Product

Solutions

Learning

Company

Product

Solutions

Learning

Company

Maintaining your ISO 27001 Certification

How to Maintain ISO 27001 Certification

As old the saying goes no good deed goes unpunished, and some may feel that goes with the aftermath of a successful ISO 27001 certification project.

With your organization now certified, you might feel you could breathe a sigh of relief and take a long well-deserved vacation. Your ongoing effort to maintain your ISMS during the next cycle for re-certification will obviously be a breeze in comparison. Sorry to be the bearer of a hard truth, but as soon as the congratulations and shoulder patting start to diminish, you will notice that your organization will want more. As a professional, you might be asking yourself: What is the next step? How can we surpass a feat such as a successful ISO 27001 certification?

There are several new goals to pursue and they are a worthy challenge for any seasoned champion.

Avoiding pitfalls and ensuring continual improvement

By now you know that certification is not the finish line, some could even say that certification is just the beginning, and rightfully so. You can't just stop paying attention to your ISMS (Information Security Management System); it will cause your subsequent maintenance audits not to go so well for you.

Some post-certification pitfalls may be failing to maintain a proper internal audit effort or forgetting about management reviews. Even the best-designed ISMS must undergo periodic reviews to ensure it is still pertinent to your organization context. A simple thing such as staff turnover can have a significant impact if a critical team member leaves.

All these aspects should fall within the scope of a regular risk analysis process. Any change in the environment, essential personal or business process that requires new or modified controls must be shown in your statement of applicability. Some changes may even have a direct impact on your certification scope, requiring you to review and update the ISMS documentation to correctly reflect the post-change environment.

Going above and beyond the call of duty

While maintaining and continually improving your ISMS is an important task, you should not limit yourself from taking a step further in achieving more value to your organization. During the certification process, you probably noticed that in achieving ISO 27001, you established several controls that can be used to benefit areas other than information security.

One of the biggest changes in the ISO 27001:2013 update, was the alignment with Annex SL (formerly known as ISO Guide 83), which standardizes definitions and structures for different ISO standards, including ISO 9001, ISO 14000, ISO 20000, ISO 22000, ISO 22301.

What this means is that in pursuing an ISO 27001 certification, you already created some of the assets for further certifications that can add significant value to your business. You could add the quality management ISO 9001 standard, however combining a certified ISMS, with properly managed IT services, and a robust business continuity model, is an excellent way to attract new customers:

  • ISO 20000: Starting with 20000-1: Service management system requirements, the focus of this standard is to provide the requirements for the design, transition, delivery and improvement of services that fulfill service requirements and provide value for both the customer and the service provider. It requires an integrated process approach when the service provider plans, establishes, implements, operates, monitors, reviews, maintains and improves a service management system (SMS)

  • ISO 22301: This standard is considered one of the best frameworks for managing business continuity in an organization. ISO 22301:2012 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented business continuity management system (BCMS) to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.
    While the effort of implementing and maintain more than one "management system" at once might appear daunting at first, the fact is you already have a great head start: more mature process, top management commitment and a more disciplined corporate culture.

Time to try something different

You may be no longer interested in ISO, the mere mention of these three combined letters are giving you regular headaches. It is time to take another step further and try something new!

  • COBIT: With its last update, COBIT has moved to an even more strategic approach towards IT governance. Aligning business strategy with IT strategy goes way beyond information security, but with your ISO 27001 certification, at least five of the twenty-seven IT governance/management processes have been implemented.

  • PCI-DSS: While 27001 has a broader approach and public, if your company process, store, or transmit credit card data, compliance with the PCI-DSS standard is obligatory, with different levels of requirements depending on the volume of cards processed. Can you use them together and benefit from both? Sure! They are quite compatible indeed! Many controls of both standards are similar; the integration will be simple! You just have to understand that while a management system will use generic controls, PCI will focus on specific controls for credit card environments.

  • SOC 2: Through reading "Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy" it is easy to grasp how SOC 2 and 27001 can work together. The SOC 2 examination is an independent evaluation of the service organization's controls that are designed and operating effectively to meet the applicable criteria in one or more of the five Trust Services Principles and Criteria (i.e. Security, Availability, Processing Integrity, Confidentiality, or Privacy). If you are unsure what to pursue first, have a read of our blog post entitled ISO 27001 or SOC 2? How to decide which audit to pursue first, but presuming you are already 27001 certified, it is not that difficult to go for SOC 2 and benefit from another great way of communicating company commitment to information security.