ISO 27001 audit process in Australia
The process of implementing an information security management system (ISMS) that complies with the ISO 27001:2013 standard can prove to be quite an arduous task. This is why most organisations opt for the services of certification consultants such as Edara Systems.
Whether you have chosen to do it in-house or are considering hiring a consulting firm, you and your team will have to familiarise yourselves with this process to ensure effective implementation. To help you get started, we have put together the following best practice implementation tips.
Establish an implementation task force for the ISO 27001 process
The first order of business is to nominate a project manager to lead the ISMS implementation project. The project manager will also need an implementation team to assist them. Both the project manager and their team members must have a solid information security background. Their first action is to create the project mandate to answer these four key questions:
- What are we trying to accomplish?
- How long (time)?
- How much (money)?
- Is management on board?
Plan out your implementation of the ISO 27001 process
The next step is to plan for the actual implementation. The task force should expand on the project mandate and start developing the organisation’s information security plan and high-level policies to determine the roles and responsibilities, continual improvement methodology, and the communication strategy to raise awareness for the implementation project.
Initiate your ISMS
At this point, you should have chosen your preferred continual improvement methodology. The methodology you opt for is at your total discretion. The important thing is to make sure processes are clearly defined, properly implemented, reviewed, and improved consistently. We recommend the process approach method. Next, you should create the remainder of your document structure in the following order: policies, procedures, work instructions, and records.
What is the ISMS scope? The definition of ISMS scope
The next logical step is to define your ISMS framework further. This is a very important step, explained in further detail in clauses 4 and 5, where the magnitude of your ISMS and the level of implications it will have on your daily operations will be determined. In other words, the success of the entire ISMS implementation project relies on the correct definition of your scope.
Identifying your security threshold
A security threshold is the minimum level of security necessary for a business to be carried out safely and securely.
Implementing a risk management process: The ISO 27001:2013 standard leaves it at the applicant’s discretion to create their own risk management process, based on the threats identified and prioritised during the risk assessment. A risk management process consists of establishing a risk assessment framework, identifying risks, analysing and evaluating them, and finally choosing risk management options. A risk matrix is commonly used to illustrate risk acceptance criteria and security baselines.
Implementing a risk treatment plan: Implementing a risk treatment plan entails constructing the security controls that will safeguard your information assets. The effectiveness of the security controls is highly dependent on your employees’ ease of access to controls and their awareness of their information security responsibilities. It is also advised to build a process that identifies, reviews, and maintains the competencies required to fulfil the objectives of your ISMS.
Measuring, monitoring, and reviewing: The only way to find out whether your ISMS is running effectively is to put it through regular, pre-planned reviews so that you keep track of the health of your systems. This process involves reviewing measures that reflect the goals you first set in your scope definition. Internal audits should be conducted at regular intervals in conjunction with system reviews. These two work together to provide the elements that keep the continual improvement process going. For more information, please see the article What are the benefits of ISO 27001:2013?
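The following is an added example, not code from the original article or from Edara Systems, showing the risk management and risk treatment steps above as a small scored risk register: a 5x5 likelihood-by-impact matrix, acceptance criteria, a treatment option chosen per risk, and a residual-risk re-assessment after a control is planned. The scales, thresholds and sample risks are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace

# Assumed 5-point scales for the risk assessment framework
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed risk acceptance criteria on the 5x5 matrix (score = likelihood x impact)
ACCEPT_BELOW = 5    # 1-4: accepted, recorded and monitored
TREAT_BELOW = 15    # 5-14: treated via the risk treatment plan; 15-25: treated and escalated

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str

def score(risk: Risk) -> int:
    """Cell of the risk matrix the risk falls in, as likelihood x impact."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]

def rating(risk: Risk) -> str:
    """Evaluate the analysed score against the acceptance criteria."""
    s = score(risk)
    return "low" if s < ACCEPT_BELOW else "medium" if s < TREAT_BELOW else "high"

def within_acceptance(risk: Risk) -> bool:
    return rating(risk) == "low"

def treatment(risk: Risk) -> str:
    """Risk management option chosen from the evaluation result."""
    return {"low": "accept", "medium": "mitigate",
            "high": "mitigate and escalate"}[rating(risk)]

def residual_risk(risk: Risk, likelihood_after_control: str) -> Risk:
    """Re-assess a risk after a planned control reduces its likelihood."""
    return replace(risk, likelihood=likelihood_after_control)

# Constructed sample risk register (not real findings)
REGISTER = [
    Risk("customer database", "unpatched server exploited", "likely", "major"),
    Risk("staff laptops", "device theft, disk encrypted", "possible", "minor"),
    Risk("guest wifi", "casual eavesdropping on guest traffic", "rare", "negligible"),
]

def build_register() -> list[tuple[str, int, str, str]]:
    """Rows for the risk register: asset, score, rating, chosen treatment."""
    return [(r.asset, score(r), rating(r), treatment(r)) for r in REGISTER]

if __name__ == "__main__":
    for row in build_register():
        print(row)
```

The residual-risk check is the part the measuring and reviewing step relies on: a planned control that only moves a high risk to medium still leaves it outside the acceptance criteria and therefore still on the treatment plan.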
Sample questions for an ISO 27001 audit
ISO certification is not a single event but rather a gradual journey that takes place over multiple phases. The first step to implementing an Information Security Management System (ISMS) and getting ISO 27001 certified is deciding whether your organisation will benefit more from an ISO 27001 certification or a Security Operation Centre (SOC). The next step is to gain an understanding of the preparatory costs and the compliance requirements. However, irrespective of whether you use an ISO 27001 checklist or not, the entire certification process can be daunting, as there are multiple moving parts. The ISO 27001 checklist simplifies the process by pointing you in the right direction and guiding you with strategic questions. When business owners download the standard, they are overwhelmed because they do not understand what they should do first. An ISO 27001 checklist is extremely beneficial because it directs the information security team, giving them practical guidance on what they should do first and how they should prepare for the certification in an easy-to-follow, step-by-step format. For example, an ISO 27001 audit checklist will improve the efficiency of your process by streamlining the auditing phase, shortening the duration from years to a few months. Similarly, if you use an ISO 27001 compliance checklist, you will gain a bird’s-eye view of the requirements and the recommended steps, so that you can allocate resources accordingly.
Sample questions in ISO 27001 compliance checklist
- Is the scope of your ISMS relevant to the context of the organisation?
- What business areas would be covered by the ISMS and what are outside its boundaries?
- How are the stakeholders informed about the scope of the ISMS?
- What are the names and designations of the individuals in the ISMS governing body?
- Is your information security policy detailed and measurable with specific security objectives?
- Are customer requirements adequately researched, established and implemented?
- Has the information security management system been defined in a manual?
- Is the control of documents and data described in a procedure?
- How does the organisation retain information about the information security risk treatment process?
Certifying your ISMS, it’s done!
Now that your ISMS is fully implemented, the next step is to prepare for your external audit, which is conducted in two stages. Before taking this step, you should have enough confidence in your application’s chances of success to avoid wasting time and money. The initial audit enables the auditor to assess whether the ISMS you created is aligned with the ISO 27001:2013 standard requirements. If your ISMS checks out, the auditor will then conduct a more thorough assessment.
In choosing a certification body, ensure you conduct thorough research, including reviewing their accreditation, accreditation body, and other relevant bodies they may be members of.
Do not let cost be the only factor when determining which certification body to go with. Cost is certainly an important factor, but there are other, more important factors, such as whether the certification body has experience working with organisations from your industry. Do they know the business? Since your ISMS is particular to your organisation, the auditor reviewing it must be aware of the requirements that are unique to your industry. For more information, see the cost of ISO 27001 article.