After ISO 27001 certification, your hard works not ends. The real job is about to start because Information Security Management System does not stop at certification. As you may know, it is not enough for a successful certification and then expects your organization to continue to perform at the desired level while using intelligent work practices. The goal should be making compliance to the standard is a habit; Otherwise, long-term benefits would not be achieved. The benefits are real, but they will need to continuously improve their performance to experience them.

The good news is that you already have all the directions in the ISO 27001 documentation, but here’s an overview on what you have to focus on:

  1. Operate the ISMS

First, you must ensure that you performed all the activities described in their policies and procedures. The meaning of this is not that you artificially create files and pretend that you do some activities because the auditors. It means that, compliance all the requirements of all your documents and produce the actual records.

  1. Update the ISO 27001 documentation

The circumstances of your company are change. This means that you will have to update your policies or procedures otherwise they will become useless. The best practice is to designate an owner for each document, and this person will review your document periodically (usually once a year) and recommend changes.

  1. Review the risk assessment

Again, due to changed circumstances, threats and vulnerabilities change, which means the risks change. And if the risks have changed, it means that your existing controls are not sufficient. This is why you should send the results of the latest risk assessment to the risk owners so they can review and update as necessary. Once this is done, you must implement new controls based on these results. This review should be done at least once a year, or more often if there has been a significant change.

  1. Monitor and measure the ISMS

Although this one seems too abstract and probably the most difficult to achieve, it is also one of the most important; If not, how do you know if you are doing a good job or not? When monitoring, you need to look at several security-related incidents such as errors, exceptions, events, and so on. Based on this information, you can learn to do better and how to prevent other incidents from happening. But that’s not all – you need to measure whether your ISMS is achieving the desired results. To do this, measure whether the objectives have been achieved

  1. Perform internal audits

An internal ISO 27001 audit can reveal much more security weaknesses than most other activities together. To do this, you must train some of their employees to do this job, or hire an external auditor. Whichever option you choose, you must activate that person to do the job thoroughly and be prepared to act on the audit results.

  1. Perform management review

This is a crucial activity as it actively involves its top management in its information security. You should inform them about the key issues related to your ISMS and ask them to make critical decisions – for example, organizational changes, supply budget, removal of barriers.

  1. Perform corrective action

 The best practice is to continue to make improvements in an acceptable form for ISO 27001.

Remember that the certification body will perform surveillance visits at least once a year. They check all of the above points, and whether you’ve closed all the non-conformities of your last visit.

ISO / IEC 27001 can grow and change with your business, ensuring that information remains safe, no matter how it changes, and new security threats appear.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s