduce those risks.
Documenting your risk assessment process is of utmost importance: auditors will look for the procedure itself, the resulting risk assessment reports, and the metrics you use, and will check that the controls you have selected trace back to identified risks.
An effective risk assessment is carried out with a group of knowledgeable people familiar with your specific environment, so that the analysis is impartial and complete rather than one person's view.
5. Policies
As with the other mandatory clauses, your organization must demonstrate that it complies with the policies ISO 27001 requires. These policies set out how the information security program is managed and how controls are to be implemented.
Alongside the policies, you must document your Statement of Applicability and Risk Treatment Plan, and make the policies available to the staff they apply to. Your auditor will examine these records to verify that day-to-day practice adheres to the policies.
Your auditor will also look for evidence that the ISMS reduces risk to an acceptable level: that incidents are reported and corrected, and that the residual risk remaining after treatment is within the acceptance criteria your risk assessment defines.
6. Procedures
Your certification auditor will want to check that your policies actually operate in practice, partly through observation and interviews with employees, but mostly by reviewing records such as logs, risk assessments and the Statement of Applicability.
Before an ISO 27001 certificate is issued, the certification body produces a final report confirming that your information security processes meet the standard. If any major nonconformities have been found, corrective action plans and monitoring must be in place to address them before certification can proceed.
7. Controls
Once your policies and procedures have been documented, it's time to ensure they are being implemented successfully. The Stage 2 audit, and later the surveillance and recertification audits, go beyond the documentation to assess how effectively the ISO 27001 requirements have been put into action in your business.
As part of the audit, you will need to demonstrate that your organization has implemented and operated its ISMS in line with Annex A of the standard, covering various controls such as