ISO 27001 Certification

The first question that may come to your mind when you come to know about ISO 27001 might be, “How do I get there?”.

In this blog, I will explain the ISO 27001 Certification Roadmap from my experience consulting on more than a few dozen ISO 27001 projects in Malaysia and abroad.


I would categorise the ISO 27001 certification roadmap into 7 Phases based on our 7E lifecycle model.

Phase 1: Explore – ISO 27001 Compliance in Your Organisation

ISO 27001 Self-Assessment

In this Explore phase, you must understand where your organization stands in compliance with ISO 27001 standards. You can achieve this by going through a compliance checklist. I have included a sample ISO 27001 Self-Assessment Checklist for your immediate action.

Forming your ISO 27001 Information Security Steering Committee

Remember, you shouldn’t do this alone. Start by forming an ISO 27001 Information Security Steering Committee comprising representatives from:

  • IT Department,
  • Human Resource Department,
  • Physical Security and Administration Department,
  • Finance Department,
  • Supply Chain Management or Procurement Department.

Tips: The best ambassadors for ISO 27001 and Information Security are yourself and your Founder, CEO and top leaders. Appoint these credible and experienced people to your ISO 27001 Steering Committee. It creates a lasting impact and increases the success rate of ISO 27001 certification many-fold.

Phase 2: Educate – ISO 27001 Awareness

ISO 27001 Awareness Training

Awareness is the most critical component of the ISO 27001 management system. Therefore, Phase 2, Educate, provides awareness training to your Information Security Steering Committee and your employees about the ISO 27001 framework. The goal is to get everyone to understand why your organization is going for ISO 27001 certification and, most importantly, what role each of them plays in the ISO 27001 certification roadmap.

A yearly Refresher ISO 27001 Awareness training given to the entire organization is a mandatory activity.

Tips: Employees’ buy-in is most critical in this phase. It is not wise to give your employees the wrong impression that your ISO 27001 journey is only for compliance’s sake or for marketing purposes. The last thing you should mention is that ISO 27001 certification is meant to get more sales or to fulfil tender requirements.

Phase 3: Establish – ISO 27001 Policies and Procedures

Establishing ISO 27001 Policies and Procedures is the phase that takes the most time in the ISO 27001 Roadmap. It typically spans 1 – 3 months, depending on the scope of ISO 27001 certification.

Scope of ISO 27001 Certification

Defining the Scope of the ISO 27001 certification plays a significant role in ensuring your ISO 27001 Certification is successful. Why is it so? In short, the scope of ISO 27001 certification determines the areas, functions or departments covered during the ISO 27001 Certification Audits. In other words, the bigger the scope of the ISO 27001 Certification, the wider the areas of Certification Audit that will be carried out on your Organisation.

Tips: Always consider going first for the Most Critical Functions of your organisation where Information resides. Avoid going for the “big-bang approach”.

ISO 27001 Policies and Procedures

Depending on the Scope of Certification and the result of the Gap Assessment, you must start developing the mandatory ISO 27001 Policies and Procedures to prepare for the next phase, Execute. All ISO 27001 Policies and Procedures must be “baselined” or “approved” for implementation by the Information Security Steering Committee.

Tips: I recommend your organization consider hiring an experienced ISO 27001 consultant to carry out this phase of activities, as it involves many hours of documentation development. It is value for money not to burn out your Leaders in your Department on this mundane work. Furthermore, an experienced ISO 27001 consultant would be able to impart their latest professional advice based on their years of experience in tackling compliance with the ISO 27001 standard most realistically and cost-effectively.

Phase 4: Execute – ISO 27001. Do what you’ve written

Executing or implementing ISO 27001 Policies and Procedures ensures that all stakeholders (your employees, vendors, partners and customers) comply with the new ISO 27001 policies and procedures your organization has approved.

ISO 27001 Implementation Evidence and Records

This Execute Phase shall take approximately 2-3 months, so that evidence and records of ISO 27001 implementation have been generated in your organization. These ISO 27001 implementation evidence and records are crucial to proving that your stakeholders are practising and complying with your Organisation’s ISO 27001 Policies and Procedures.

ISO 27001 Measurements & KPIs

Measurements or Process KPIs should be set for ISO 27001 critical Policies and Procedures. These measurements and KPIs will give you a bird’s-eye view of the overall performance and effectiveness of the ISO 27001 implementation in your Organisation.

Tips: No Policies and Procedures should be written in stone, meaning Policies and Procedures should be flexible enough to undergo improvements during this period.

Tips: Accredited Certification Auditors prefer to see improvements during this phase. Any document still at Version 1.0 suggests no progress has been made throughout the ISO 27001 certification journey.

Phase 5: Ensure – ISO 27001 Compliance

To ensure compliance with the ISO 27001 standard, your Organisation must train a pool of Internal Auditors. This sustains the ISO 27001 Certification and reduces dependency on external consultants.

