Behind the Badge: What It Really Takes to Maintain ISO 27001

Shan Jayasinghe
07 May, 2025

As a tech consulting company, Insighture recently navigated the journey to achieving ISO/IEC 27001:2022 certification. ISO/IEC 27001:2022 is the internationally recognised standard for Information Security Management Systems (ISMS), and it is not relevant only to the IT industry. In this article, we share what we learned along the way, including the unexpected hurdles and the ongoing effort needed to maintain compliance.
While we don’t offer ISO-specific consultancy, our experience offers practical insight for any company beginning or continuing this journey. Here’s a behind-the-scenes look at the steps, obstacles, and takeaways from our own path to maintaining ISO 27001.
Have you just received your ISO/IEC 27001:2022 certification? Congratulations! This article will cover what comes next. Unfortunately, with ISO certifications, it is not a one-and-done kind of deal. You have to:
- Constantly monitor adherence to the established policies and procedures.
- Conduct regular risk assessments.
- Consider external and internal issues.
- Consider the needs and expectations of your stakeholders and interested parties.
- Conduct management review meetings.
- Have internal audits performed on your organisation.
All of these are high-stakes items. Worst of all, for everything the standard requires, you not only have to do it but also have to produce clear evidence that you did.
Let us start with the first obstacle you will most likely trip over: Nonconformities (NCs). Here is a breakdown of how to address NCs.
Addressing Nonconformities (NC)
Addressing nonconformities is often the first challenge after certification. It requires attention to detail, collaboration, and thorough documentation to stay compliant.
- Make sure you understand the NC fully. Break it down until it is clear exactly which requirement or control was not met and why.
- Work with the Information Security Manager to determine the root cause and agree on a corrective action. The standard expects corrective action to address the cause, not just the symptom, and to be reviewed for effectiveness afterwards.
- Once you arrive at a solution, if you are unsure, contact your ISO consultant and get confirmation.
- Implement the solution.
- It is crucial that you fill out the Non-Conformity Report (NCR) with all the required information (the NC, its cause, the corrective action taken, and the evidence that it worked) and submit it to the relevant body. Retain it as ISMS documented information; the auditor will want to see it at the next audit.
During audits, NCs are common, even with preparation. What matters most is how swiftly and thoroughly you respond.
There is a particular cycle when it comes to ISO 27001: you must gather the needs and expectations of stakeholders, collect information on new internal and external issues, conduct risk assessments, form and finalise objectives, conduct internal audits, and, of course, hold management review meetings.
Let's break it down, one by one.
Needs and expectations of stakeholders and interested parties
Hopefully, you already have a list of all your stakeholders and interested parties. If you do, great. If not, put one together as soon as possible, and keep it current: new interested parties appear over time, so be on the lookout for them.
The most effective way to gather this information is to ask stakeholders directly, through a survey or questionnaire or whatever method suits your process. The other way is observation: if you notice that a client company is struggling with an issue, they likely need a solution, and you have an opportunity to provide one. In short, you either ask or you observe, and ideally you do both.
Internal and external issues
This is where the distinction between internal and external issues gets interesting. At first glance, it might seem obvious: internal issues happen inside the organisation, and external ones happen outside. But in the context of ISO 27001, it is more about control than location. Internal issues are those that the organisation can influence or manage directly. External issues, on the other hand, are beyond its control. For instance, a new government policy impacting your industry would be considered an external issue.
All of the current internal and external issues could be gathered in a couple of days, but it is better to treat the sheet of issues as a living document and add to it as issues arise, rather than rebuilding it before each review.
Risk Assessment
Once you have identified key issues, along with stakeholder needs and expectations, the next step is to assess them in a regular, ongoing risk assessment.
Not every issue or expectation warrants action; some do not present a significant enough risk or opportunity to require a response. This is where the risk and opportunity assessment earns its keep: it determines which areas truly need attention. Note that the assessment has two sides, risks and opportunities, and it should consider both. Where a risk or opportunity is significant, set an objective and develop an action plan to address it, and record the assessment itself, since the auditor will ask how you decided what was significant.
Objectives
Objectives can be created to address internal or external issues, following a risk/opportunity assessment.
For example, an internal issue could be that the firewall solution the company uses is lacking. The opportunity here is to upgrade it, so an objective can be created to move to a better firewall solution. Make the objective measurable where you can (what will be upgraded, by when, and how you will know it is done), because you will need to report progress against it at the management review.
Objectives can also come from the needs and expectations of stakeholders and interested parties, again following a risk/opportunity assessment.
For example, an employee might need a better computer to continue their work; an objective could be created to address that need.
Evidence and Documentation
Ensure that everything you do is well documented. Typically, your ISO consultant will provide the required documentation templates; ask for them if they have not already been provided. Documentation is important because it serves as evidence, but documentation is not the only evidence required.
In some cases you may need to provide screenshots of internal notices that raise awareness of security threats. In other cases you might need to show evidence of your business continuity during a simulated attack. At times, it felt like we were documenting the documentation. But this level of thoroughness helped us uncover internal inefficiencies and strengthen our controls in the long run.
Internal Audits
You will need to have an internal audit performed on your organisation. The audit covers how well your organisation's ISMS aligns with ISO 27001; only if absolutely everything is done perfectly will no NCs be raised. The auditor will most likely ask you to cycle through different documents, and a single document will often answer many questions about your compliance, so prepare every document as thoroughly as possible.
For example, document classification labels are critical: every document should carry the classification your scheme defines. During our first internal audit post-certification, we were surprised by how much we still had to streamline. It took us multiple iterations to get everything classified and labelled in line with the standard's requirements. But that process ensured that no document was left unaccounted for during audits.
Management Review Meetings
Management review meetings take place after the internal audit and cover all of the above and more. Typically, the ISO consultant will provide a list of the topics that must be discussed (the standard itself specifies the inputs the review must consider, including audit results, nonconformities and corrective actions, monitoring results, and progress on objectives).
The minutes of the management review meeting must also be recorded; the ISO consultant will provide a template for the document. Ensure that all the required details are noted, because the auditor will ask for these minutes at the next surveillance or recertification audit.
Monitoring
As stated before, ISO 27001 is a never-ending process, a cycle, some would say. The Information Security Manager should monitor everything related to the organisation's Information Security Management System (ISMS), from employees' compliance with policies to the performance of the controls the organisation has implemented. In short, all aspects of the ISMS must be monitored to ensure there are no gaps in the organisation's compliance, and the results of that monitoring are themselves evidence you will need at the next audit.
Continuous Improvement
Continuous improvement is one of the key things ISO 27001 pushes for: an ISMS that does not evolve is not acceptable. Whenever possible, set objectives to enhance the organisation's ISMS.
Conclusion
In conclusion, maintaining ISO/IEC 27001:2022 certification is a continuous process that demands dedication to monitoring, audits, and improvement. While it is challenging, the benefits are clear. For us, it strengthens our internal processes, improves agility, and ensures we stay secure and compliant. Most importantly, it adds real value for both our company and our clients, building trust and reinforcing our commitment to excellence.

More about the author:
Shan Jayasinghe
Shan is an intern - cybersecurity GRC at Insighture. He is also an undergraduate at the Sri Lanka Institute of Information Technology (SLIIT), pursuing a bachelor's degree in Information Technology, specialising in Cybersecurity. He’s passionate about computers and has just begun exploring the vast world of cybersecurity, excited for the journey ahead.