Set yourself up for success before your certification process
Getting your ISO 27001 certification can seem daunting.
If you’ve never gone through it before, think of it like climbing a mountain. A little intimidating, BUT with the right equipment and a clear path in front of you, you can make the ascent too!
Just like with rock climbing, you need to keep an eye out for the WRONG places to put your foot. A misstep can not only cost you momentum but could cause you to fall.
At ARORA Solutions we’ve been helping guide people through their security and compliance audits for over 5 years. In this time we’ve noticed 6 areas that have led to a lot of headaches for our clients.
Don’t know where to start?
Let us take care of it for you. Reach out to us here.
Problem #1 - Inadequate Risk Assessments Before Your ISO 27001 Certification
As we’ve helped organizations pursue ISO 27001 certification, some have been on a tighter deadline than others.
This can make things tricky.
That tight timeline can cause a handful of problems right away and down the road. One of the places it hurts most is the risk assessment (ISO 27001 Clause 6.1.2, which requires you to define the assessment process, and Clause 8.2, which requires you to actually perform it at planned intervals).
A risk assessment gives you a full view of the risks to your organization’s information: which ones need to be treated before certification, and which fall within your risk acceptance criteria and can be formally accepted.
Keep in mind that getting a full picture of your organization takes time and effort. You don’t want to rush this. Risk assessments are crucial because they identify weaknesses and vulnerabilities you have today and limit your exposure to future ones.
Here are some questions to ask yourself while doing your own risk assessments before your ISO 27001 certification:
Are there current plans in place to research, document, and remediate/accept current risks in the organization? If so, what are they?
How do our current risk assessments align with industry standards and practices?
Is executive leadership aware of these risks and how they can affect the organization? If so, how are they informed? If not, why?
Having these questions answered before you start the certification process will make things a lot easier for you and your company.
Problem #2 - Little or No Management Approval
The certification process should have all members on board from the executive leadership down. We want everyone to be on the same page when it comes to your organization’s cybersecurity and compliance goals.
Some individuals in leadership may only look at the short-term financial hit getting certified will cause. They may think that complying with an audit is “unnecessary” or a “waste of time and resources”. They may also not see the value in long-term maintenance and continual improvement, which are requirements of ISO 27001.
Top Management stakeholders should understand why the security of your data is so important. The trust of your customers and the success of the organization are ultimately what you are working towards.
Questions to ask yourself before bringing in help:
What is management’s role in the ISO 27001 Certification?
What are potential issues that could happen if they are not committed to it?
How do you foster that kind of buy-in and support?
How do you demonstrate the benefits of having an improved compliance and security posture?
Problem #3 - No Well-Defined Processes and Policies (Or They Aren't Followed)
During the Stage 1 audit of the ISO 27001 certification process, your auditor reviews your documentation and asks what processes are in place.
This means you want to have your documentation up to date, covering your people, your processes, and your technologies. While you can verbally confirm a process, documentation is your proof that the procedure exists, and the records it produces are what your Stage 2 auditor will use to verify that the procedure is actually being followed. That evidence will be worth its weight in gold.
Keeping up with documentation can be overwhelming.
In some cases, we’ve seen organizations have a documented process, but only for the sake of the compliance audit. They did not actually follow through with what they had written down. The scope of the task was more than they wanted to keep up with.
They only created the documentation to pass the audit. Then ignored it once it was over.
This creates a huge discrepancy between the documented state and the actual state of your organization, and it could slow down or even halt the audit process altogether in the following years.
Without documentation and the records it generates, an auditor has no evidence of compliance to work from.
Questions to ask yourself:
Why is documentation in ISO 27001 certification so important?
What should be included in our documentation to be considered “compliant”?
What documentation are we missing that is required by ISO 27001?
What process should have been included?
Problem #4 - Lack of Continual Improvement After ISO 27001 Audit
You’ve passed your ISO 27001 audit — congratulations!
Now you can finally relax, right?
Not so fast.
One of the key components of ISO 27001 is the concept of “continual improvement.” This means that you are always working to make your processes, policies, and controls better.
Look at it from a threat perspective.
Your controls only cover the threats and vulnerabilities that were known when you designed them; anything discovered since is a gap until you review and update them.
It is vital that your controls are regularly reviewed and updated as needed so you can be prepared for not only today’s threats but tomorrow as well.
Questions to ask yourself:
Why are complacency and stagnation such a big problem in some industries?
Does your current organization embrace continual improvement practices? Why or why not?
How are continual improvement practices documented? Where are they located?
Problem #5 - Stakeholders and Interested Parties Aren't Involved in the Process
Once all your internal parties understand at least the basics of how you’re trying to improve your security posture, you’d think that would be it, right?
Letting your own organization know how the changes could affect their day-to-day work is necessary, but there are other groups you might not have thought of.
These people, groups, and entities could be anyone who receives your products or services. If they are affected by them or have an interest in your company, they need to know.
These groups could include:
Every organization can define who these parties are according to their operational needs.
You want to identify these parties not only for your Information Security Management System (ISMS) but also for your own business purposes. Knowing these parties can help you gain further insight into your business and what systems are in place to further its interests.
Your organization could be operating within an echo chamber without their guidance and input.
Questions to ask yourself:
What are your organization's interested parties/stakeholders?
How will you engage them in the certification process?
Problem #6 - The Difficulty of Information Security Management System Creation
We’re going to get brutally honest —
Creating a functional Information Security Management System is difficult and can be very expensive if you’re not careful.
People who want to get certified sometimes underestimate the steps involved in being ISO 27001 certified. On top of producing all your documentation, you also need to take into account what kind of resources and costs will be involved at each step.
You have to consider the following:
Implementation of new controls/policies
The internal audit (to get prepared for the real deal)
Annual internal audit to check on continual improvement
Keeping up with the ever-evolving security landscape
Well, you get the idea.
Costs can balloon out of control if not correctly budgeted. Your leadership needs to look beyond the cost of the internal audit and keep in mind the additional expenses that will follow: new controls, the certification audit itself, and the ongoing maintenance the standard requires.
Thankfully we created a step-by-step guide on what the process is from beginning to end and some best practices to make it a little easier:
It is crucial to address these challenges head-on as you navigate the potential pitfalls on your path to ISO 27001 certification.
By recognizing the importance of…
Thorough risk assessment
Management commitment
Sound documentation practices that are actually followed
Continual improvement
Engaging your interested parties
Realistic budgeting for your ISMS
…you can enhance your chance of achieving successful and sustainable ISO 27001 certification.
The journey may seem impossible. But with a little bit of help, you too can overcome these hurdles and fortify your information in the ever-evolving digital landscape.
Want more help? Reach out to us and find where your company could improve and get set up for success on your ISO 27001 certification journey.