How to achieve ISO 27001 certification for your organisation

But first: more about ISO 27001

ISO 27001 certification is the globally recognised standard for information security.

It covers complying with laws and regulations such as GDPR, safe on- and offboarding of employees, secure development, the security of assets including laptops and mobile phones, authorisations, cryptography, and physical security.

A breach of personal data, a DDOS attack or the circulation of phishing email traffic, the smallest error in an organisation can have major consequences. ISO 27001 certification in itself does not directly guarantee that the above situations will never occur, but it does guarantee that there are precautions and emergency procedures in place to guide your organisation on how to act quickly and thus reduce negative impacts.

To obtain ISO 27001 certification, you must demonstrate that your organisation has successfully implemented 114 unique control measures. This proves that your organisation is compliant with these measures to a team of external auditors, and you will be awarded official ISO 27001 certification for three years.

External auditors will visit your organisation to confirm that you are maintaining or improving on the ISO 27001 standards.

ISO 27001: Availability, Integrity, Confidentiality

The 114 control measures cover the most important characteristics of a reliable information security policy: availability, integrity, and confidentiality.

Availability: Data should only be available to authorised users when they need it. This also means that systems, networks, and devices must always remain operational.
Integrity: is your data correct and can you trust the source? A data policy with integrity means keeping data in the correct state – untouched and correct, authentic, and reliable.
Confidentiality: How secure is the data that your organisation uses? This often means that only authorised users and processes are allowed to access or modify data.

Why do you want your organisation to be certified?

Securing your information efficiently isn’t optional in the digital world, it’s an absolute necessity. ISO 27001 is the most reliable way to demonstrate to your clients that your organisation has everything you need in the field of information security, and it also makes you stand out from the competition.

iO's learnings

Consider the road to an ISO 27001 certificate as an opportunity to raise employee awareness about information security : think of sharing new policies in this area and making the role that security has within your organisation more prominent. It’s a great opportunity to help your teams to understand that information security is a necessity in the digital world.
It’s important that you make sure that this level of information security fits with the culture and objectives of your organisation, to ensure that your efforts are widely supported.
Thinking of drafting your own information security policy? Keep it brief: a maximum of one A4 is enough.
Don’t think about ISO 27001 certification as the end goal, but as the starting point of implementing information security processes within your organisation. It is the start, rather than the goal, of a higher level of security.
Provide dedicated security teams as points of contact for information security, incidents, and privacy-related matters

Make sure that your security teams and the Information Security Officer are always accessible quickly and easily.

Time for a conversation about iO, ISO 27001 and your organisation?

Contact us. We are happy to share our knowledge on proper information security processes and give you an insight into the steps we took to comply with the ISO 27001 certification.