ISO 27001 & BS 25999

If you think writing a bunch of information security documents is enough to get ISO 27001 certificate , you’re wrong. You need to implement all the activities described in your documentation, but that’s not all – you also need to follow certain steps in the final phase of your ISO 27001 project.

ISO 27001 certification process

Let’s start first with the certification process itself – it is divided in two steps: Stage 1 audit and Stage 2 audit. In Stage 1 audit (also called Documentation review) the certification auditor checks whether your documentation is compliant with ISO 27001; in Stage 2 audit (also called Main audit) the auditor checks whether all your activities are compliant with both ISO 27001 and your documentation.

Therefore, you need to pay attention to both writing appropriate documentation for your needs, and to really committing to implementation information security in your company. For details on required documentation, steps in the audit and how to deal with nonconformities read this article How to get certified against ISO 27001?.

Mandatory steps for finishing the implementation

After finishing all your documentation and implementing it, you need to perform these mandatory steps in your ISO 27001 project:

• Internal audit
• Management review
• Corrective and preventive actions

The purpose of internal audit is that someone independent checks out whether your Information Security Management System (ISMS) is working properly. Read more about internal audit here Dilemmas with ISO 27001 & BS 25999-2 internal auditors.

Management review is actually a formal way for management to take into account all the relevant facts about information security and make appropriate decisions. The point with ISO 27001 is to reach such decisions as part of a regular decision making process.

Finally, the company needs to correct all the problems detected by internal auditors, managers or someone else, and document how these problems were resolved – this process is called corrective actions. It is recommended to take preventive actions too – to try to prevent problems before they happen (something the certification auditor will appreciate quite a lot).

How to test ISO 27001 implementation?

However, before undertaking these mandatory steps, it is useful to check whether everything is in place. This step is not required by ISO 27001 (at least not in such an explicit way), but in my opinion it significantly increases the chances for successful certification.

Doing the ISO 27001 test (or check) means that everyone who has a role in ISMS has to check whether everything he/she is responsible for really functions as required by the standard, and by the company’s documentation.

Such test/check is not the same thing as internal audit because during internal audit it is the auditor who goes through the company checking out things, while what I’m talking about here is that almost every employee needs to think hard whether he/she has done really everything that is required. In such a way you not only decrease the chances for something going wrong, but also raise the awareness of your employees.

All these steps might seem complicated or you may think of them as costly overhead. But, believe me, they do serve their purpose – if implemented properly, you will see that they will actually increase your level of information security.

This is usually one of the first questions I receive from the potential client. To their disappointment, I cannot give them the exact figure right away – here is why.

First of all, the total cost of implementation will depend on the size of your organization (or the size of the business unit(s) that will be included in the ISO 27001 scope), the level of criticality of information (for instance, information in banks is considered more critical and demands a higher level of protection), the technology the organization is using (for instance, the data centers tend to have higher costs because of their complex systems), and the legislation requirements (usually the financial and government sectors are heavily regulated with regards to information security).

Second, you won’t be able to calculate the exact costs before you know which level of protection you need – first you have to perform risk assessment, because such analysis will tell you which security measures are required.

When you know the results of risk assessment, you will have to take into account the following costs:

1. The cost of literature and training

Implementation of ISO 27001 requires changes in your organization, and requires new skills. You can prepare your employees by buying various books on the subject and/or sending them to courses (in-person or online) – the duration of these courses varies from 1 to 5 days (read How to learn about ISO 27001 and BS 25999-2).

And don’t forget to buy the ISO 27001 standard itself – too often I run across companies implementing the standard without actually seeing it.

2. The cost of external assistance

Unfortunately, training your employees is not enough. If you don’t have a project manager with deep experience in ISO 27001 implementation, you’ll need someone who does have such knowledge – you can either hire a consultant or get some online alternative (this is what we do at Information Security & Business Continuity Academy).

The greatest value of someone with experience helping you with this kind of project is that you won’t end up in dead end streets – spending months and months doing activities that are not really necessary or developing tons of documentation not required by the standard. And that really costs.

However, be careful here – do not expect the consultant to do the whole implementation for you – ISO 27001 can be implemented by your employees only.

3. The cost of technology

It might seem funny, but most companies I’ve worked with did not need a big investment in hardware, software or anything similar – all these things already existed. The biggest challenge was usually how to use existing technology in a more secure way.

However, you do need to plan such investment if it proves to be necessary.

4. The cost of employees’ time

The standard isn’t going to implement itself, neither can it be implemented by a consultant only (f you hire one). Your employees have to spend some time figuring out where the risks are, how to improve existing procedures and policies or implement new ones, they have to take some time to train themselves for new responsibilities and for adapting to new rules.

5. The cost of certification

If you want to obtain public proof that you have complied with ISO 27001, the certification body will have to do a certification audit – the cost will depend on the number of man days they will spend doing the job, ranging from under 10 man days for smaller companies up to a few dozen man days for larger organizations. The cost of man day depends on the local market.

You have to be very careful not to underestimate the true cost of ISO 27001 project – if you do, your management will start looking at your project in a negative light. On the other hand, forecasting all costs correctly will show your level of professionalism; and don’t forget – you always have to present both the cost and the benefits – read Four key benefits of ISO 27001 implementation.

