- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
Summary: In this article, we’ll cover the ISO 27001 certification steps, including what certification means and how to simplify the process to achieve compliance. You’ll learn about what the ISO 27001 certification process is and how it can be used to lay the foundation for a secure organization. By the end of this article, you’ll have a good understanding of why an ISO 27001 certification is a signal of an organization’s commitment to data protection and risk mitigation.
ISO 27001 Certification Process Overview
ISO 27001 is a set of standards and requirements that make up a robust framework for an information security management system (ISMS). Companies and organizations around the world rely on the ISO 27001 standards to guide their security policies and development. And as an internationally recognized security standard, ISO 27001 certification helps organizations demonstrate their security posture while remaining competitive and compliant across industries and borders.
However, ISO 27001 certification is a large undertaking. Because ISO 27001 touches on every aspect of a security management system—including policies, asset management, supplier relationships, HR security, and physical security—compliance requires thorough planning and coordination.
Understanding the ISO 27001 Structure
ISO 27001 is comprised of two parts: The main section of standards and requirements as outlined throughout Clauses 0-10; and Annex A, which identifies 114 security controls you can implement based on your risk assessment.
These security controls are organized into 14 categories:
- A.5 Information security policies
- A.6 Organization of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
These are the levers you can implement to mitigate risk in your organization and its supply chain. The controls are not mandatory for certification—the ones you ultimately implement will be determined during the certification process based on your organizational context, security landscape, and goals.
Clauses 4-10 describe the scope and mandatory requirements for a certified ISMS, including all the documents, processes, policies, and controls you will need to assemble, create and implement to achieve ISO compliance.
These requirements are described under the following categories:
- Clause 4: Context of the organization
- Clause 5: Leadership
- Clause 6: Planning
- Clause 7: Support
- Clause 8: Operation
- Clause 9: Performance evaluation
- Clause 10: Improvement
To achieve ISO 27001 certification, you must develop an ISMS that follows the ISO standards outlined in Clauses 4-10 and then pass two external audits to be recommended for accreditation.
ISO 27001 Certification Process
So what are the ISO 27001 certification process phases and how can you meet ISO 27001 certification requirements?
There are three ISO 27001 certification process phases:
1. Implementation—This stage is when you identify and apply the security policies and controls that will make up your ISMS.
2. Audit—Once your ISMS is in place, an external auditor will review and assess your ISMS for compliance. The audit is split into two stages: a preliminary assessment of the ISMS documentation you’ve compiled and then a formal review for certification.
3. Maintenance—Finally, ongoing maintenance and continuous improvement are central to the ISO 27001 framework. During this phase, you will regularly monitor and assess your security system’s posture and adapt your policies as needed to ensure compliance and best practices are followed.
Below, we’ll cover the steps you can take to streamline the certification process during each phase and develop a robust ISMS that meets your organization’s security needs and goals.
Step 1: Define the Scope
The ISO 27001 standard is designed as a broad framework that can be applied to any organization no matter the size, type, or industry. This is one reason why it is such a popular standard. But that doesn’t mean its application will be uniform. Every business is different and will have different types of data and associated security needs.
Before you begin planning and developing your ISMS, you’ll need to define the scope of your system. What data do you need to protect? Will you be implementing the ISMS across the entire organization or will it be isolated to a specific department?
To answer these questions, consider your organization’s security goals and needs, as well as the needs and expectations of third parties such as partners, clients, and suppliers. If you are pursuing certification to meet the requirements of a specific customer or industry, note what their security priorities are so you can ensure your ISMS fully addresses those expectations within the scope of your project.
Understanding the scope will help you clearly identify and document the people, processes, systems, and assets that impact your information and its related risk. An overly narrow project scope won’t adequately protect your data or meet your customer requirements, while an overly broad scope adds an unnecessary burden to your budget and resources, provides less agility, and is more difficult to control.
Make sure the scope is aligned with your organizational objectives, client obligations, and available resources so you can successfully implement your ISMS.
Step 2: Create a Plan
With your scope defined, the next step to compliance is developing a plan to achieve it.
Create a project plan to help answer key questions from the start:
- Who will manage the project, set expectations, and oversee progress?
- How will you get buy-in from leadership and stakeholders?
- When will you begin the project?
- What resources do you currently have and what will you need?
- What are the organization’s strategic goals?
Clarifying the organizational goals upfront will help you align your security implementation efforts with these objectives and manage them effectively.
Statement of Applicability
Once you have defined your scope, you’ll need to evaluate what controls will fall under your ISMS umbrella. This will be outlined in what is called a Statement of Applicability (SoA). The SoA is a mandatory report that documents the Annex A controls that are included in the scope of your organization.
The SoA is a key component of your project plan as it justifies why specific controls are included or excluded from the ISMS implementation. The SoA not only acts as guiding documentation for your plans but also provides evidence of your security compliance, defining which activities, stakeholders, departments, systems, and processes will be part of the ISO audit and compliance assessment.
Step 3: Conduct a Risk Assessment
A documented risk assessment is required as part of the certification standards. ISO 27001 doesn’t prescribe a risk assessment methodology—instead, organizations are expected to establish and document a formal and repeatable process that includes:
- Risk identification
- Risk analysis
- Risk treatment
The assessment will be based on your baseline security criteria determined during the scoping and planning phase. These criteria include the organization’s business, legal, and regulatory requirements, as well as its contractual obligations regarding information security.
