If you thought that your job was over after the ISO 27001 certification, you’re wrong – the real job with your Information Security Management System (ISMS) has just begun.
OK, but where do you start? The good news is that you already have all the directions in your documentation, but here’s an overview on what you have to focus on:
1) Operate the ISMS. First of all, you have to make sure you perform all the activities described in your policies and procedures. And I don’t mean just artificially creating some records and pretending that you are doing some activities because of the auditors – I mean really walking the talk, complying with all the requirements in all of your documents and producing the real records. If you think this makes no sense, then you have to simplify your documents or delete some documents that are not mandatory.
2) Update the documentation. Circumstances in your company will change – you’ll create some new products, you’ll purchase some new software, your organization will change, etc. This means you’ll have to update your policies or procedures or they will become useless. Best practice is to nominate an owner for each document, and that person will have to review his or her document periodically (usually once a year), and recommend possible changes.
3) Review the risk assessment. Again, because of the changed circumstances, the threats and vulnerabilities will change, meaning your risks will change; and if your risks have changed, this means your existing controls won’t be enough. This is why you should send the results of the last risk assessment to the risk owners so that they can review them and update if necessary – once this is done, you have to implement new controls based on those results. This review must be done at least once a year, or more often if some significant change has occurred.
4) Monitor and measure the ISMS. Although this one seems too abstract and probably the most difficult one to achieve, it is also one of the most important – otherwise, how would you know whether you’re doing a good job or not? When speaking about monitoring, you have to keep an eye on various security-related events like incidents, errors, exceptions, etc. Based on this information, you can learn what to do better and how to prevent future incidents from happening. But this is not all – you have to measure whether your ISMS achieves the intended results. To do this, you have to measure if you have achieved the objectives – for example, if the objective was to decrease the number of incidents by 50% in the current year, you have to take the actual number from the results of monitoring, and compare it with the number of incidents in the previous year. Read also ISO 27001 control objectives – Why are they important?
5) Perform internal audits. This might seem just like one of those “Oh no, another useless ISO 27001 job,” but the fact is – when done properly, an internal audit can reveal to you many more security weaknesses than most of the other activities together. To achieve this you have to either train some of your employees to do this job, or hire an external auditor. No matter which option you choose, you have to enable this person to do the job thoroughly and be prepared to act upon the audit results. Read also: How to make an Internal Audit checklist for ISO 27001 / ISO 22301.
6) Perform management review. This is a crucial activity, since it actively involves your top management in your information security. You have to inform them about the key issues related to your ISMS, and ask them to make crucial decisions – for example, changes in organization, providing the budget, eliminating obstacles, etc. Learn more here: Why is management review important for ISO 27001 and ISO 22301?
7) Perform corrective actions. Again, this is not some “ISO 27001 job,” because corrective actions are something you perform regularly – most probably you do make improvements to what you are doing, only you don’t call them “corrective actions,” so the trick is to continue making those improvements in the form that is acceptable to ISO 27001. See also Practical use of corrective actions for ISO 27001 and ISO 22301.
And don’t forget that the certification body will perform surveillance visits at least once a year – they will check all the seven issues listed above, but also whether you closed all the non-conformities from their last visit, so make sure you didn’t forget about them. See also Surveillance visits vs. certification audits.
But basically, the maintenance of your ISMS comes down to this: you should do it because of yourself, in order to make your company more secure – not because of a certification auditor.
Click here to see an overview of Internal Audit Toolkit.