Primary Steps for Achieving ISO27001 Certification

This presentation explains the steps for achieving ISO27001 certification. It is intended for organizations that are implementing or upgrading an information security management system (ISMS) in line with ISO27001 guidelines.

Transcript and Presenter's Notes
Primary Steps for Achieving ISO 27001 Certification
Step 1: Get Acquainted with the Standard
As the person responsible for information security within your organization, whether you are the CEO, the owner, the CTO or the Information Security Officer, you should obtain a copy of the standard ISO/IEC 27002 code of practice and read it. Upon reading, you will realize that this is a management standard. It is essentially an overview of best practices to ensure the integrity, confidentiality and availability of your business data.
www.certificationconsultancy.com
Step 2: Involve your Team
Initiate the first round of discussions with your employees at all levels and perform information security profiling within your organization.
Step 3: Define the Scope of your Implementation
ISMS stands for Information Security Management System. At the beginning it is important to define the scope of the ISMS, whether it is one layer of your company, a department, a floor or even a single process.
Step 4: Get Started with a Risk Assessment
Define the risk assessment approach. You may want to take a look at ISO/IEC 27005, a subsection of the 2700x standard series, which is specifically focused on risk assessment.
Step 5: Identify your Information Assets
Define both the tangible and intangible assets within the scope of your ISMS. These assets can be people, buildings and everything in between.
Step 6: Assess the Risk to the Assets
Perform a risk assessment exercise for the various assets within the scope of your ISMS. This involves identifying the threats relevant to each asset, the vulnerabilities of the asset to each threat, the impact of the threat and the probability of the threat becoming a reality.
Step 7: Design a Risk Management Strategy
The relationship between an asset and a threat is considered a risk. Select controls from ISO/IEC 27001 that hedge against the identified risks. Guidelines on the implementation of these controls are in ISO/IEC 27002. You may also need to define your own specific controls.
Step 8: Obtain the Results of the Risk Assessment Required by ISO/IEC 27001
The most important report is the SOA report, or Statement of Applicability, which should display the information security risks within the scope.
Step 9: Training and Awareness
Develop a customized and focused information security training program to build awareness of information security for everybody in your company.
Step 10: Get Ready for Business Continuity Planning
The risk assessment is only one of the three steps required for a full implementation of ISO/IEC 27001. The other two are business continuity planning and the development of an organizational manual containing procedures, processes and policies.
Thanks.
For more information about ISO 27001 certification consultancy, documentation, auditor training and Information Security Management Systems (ISMS), visit the global website www.certificationconsultancy.com