ISMS LOGIC

Frequently Asked Questions

What are ISO 27001 requirements?

In order to earn an ISO 27001 certification, an organization is required to implement and maintain an ISMS that covers all aspects of the standard. After that, the organization can request a full audit from a certification body.

What does it mean to be ISO 27001 certified?

To be ISO 27001 certified means that your organization has successfully passed the external audit and met all compliance criteria. This means you can now advertise your compliance to boost your cybersecurity reputation and grow your client base.

How do you become ISO 27001 Certified?

The ISO 27001 certification process is typically broken up into three phases:

  1. The organization hires a certification body, which then conducts a basic review of the ISMS to look for the main forms of documentation.
  2. The certification body performs a more in-depth audit in which the individual components of ISO 27001 are checked against the organization’s ISMS. Evidence must be shown that policies and procedures are being followed appropriately. The lead auditor is responsible for determining whether the certification is earned or not.
  3. Follow-up audits are scheduled between the certification body and the organization to ensure compliance is kept in check.

How do you maintain ISO 27001 compliance?

An ISO 27001 task force should be formed with stakeholders from across the organization. This group should meet on a monthly basis to review any open issues and consider updates to the ISMS documentation. One outcome from this task force should be a compliance checklist like the one outlined here:

  1. Obtain management support for all ISO 27001 activities.
  2. Treat ISO 27001 compliance as an ongoing project.
  3. Define the scope of how ISO 27001 will apply to different parts of your organization.
  4. Write and update the ISMS policy, which outlines your cybersecurity strategy at a high level.
  5. Define the Risk Assessment methodology to capture how issues will be identified and handled.
  6. Perform risk assessment and treatment on a regular basis once issues have been uncovered.
  7. Write a Statement of Applicability to determine which ISO 27001 controls are applicable.
  8. Write a risk treatment plan so that all stakeholders know how threats are being mitigated. Using threat modeling can help to achieve this task.
  9. Define the measurement of controls to understand how ISO 27001 best practices are performing.
  10. Implement all controls and mandatory procedures as outlined in the ISO 27001 standard.
  11. Implement training and awareness programs for all individuals within your organization who have access to physical or digital assets.
  12. Operate the ISMS as part of your organization’s everyday routine.
  13. Monitor the ISMS to understand whether it is being used effectively.
  14. Run internal audits to gauge your ongoing compliance.
  15. Review audit outcomes with management.
  16. Set corrective or preventive actions when needed.

Copyright © 2021 ISMS LOGIC - All Rights Reserved.