Top tips from our ISO 27001 certification process as a SMB:
1. Give yourself plenty of time
Achieving ISO 27001 and successfully implementing an Information Security Mangement System (ISMS) takes a lot of hard work and time. Some companies set themselves a deadline of three months or have a time limit set for them, but realistically everything under four to five months is tight. The amount of time spent on implementing an ISMS varies from business to business, but if you have not done anything around cyber security or data protection before, it makes sense to create an implementation plan over 5-6 months. Also, you always want to have plenty of time between the Stage 1 and the Stage 2 audit, which leads us to the next point.
2. External audits
Once you have successfully implemented the ISMS, your auditor will look at all your efforts and see if your organisation is ready for the Stage 2 audit. At the Stage 1 audit there are no non-conformities yet, just suggestions for improvement. In most cases, you will go away with at least some points that should be addressed prior to the Stage 2 audit. At CyberSmart we decided to leave a month between Stage 1 and Stage 2 so that we can adequately address any issues that were raised in our first audit.
3. Team, team, team
A company can only get ISO 27001 certified if you have the management buy-in but also the support and commitment from all team members. It is crucial that the company adopts a security-aware culture – or as we call it at CyberSmart – “Secure by Culture”. Otherwise, incidents will be undetected, policies and procedures will get locked away in a cabinet and only be looked at right before the next audit. That is not the purpose of an ISMS and continuous improvement.
4. Ongoing work
Once you are ISO 27001 certified the work doesn’t stop. In fact, it will probably increase as you now have to maintain all the controls, policies and procedures that you have implemented. Also, an internal audit should be performed on a regular basis to identify how effective the ISMS is and where there is room for improvement.
In short, implementing an ISMS and getting ISO 27001 certified takes time, commitment and a lot of work, but it is worth it.
