Steps to Get ISO 27001 Certification

ISO 27001 Certification Details

ISO 27001 is an international information security standard developed by a joint committee formed by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC 27001:2013 is the complete name of this standard since the latest version was published in the year 2013 (with a few minor changes made in 2017). Having the ISO 27001certification in India automatically implies that the organisation is following the best practices relating to the Information Security Management System (ISMS).

Objective Of ISO 27001

At its core, the primary objective of ISO 27001 is to ensure that the information of the organisation has the following attributes:

• Confidentiality: Access to the data is given to authorised personnel
• Integrity: No unauthorised changes can be made to the data.
• Availability: The correct data is available to the authorised users as and when they request it.

Is ISO 27001 Certification Mandatory?

The ISO 27001:2013 certification is not mandatory. However, the laws of some countries may mandate its applicability depending on the industry that an organisation operates in.

Domains Of ISO 27001

The ISO 27001:2013 standard consists of the following 14 domains within which controls are prescribed:

1. Information security policies
2. Organisation of information security
3. Human resource security
4. Asset management
5. Access control
6. Cryptography
7. Physical and environmental security
8. Operations security
9. Communications security
10. System acquisition, development and maintenance
11. Supplier relationships
12. Information security incident management
13. Information security aspects of business continuity management
14. Compliance

How To Get The ISO 27001:2013 Certification?

An accredited certification body has to be appointed by the organisation. This body will audit the system to issue the certificate. The procedure will consist of the following steps:

Application Review

Under the guidance of the certification body, the organisation has to initiate a gap analysis. In this, the organisation and its employees understand the requirements of the standard and check whether they comply with the international best practices. The necessary documentation is prepared, and the internal audit team is trained specifically to check whether the requirements of the standard have been followed. The management will then review the pros and cons of the existing system and prepare a program to improve the system continuously.

Initial Certification – Stage 1 Audit

In this stage, the certification body will mainly focus on the documentation of the organisation. The organisation will have to ensure that the prescribed documentation has been prepared and the necessary records are maintained.

Initial Certification – Stage 2 Audit

Based on the findings and observations in the Stage 1 Audit, the organisation will have to demonstrate to the certification body that the necessary controls and systems are in place. Generally, a walkthrough of the processes is arranged.

Certificate Decision

If the certification body is satisfied that the requirements of the standard have been met, it will issue the ISO 27001:2013 certification. This certification will be valid for three (3) years, subject to continuous assessment visits.

Continual Assessment (Surveillance audit)

Once in 12 months, the certifying body will conduct a routine audit to ensure that the requirements of the standard are not compromised.

Renewal Audit

After the validity period of three (3) years has expired, the certifying body will again conduct a comprehensive review which may or may not include the Stage 1 Audit. The renewal audit may result in the suspension, withdrawal, extension or reduction of the scope of the certification.

Documents Required For ISO 27001 Certification

The certifying body usually provides a list of documents. The most commonly asked documents are:

• Organisation structure
• ISMS manual
• Personnel details
• Responsibilities and duties of employees
• Internal audit report
• Management committee review meeting report
• IS policy and objective
• Risk assessment and treatment plan
• SoA controls

Benefits Of The ISO 27001 Certification

Some of the benefits of getting the ISO 27001:2013 certification are listed below:

• Based on the views of an independent third party, stakeholders can be assured that the organisation is following international best practices.
• A formalised system helps to identify risks and also implement the appropriate risk mitigation strategy in time.
• Customer satisfaction increases since they are assured that their data remains confidential and secure.
• Investors confidence in the performance of the organisation
• Security-conscious culture will be prevalent throughout the organisation.
• Regulatory compliance requirements will be consistently met.
• Information assets will be safeguarded against a majority of threats.
• Avoidance of information security accidents will help in cost-saving.
• Continuity of business operations can be