ISO 27001 Internal Audit Training

The identified Internal Auditors shall undergo formal Internal Audit Training provided by an experienced and certified ISO 27001 Lead Auditor (internal or external trainer). Internal Auditors must complete the internal Audit training, and the certificate of completion should be retained for ISO 27001 Certification Audit purposes.

ISO 27001 Internal Audit

The ISO 27001 Internal Auditors and the ISO 27001 consultant shall conduct a complete ISO 27001 Internal Audit. All ISO 27001 Internal Audit Records shall be kept and reported to closure.

In an upcoming blog post, I shall write in detail about the mandatory ISO 27001 Internal Audit Process.

ISO 27001 Management Review Meeting

The ISO 27001 Management Review Meeting is conducted at least once a year to go through the specific agenda listed in the ISO 27001 standard. Its primary purpose is for the ISMS Steering Committee to present the Internal Audit Findings and any potential actions for Continual Improvement to the Top Management of your Organisation.

This ISO 27001 Management Review meeting must be minuted, following the agenda listed in the ISO 27001 standard.

Tips: At this point, your company has already implemented ISO 27001 for some time. Even so, it is expected that there may still be areas of non-compliance due to resource and budget constraints. The Management Review meeting acts as a checkpoint where Top Management can decide to accept, transfer or terminate these risks and non-compliances.

Phase 6: Examine by Accredited ISO 27001 Certification Bodies

Examine is a phase where the ISO 27001 Accredited Certification Body is invited to conduct a Third Party Audit. This certification audit is broken into 2 stages:

  • Stage 1 Audit and
  • Stage 2 Audit

Any organization going for ISO 27001 certification will have to go through the Stage 1 and Stage 2 Audit (full-cycle audit) in the 1st year and again every 4th year, during the Re-Certification Audit.

For Year 2 and Year 3, only a Stage 2 Audit is conducted, as a Surveillance Audit. Refer to the table below for a better illustration:

Year    Type of Certification Audit
1       Certification Audit (Stage 1 & Stage 2 Audit)
2       Surveillance Audit (Stage 2)
3       Surveillance Audit (Stage 2)
4       Re-certification Audit (Stage 1 & Stage 2 Audit)
5       Surveillance Audit (Stage 2)
6       Surveillance Audit (Stage 2)
7       Re-certification Audit (Stage 1 & Stage 2 Audit)

ISO 27001 Stage 1 Audit – Documentation Adequacy Checks

During the ISO 27001 Stage 1 Audit, the ISO 27001 Accredited Certification Auditors perform an audit to confirm the following objectives:

  1. Ensure the Organisation is in operation and a formal ISO 27001 Management System is in place.
  2. Understand the Organisation’s ISO 27001 Scope of Certification and Documentation Framework.
  3. Obtain affirmation that the Organisation and its Management are committed to pursuing ISO 27001 certification.
  4. Decide if the Organisation is fit to undergo the ISO 27001 Stage 2 Audit.
  5. Suggest improvements by issuing a Corrective and Preventive Action Report, so that the Organisation is fit and ready for the ISO 27001 Stage 2 Audit.

ISO 27001 Stage 2 Audit – Final Certification Audit

Upon satisfactory completion of the ISO 27001 Stage 1 Audit, the ISO 27001 Accredited Certification Auditor will propose a date for the Stage 2 Audit, typically within 2 – 8 weeks of the Stage 1 Audit.

The main focus of the ISO 27001 Stage 2 Audit is to conduct interviews and assess evidence and records from your Organisation’s ISO 27001 implementation. The ISO 27001 Stage 2 Audit is conducted by sampling evidence. Upon completion of the ISO 27001 Stage 2 Audit, a Final Certification Audit Report will be issued.

Tips: I recommend conducting a simulation of the ISO 27001 Stage 1 and Stage 2 Audit with an experienced ISO 27001 consultant to prepare every Auditee for what to expect during the ISO 27001 Certification Audit.

Tips 2: On the day of the ISO 27001 Audit, avoid dependency on your ISO 27001 Consultant. In most situations, the Accredited Certification Auditor would not allow an external ISO 27001 consultant to reply and answer on behalf of your organization. Auditors wouldn’t like to read this, but it is highly useful: create a WhatsApp Group Chat to raise questions so that your ISO 27001 consultant can guide you to the right area.

Phase 7: Enhance – ISO 27001 Continuous Improvement

Enhance is a phase where you continuously identify Areas of Improvement in your ISO 27001 Framework and constantly implement the ISO 27001 Controls based on your organization’s policies and procedures.

Cyber threats and vulnerabilities are constantly evolving. The risks you identified earlier may have since been exploited, or may no longer be relevant. Therefore, it is critical to repeat Phase 1 to Phase 6 continuously, on an annual basis.

Tips: Top Management, Founders and Leaders of the organisation play the most crucial role in ensuring the ISO 27001 Management system stays relevant. Consistent awareness campaigns should be implemented to ensure the Organisation is always alert to the ISO 27001 Policies and Procedures.

Disclaimer: There may be specific details that I have missed out on. Please feel free to DM me for more information or suggestions for improvement.
