ISO 27001 Information Security Management Standard - Certification Step 4

Posted by Craig Thornton

Part 41 - Getting Certified to ISO 27001 – You're Certified

After many thousands of hours and plenty of hard work, you have created, established and are maintaining your information security management system (ISMS).  Since then, your ISMS:

  • Has been audited by a Certification Body (CB) in two stages (Stage 1 and Stage 2)
  • Is certified, with a new ISO 27001 certificate on the wall at reception, and
  • Has been celebrated with a big party or a couple of biscuits at a morning tea.

Therefore … job well done.


Don’t Rest on Your Laurels

Well, for one thing, don’t rest on your laurels.  Don’t think that the job is over and done with.

More work is required to make sure that the ISMS keeps adding value to your business.

You may have spent thousands of dollars on consultants and the CB external audit.  On top of that, the time you have spent on the system is itself a cost to the business.  Therefore, your Management Team and even your Board may be looking at you, the Information Security Manager, and asking “show us the money” or “where is the return on our investment in an ISMS?”

Therefore, you need to show pay-back. How do you do that?

Your ISMS Needs to Show Pay-Back

Well, you need to work hard and measure the value-add to your business.  This requires foresight and planning.

Think about the areas of your business where the ISMS has helped to reduce costs.

In addition, think carefully about where the ISMS could have been used to reduce waste.

Finally, ask the sales team whether they have won extra jobs because your organisation is ISO 27001 certified.

Add that value up and present it to the Management Team or Board to prove that getting certified wasn’t a waste of time.

Review Your ISMS

What else should you do?  Well, for one, you should be reviewing the ISMS regularly.

For example, one thing we are doing here at Mango is to have all our employees attend the monthly Management Review meeting.  In that meeting we talk about the adequacy, effectiveness and value the ISMS is bringing to the business.  We discuss the objectives in detail and look at the results against the objectives.

You need to keep improving and updating your ISMS so that it remains effective and keeps adding value to your business.

You need to demonstrate to Management that the ISMS is not a time suck and that it makes their job easier.

Winning over Management will mean that the ISMS will have longevity.

Takeaways

  1. Start measuring the pay-back of your ISMS.
  2. Present the results to Management and the Board.
  3. If the ISMS is adding no value to the business, stop doing it.