You probably knew that the first step in ISO 27001 implementation is defining the scope. What you probably didn’t know is that this step, although simple at first glance, can sometimes cause you quite a lot of trouble. Namely, a lot of companies are trying to decrease their implementation costs by narrowing the scope, but they often find themselves in a situation where such a scope gives them a headache.

So, where is the problem?

The problem when the ISO 27001 scope is not the whole organization is that the Information Security Management System (ISMS) must have interfaces to the “outside” world – in that context, the outside world are not only the clients, partners, suppliers etc., but also the organization’s departments that are not within the scope. It may seem funny, but a department which is not within the scope should be treated in the same way as an external supplier.

For instance, if you choose that only your IT department is within your scope, and this department is using the services of the purchasing department, the IT department should perform risk assessment of your purchasing department to identify if there are any risks for the information for which the IT department is responsible; moreover, those two departments should sign terms and conditions for the services provided.

Why is such an overhead necessary? You have to put yourself in the certification body’s shoes – it must certify that within your scope you are able to handle the information in a secure way, while it cannot check any of your departments outside the scope. The only way to handle such a situation is to treat such departments as if they were external companies. (Please note: certification auditors never like a narrow scope.)

This is not where the trouble stops. Sometimes, a narrow scope is simply not possible, because there is no interface with the outside world. For instance, if employees from both within the scope and outside the scope are sitting in the same room, such a scope is hardly feasible; if both the employees within and outside the scope use the same local network (with no segregation) and have the access to various network services, such a scope is definitely not possible – there is no way you would be able to control the information flow only inside the scope.

The point here is – narrowing your ISMS scope is sometimes impossible, and in most cases it will bring you unnecessary overhead. Therefore, what initially didn’t seem like a good solution, might be the optimal one after all – try to extend your scope to the whole organization. The rule of the thumb is: if your organization has no more than a few hundred employees, and one or just a few locations, the best thing would be for the ISMS to cover the whole organization.

On the other hand, if you really cannot cover the whole organization with your ISMS scope, try to set it in an organizational unit which is sufficiently independent; try to solve the relationships with other organizational units outside the scope by determining their service through internal documents (policies, procedures etc.) that would serve as “agreements” – in such a way you could document those organizational unit’s obligations in a manner that is usable in daily operations.

There you go – you have solved the first step in your ISO 27001 implementation.

You have been implementing ISO 27001 for quite a long time, invested quite a lot in education, consultancy and implementation of various controls. Now comes the auditor from a certification body – will you pass the certification?

This kind of anxiety is normal – you can never know whether your ISMS (information security management system) has everything the certification body is asking for. But what is it exactly the auditor will be looking for?

First, the auditor will perform the Stage 1 audit, also called the “Document review” – in this audit, the auditor will look for the documented scope, ISMS policy and objectives, description of the risk assessment methodology, Risk Assessment Report, Statement of Applicability, Risk Treatment Plan, procedures for document control, corrective and preventive actions, and for internal audit. You will also have to document some of the controls from Annex A (only if you found them applicable in the Statement of Applicability) – inventory of assets (A.7.1.1), acceptable use of assets (A.7.1.3), roles and responsibilities of employees, contractors and third party users (A.8.1.1), terms and conditions of employment (A.8.1.3), procedures for the operation of information processing facilities (A.10.1.1), access control policy (A.11.1.1), and identification of applicable legislation (A.15.1.1). Also, you will need records of at least one internal audit and management review.

If any of these elements are missing, this means that you are not ready for Stage 2 audit. Of course, you could have many more documents if you find it necessary – the above list is the minimum requirement.

Stage 2 audit is also called the “Main audit”, and it usually follows a few weeks after Stage 1 audit. In this audit the focus will not be on the documentation, but if your organization is really doing what your documentation and ISO 27001 say you have to do. In other words, the auditor will check whether your ISMS has really materialized in your organization, or is it only a dead letter. The auditor will check this through observation, interviewing your employees, but mainly by checking your records. The mandatory records include education, training, skills, experience and qualifications (5.2.2), internal audit (6), management review (7.1), corrective (8.2) and preventive (8.3) actions; however, the auditor will be expecting to see many more records as a result of carrying out your procedures.

Please, be careful here – any experienced auditor will notice right away if any part of your ISMS is artificial, and is being made for the purpose of audit only.

OK, you knew all this, but it still happened – the auditor found major non-conformity and told you that ISO 27001 certificate will not be issued. Is this the end of the world?

Certainly not. The process goes like this – the auditor will state the findings (including the major non-conformity) in the audit report, and give you the deadline until which the non-conformity must be resolved (usually 90 days). Your job is to take appropriate corrective action; but you have to be careful – this action must resolve the cause of the non-conformity, otherwise the auditor might not accept what you have done. Once you are sure the right action is taken, you have to notify the auditor and send him/her the evidence of what you have done. In the majority of cases, if you have done your job thoroughly, the auditor will accept your corrective action and activate the process of issuing the certificate.

There you go – it took some time, but now you are a proud owner of the ISO/IEC 27001 certificate. (Be careful though – the certificate is valid for three years only, and can be suspended during that period if the certification body identifies another major non-conformity on the surveillance visits.)