The journey to ISO 27001 certification

Understand the journey to ISO 27001 certification with our ISO 27001 guide

This hub is dedicated to guiding you to ISO 27001 certification. If you are interested in achieving ISO 27001, this series of posts will provide you with a wide-breadth of information, free templates and more. 

First, it’s important to understand all the steps from a bigger-picture view:

  1. Starting your journey
  2. Defining your information assets
  3. Identifying your risks
  4. Treatment plans & controls
  5. Writing documentation
  6. Build an ISMS tracker
  7. Operating your ISMS and undergoing audits

Reading time: 4 minutes

As you begin your journey to ISO 27001 certification it’s important to build a foundation of knowledge around the standard. You should start by gaining an understanding of what a management standard is, how it works and, more specifically to ISO 27001, what an Information Security Management System or ISMS is.

Once you have a strong foundation of knowledge you should be ready to set strategic objectives and determine the “scope” of your management system.

“How to start your journey to ISO 27001 certification” covers these topics and provides you with a free scope statement template, to help get you started.

Once you have laid the initial foundations for ISO 27001 certification it’s important to begin defining and classifying all your information assets.

The ISO 27001 standard defines information assets as information that is an asset to your organisation, or an asset that is associated with that information. This means that all your hardware, software, offices and people who have access to your information should also be considered as “information assets.”

To define and maintain all your information assets we have shared our asset register template in “Defining your information assets” alongside some handy tips.

Defining your information assets is an important stage in your ISO 27001 journey, however identifying your risks is just as important, if not more.

In “Identifying risks and adopting risk-based thinking for ISO 27001 risk management” we cover the importance of adopting risk-based thinking and how it can help you best build your risk register.

The risk register is an important part of ISO 27001, that enables you to identify risks, assess, prioritise them and ultimately decide the actions you will take should a risk occur. It is a comprehensive framework and can be hard to build from scratch which is why we included a free template for you to use at this stage.

To ensure compliance with ISO 27001, it’s absolutely crucial to have comprehensive treatment plans and controls in place to treat your risks, should a breach happen. This is why after completing your risk register, you should create relevant risk treatment plans, controls and a Statement of Applicability (SoA).

In “Treatment plans and controls” we cover some “risk” related-jargon and how to create risk treatment plans. Alongside understanding the 4 T’s of risk management, Annex A and writing a SoA. 

We have shared a free-to-use Statement of Applicability template in “Treatment plans and controls” to help you to keep progressing.

One of the most important components of achieving ISO 27001, is being able to write correct and successful documentation. The standard itself can often be vague, making the process of understanding how to properly write documentation much harder than it should be.

In “Writing documentation” we look at the full set of documents required for an organisation to be certified to ISO 27001. Alongside tips on how to understand the standards jargon, what the standard demands from documentation, and how to store, update and communicate documentation to your employees.  

Creating and operating an ISMS tracker is crucial to maintaining your eventual ISO 27001 accreditation. The ISMS tracker keeps track of all the items you need to track, the relevant evidence and people associated with ISMS items.

In “Building an ISMS tracker” we discuss tracking items in as few places as possible, namely the risk register, ISMS tracker and KPIs. As well as discussing the evidence you need to be tracking for different requirements. Alongside how you should ultimately operate your tracker and what system you should use.

Once you have created all your relevant ISO 27001 documentation, you should be ready to begin conducting internal audits to prepare for your stage 1 and 2 audits.

In “Your ISMS is ready to be audited” we cover what you should expect during a stage 1 audit, how you should perform internal audits, how you should maintain operation of your ISMS, and finally what you should expect from the stage 2 audit – the final step.

Picture of Elisabeth Belisle

Elisabeth Belisle

Elisabeth is an Associate Consultant of the British Standards Institute (BSI), a BSI qualified ISO Lead Auditor and member of the Standard Committee responsible for the publication of the BS 10008 Standard.

Elisabeth can help you decide if ISO 27001 is for you and support you through its implementation, all the way to certification.