Any organisation that has achieved ISO 27001 certification knows it can be a challenging process. To make matters more complicated, once an organisation is certified to the standard, it must maintain its compliance status and regularly recertify. This demonstrates that the organisation has maintained its compliance practices and accounted for changes in the way it operates.
ISO 27001 certification lasts for three years, but organisations can ensure that their information security management system (ISMS) remains compliant with the standard by following these recommended steps.
Continually Monitor and Review Risks
To remain compliant, organisations must complete an ISO 27001 risk assessment at planned intervals or whenever there are significant changes to the way they operate. However, the threat landscape is constantly evolving due to digital transformation, threat actors targeting new organisations (both large and small), and a constantly changing regulatory environment. Organisations should therefore actively monitor the risks they face and review risk assessments as necessary to ensure that their cyber defences remain effective.
Keep Documentation Up to Date
The policies and processes developed during implementation must evolve with the organisation. Documentation should be regularly reviewed to ensure it is accurate, suitable for use and up to date.
Make The Most of Internal Audits
Internal audits help monitor the compliance status and effectiveness of the organisation’s ISMS. To get the best out of internal audits, the organisation should develop a comprehensive audit programme that defines the frequency of audits, methods, responsibilities, planning requirements and reporting, and should ensure that auditors have enough time and resources to determine the root cause of any non-conformities that are identified.
Monitor and Measure Key Security Controls
Monitoring and measuring play a vital role in making sure an ISMS is effective. Monitoring key information security controls can help identify opportunities for improvement and can help flag potential cyber security incidents before they occur.
Plan For Management Reviews
The mandatory management review is an opportunity for senior leaders to discuss the effectiveness, adequacy and suitability of the ISMS and any potential changes that could impact cyber security in the organisation. It should be conducted at planned intervals. Management reviews are one of the most important oversight functions in the ISMS, so the organisation should ensure that it prepares all the necessary information and arranges the review meeting with plenty of notice, so that business leaders and busy managers can find time to attend.
Stay On Top of Corrective Actions
Even the best-maintained ISMS will develop non-conformities and/or opportunities for improvement over time as the organisation evolves. However, in the hustle and bustle of day-to-day business activities, it can be tempting to set aside corrective actions in favour of more urgent business requirements. The longer a corrective action is left unresolved, the greater the risk that the non-conformity it is meant to address negatively impacts the organisation. Timely corrective actions should always be a priority.
Promote Ongoing Information Security Staff Awareness
One of the key principles of ISO 27001 is that information security is everybody’s responsibility – not just the responsibility of the helpdesk staff, IT manager or cyber security personnel. Anyone in the organisation who handles sensitive data plays a role in the organisation’s security. They must understand their obligations to protect sensitive information and the consequences the organisation can suffer if they fail to do so. An information security awareness programme should be established in line with the organisation’s information security policies and relevant procedures, taking into consideration the organisation’s information to be protected and the controls that have been implemented to protect the information.
Additional Measures to Maintain Your Certification
- Inform your Assessment Manager of any changes that may affect the scope of your certification as early as possible. Your Assessment Manager can be contacted at any point in the certification cycle.
- Ensure that your key technical staff maintain their technical competence by attending recognised training courses and relevant sector events.
- Ensure that your organisation keeps up-to-date with regulatory changes in your sector.
- Ensure that you are subscribed to updates, UKAS/ISMS publications and technical bulletins so that you receive the latest certification requirements.
- Inform UKAS/the certification body in advance of any relocation of premises from which credited work is performed.
- Retain all quality records and technical records throughout the period between assessments.
- Use a PDCA (plan–do–check–act) model for the control and continuous improvement of processes and products:
  - Plan: establish the objectives and processes required to deliver the desired results.
  - Do: carry out the objectives from the previous step.
  - Check: evaluate the data and results gathered from the Do phase. Data is compared to the expected outcomes to identify any similarities and differences.
  - Act: sometimes called "Adjust", this is where a process is improved. Records from the Do and Check phases help identify issues with the process. These issues may include problems, non-conformities, opportunities for improvement, inefficiencies and other issues that result in less-than-optimal outcomes. Root causes of such issues are investigated, found and eliminated by modifying the process. Risk is re-evaluated. At the end of the actions in this phase, the process has better instructions, standards or goals.