ISO 27001 Implementation Guide
How to start your journey to ISO 27001 certification
Start your journey toward ISO 27001 certification by setting clear, concise strategic objectives.
This article is the first of a series of how-to articles dedicated to explaining each step of the ISO 27001 certification journey. From these articles you’ll learn how to start, build an asset register, create a risk management framework, build the ISMS, and more. But let’s not worry about all of that for now; in this article we’ll just cover the very first step: setting your strategic objectives and determining your scope.
Reading time: 6 minutes
These articles will reference the standard itself and many of its finer details and clauses. If you want them to make even more sense and help you on your journey to certification – buy the standard!
If you are unfamiliar with ISO 27001 and what it entails, you may find it useful to read our ISMS introductory articles first to gain a better understanding of the standard overall.
Determining the strategic objectives on your journey to certification
To begin your journey to ISO 27001 certification, we believe it’s important to define your strategic objectives at the very start. This may seem counter-intuitive if you have already read the standard, because the standard places information security objectives later, under clause 6.2: “The organization shall establish information security objectives at relevant functions and levels.”
In our experience, it is more effective to define your strategic objectives first because your objectives will influence your scope, and the scope (clause 4.3) must be decided on at the beginning.
Examples of strategic objectives from real organisations
Given that the main purpose of an Information Security Management System (ISMS) is to “…[preserve] the confidentiality, integrity and availability of information…” (ISO/IEC 27001:2022, clause 0.1), it makes sense to have this as an overarching strategic objective. When you say “we want to become certified to ISO 27001 to better protect our information”, you mean protecting its Confidentiality, Integrity and Availability. This is often referred to as the CIA triad.
In addition to this overarching objective, you might want to choose others that apply to you from the examples below.
These are just examples; feel free to use them as you wish and/or add some of your own. They need to be right for you.
- To enable us to respond to tenders where ISO 27001 certification is a requirement
- To ensure the security of the information held within [insert the name(s) of the system(s) you wish to protect]
- To reassure our clients and other commercial partners about the quality of our work and the security of the information we process and/or control
- To establish our credibility as a reliable and responsible business partner
- To increase the maturity of our business in terms of quality, efficiency, effectiveness and governance, thereby enabling scalability
- To win [insert number of desired new clients] new clients as a direct or indirect result of obtaining ISO 27001 certification
Determining your scope
Clause 4.3 of the standard asks you to determine the “scope” of your management system at the beginning of your journey. The scope of a management system can include the whole of the organisation, or specific functions, departments, locations or systems. What you determine as your scope is entirely down to you.
Bear in mind that in a small organisation the scope is very likely to be the whole organisation, as it will be difficult to draw meaningful boundaries around anything smaller.
The key question to ask is: “What information do we want to protect exactly?” To help you answer that question, ask yourself:
- What information would our customers, partners, suppliers, shareholders and other interested parties want us to protect?
- Is this information digital? paper based? both?
- What system is this information stored in?
- Where are the servers? Are they in-house/on-premise? In what building? Cloud-based provided by a supplier?
- Who is responsible for the information?
- Who has access to the systems, filing cabinets and the information they contain?
What is NOT in scope (if anything) should be specified just as clearly as what is IN scope, along with the interfaces and dependencies that your in-scope assets have on activities performed outside the scope or by other organisations (clause 4.3 asks you to consider these when determining scope).
The standard requires your scope to be available as “documented information”, i.e. it needs to be written down in a controlled document (more on that later), so make sure to write down your chosen scope now.