With these criteria in mind, perform a risk assessment to identify both external and internal threats to your ISMS and then analyze and evaluate the probability and potential impact of each risk. For every risk you identify, you’ll need to assign a security control to mitigate it and outline an action plan in response.
Risk Treatment Plan
The Risk Treatment Plan is another mandatory report that must be documented for the certification audit. It outlines how your organization will respond to the threats identified during your assessment.
The ISO 27001 standard outlines four action options:
- Mitigate the risk using controls to reduce the likelihood it will occur.
- Avoid the risk by preventing the circumstances under which it could occur.
- Transfer the risk to a third-party such as an insurance company or security services provider.
- Accept the risk because its potential impact is lower than the cost to address it.
With your risk treatment plan outlined, you can then begin implementing those controls and processes according to best practices.
Step 4: Conduct Training
ISO 27001 requires all employees to receive information security awareness training in accordance with clause 7.2.2. But security training isn’t just a compliance measure—it’s a security control in itself. The better trained your organization is on security risks and best practices, the more equipped people will be to manage and avoid risks.
The goal of ISO 27001 is to create a security-centric culture that makes security everyone’s responsibility. As a result, training should occur regularly on an ongoing basis. Make sure to document your efforts so all training is traceable through records like learning management system reports, participant lists, and training agendas.
Step 5: Document and Collect Evidence
The first audit phase involves reviewing all documentation for the ISMS so it is crucial to have clearly recorded information on your plans, analyses, decisions, and actions.
The ISO 27001’s mandatory documents include:
- 4.3 The scope of the ISMS
- 5.2 and 6.2 Information security policy and objectives
- 6.1.2 Information security risk assessment process and methodology
- 6.1.3 Information security risk treatment plan
- 6.1.3 The Statement of Applicability
- 7.1.2 Definition of security roles and responsibilities
- 8.1 Operational planning and control
- 8.2 Results of the information security risk assessment
- 8.3 Results of the information security risk treatment
- 9.1 Evidence of the monitoring and measurement of results
- 9.2 A documented internal audit process
- 9.2 Evidence of the audit programs and the audit results
- 9.3 Evidence of the results of management reviews
- 10.1 Evidence of the results of any corrective actions
In addition, organizations may include other non-mandatory records to provide further evidence of security processes, decisions, and actions. Documentation is essential for certification, so make sure to keep careful records with clear justifications for your decisions. The better your documentation, the more streamlined the audit process will be.
Step 6: Measure, Monitor, and Review
ISO 27001 supports continuous improvement. Monitoring against your documented procedures will allow you to identify gaps in your ISMS that could disqualify you from certification during an audit. Use this opportunity to audit your systems, review your documentation, make changes or fix mistakes, and measure your efforts against your stated goals.
Step 7: Complete Certification Audit
Once you’ve planned and implemented your ISMS, it’s time to complete the certification audit itself. Certification happens in two stages:
Stage 1: An external auditor reviews your ISMS documentation to verify it complies with all ISO 27001 requirements and you have all necessary controls in place. At this point, any gaps in compliance will be noted, and you’ll have a chance to correct and update your system to meet the standards before the final audit.
Stage 2: In a final review, the auditor assesses the actual processes and activities in practice in the organization to ensure they are in line with the written policies and standards.
Once complete, certification is valid for three years.
Step 8: Maintain Certification
ISO 27001 certification requires periodic assessments called surveillance audits to ensure continued compliance. During the next three years of certification, internal auditors will continue monitoring and reviewing your processes to make sure they’re effective and mitigating any risks that emerge.
In the final year of certification, the organization can choose to undergo a recertification audit. The process is similar to the original stage 2 audit, where the external auditor reviews the ISMS policies and assesses their effectiveness. If you pass inspection, the certification is valid for another three years.
How Long Does the Entire Process Take?
As with most things in life, the answer is “it depends.” The length of your certification process will vary based on where you start, the complexity of your organization, and your strategy. For most organizations, certification can take anywhere from 6-12 months minimum—not including subsequent audits for continual verification and improvement.
How to Simplify the ISO 27001 Certification Process
Get familiar with ISO 27001: You’ll need to be deeply familiar with ISO 27001 standards and controls. Take time to review ISO 27001 so you can make a plan that adequately addresses and prepares for the overarching goals and components. The better you understand the standards and requirements for compliance, the better you can plan and implement an effective ISMS.
Enlist help from a partner: ISO 27001 certification is a long and tedious process. From the mountains of documentation to the numerous controls and monitoring systems required, it’s easy for things to get lost in the shuffle. But working with an access management solution can streamline the process and unlock greater visibility into your ISMS and security policies.
Automate Compliance with strongDM
Managing compliance is a big job. Employ the help of a proxy like strongDM to streamline policy implementation and audit processes so nothing falls through the cracks.
Easily implement best-practice standards across the organization:
- Authenticate users so only authorized people gain access to critical infrastructure
- Enforce role-based access policies that are least privileged by default
- Maintain comprehensive audit logs that provide centralized visibility into your systems
Schedule a free demo and see how you can automate your ISO 27001 certification process.
About the Author
Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish 'Practical Vulnerability Management' with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.