The standard implementation and certification can be broken up into the following phases:
Scope and Objectives of ISMS
To ensure the success of ISMS, organizations have to understand ISMS’s scope and objectives, which vary greatly among different organizations and industries. Some large organizations may have ISMS that covers only a specific business unit or a location. Similarly, some organizations’ objectives may focus on protecting customer data while others concentrate on ensuring secure product development.
In this step, the organization establishes necessary organizational changes to lay out the ISMS foundation. This step includes the appointment of a role responsible for the ISMS management, organizing a Security Council and involving stakeholders across the company, documenting ISMS, securing the necessary budget, etc.
Security Risk Assessment
A security risk assessment is a key activity in determining what Annex A controls should be implemented to achieve the ISMS objectives. Once the risk assessment is done, the organization completes the Statement of Applicability (SOA); a document that identifies applicable security controls and provides an explanation when controls are not applicable.
This portion is the most resource-intensive and time-consuming stage of the process and requires commitment and involvement from multiple resources across the organization as well as sufficient financing. In this step, all the missing administrative, technical, and physical controls as determined by the risk assessment are implemented.
An internal audit is another required step in the certification process. The goal of the internal audit is to ensure that the implementation and effectiveness of ISO 27001 requirements have been validated by an independent audit. Companies may use internal resources not involved in the ISMS implementation or hire external auditors to complete the audit. Prior to the certification, all non-conformities must be addressed.
The certification audit can only be performed by an accredited certification body. The audit process consists of two phases; Stage 1 and Stage 2. In Stage 1, the auditor reviews the organization’s ISMS. Stage 2 focuses on the implemented controls (Annex A). When both stages are completed and without any non-conformities, the organization receives ISO 27001 certification.