Whether you’re a small organisation with limited resources or an international firm, achieving ISO 27001 certification will be a challenge.
Anyone who has already been through the process will know that. You must assemble a team, conduct a gap analysis and risk assessment, apply security controls, create documentation and perform staff awareness training. And that’s before you even get into internal audits and certification audits.
To make matters more complicated, once you’ve certified to ISO 27001, you must maintain your compliance status and regularly recertify.
Organisations must do this to ensure that they have maintained their compliance practices and accounted for changes in the way they operate.
In this blog, we look at the key issues you must address if you are to maintain ISO 27001 compliance.
How often do you need to recertify to ISO 27001?
An organisation’s ISO 27001 certification lasts three years. The certificate itself will state the date at which certification was issued and when it will expire.
As that day approaches, the organisation must apply for recertification. This can be with the same body that performed the initial audit or it can be with another registrar.
How to maintain ISO 27001 certification
Organisations can ensure that their ISO 27001 practices remain compliant by following these seven steps.
1. Continually test and review risks
Your ISMS (information security management system) was built to address risks that you identified during the certification process, but the threat landscape is constantly evolving.
As such, you must regularly monitor the risks you face to ensure that your defences are adequate. Part of this process will involve vulnerability scans and other tools that can automatically spot new risks. However, you should also perform more rigorous tests on a regular basis.
To remain compliant, you must complete an ISO 27001 risk assessment at least once a year or whenever you make substantial changes to your organisation.
You can use the results of the assessment to determine whether your controls work as intended and whether additional defences should be adopted.
2. Keep documentation up to date
The policies and processes you wrote during the initial implementation will have been created specifically for the way your organisation operated at that time.
However, your operations will no doubt evolve, and you need to ensure that your documentation takes that into account. Have you made a significant change in the way you perform certain actions? Have you undertaken new activities involving sensitive data? Have the physical premises changed in any way?
If the answer to any of those questions is yes, then you must amend your documentation accordingly.
3. Perform internal audits
An internal audit provides a comprehensive review of the effectiveness of your ISMS. Alongside a risk assessment and a documentation review, it will help you assess the status of your ISO 27001 compliance.
You will have conducted an internal audit as part of your initial certification process, so you should already have the framework to hand, which you can repeat as part of your compliance maintenance.
4. Keep senior management informed
Unless you are extremely lucky, the maintenance practices outlined above will reveal weaknesses that you must address if you are to remain compliant.
Remedying those vulnerabilities will take time and resources, which requires you to gain board-level approval. As such, you should keep senior management informed of both your activities maintaining the ISMS and the benefits that it has brought.
For example, your defences might have played a direct role in preventing a data breach or cyber attack. If so, you should have logged and investigated the event, in which case you’ll have proof of the ISMS’s effectiveness that you can bring to the board.
An ISMS isn’t just about preventing security breaches, though. It also helps organisations operate more efficiently and responsibly. You should also provide evidence of this, presenting key performance indicators and interviews with employees and other stakeholders.
5. Establish a regular management review process
In addition to informing the board of the ISMS’s successes, you should also involve them in the review process. This is where you can discuss opportunities for improvement or necessary changes that must be made.
There is no requirement for how often the management review should take place, but it should be at least once a year and ideally every six months.
6. Stay on top of corrective actions
If there’s a theme to these tips, it’s that your ISMS isn’t set in stone. As such, it should evolve to meet the threats that your organisation faces.
By regularly monitoring the effectiveness of your ISMS, you should be able to perform corrective actions that prevent weaknesses from spilling over into major problems. Some of these changes could be minor tweaks to processes and policies, or the addition of a new tool.
However, some corrective actions will require a significant overhaul of your practices. These should be discussed during the management review process and could involve ongoing adjustments and monitoring.
7. Promote ongoing information security staff awareness
One of the key principles of ISO 27001 is that effective information security is everybody’s responsibility. Compliance should not be left to the IT department or managers.
Anyone in the organisation who handles sensitive data plays a role in the organisation’s security. They must understand their obligations for protecting sensitive information and appreciate the stakes involved.
You are required to provide staff awareness training as part of your certification process, but those lessons should be repeated on a regular basis. As with your management review, training should take place at least annually, and ideally twice a year.
For organisations looking for a quick and effective way to meet their staff awareness training requirements, IT Governance is here to help.
Our Information Security & ISO 27001 Staff Awareness E-Learning Course contains guidance on everything you need to know about the international standard for information security.
With this 45-minute training course, you can enable your employees to demonstrate their competence in information security and ISO 27001 with digital badges.
The package comes with an annual licence, making it quick and easy to refresh employees’ knowledge on a regular basis.