
Consultancy with broad horizons


No two certification programmes are exactly the same, but the end goal doesn't change: to demonstrate compliance with the standard. Consequently, we know the following steps will generally be required, even though what actually happens at each stage will vary from client to client.

1. Gap Analysis

The first step of any certification programme is to perform a Gap Analysis. Through structured interviews with key staff we gain an understanding of your business, what policies and processes are in place, and what needs to be developed and introduced or modified to ensure you will ultimately have an ISMS (Information Security Management System) that conforms to ISO 27001. Our findings are presented back in a detailed report which also includes an Action Plan; the plan effectively maps out the remainder of the certification programme.

2. Perform a Risk Assessment

It is a mandatory requirement that a Risk Assessment is undertaken for all the organisation's Information Assets. We will facilitate this, either using your own existing Risk Assessment process if you have one, or ours if you don't. Any Medium or High Risks discovered during the workshop will need actions to address them; these actions are added to the Action Plan.

3. Create the ISMS Framework

We need to create the structure of the Information Security Management System, the contents of which will vary based on the output from the Gap Analysis and Risk Assessment. Here at Vita Fugit we prefer to develop an ISMS Framework Document that describes the ISMS as a whole: it summarises in one light document all the policies, processes etc. that form the ISMS and points to the actual detailed documents themselves, so people can quickly and easily gain a high-level understanding and then, just as quickly and easily, drill down to the detail when they need to.

We will also develop an ISMS Dashboard which provides feedback to the management team on important aspects such as: outstanding actions, recent incidents, audit schedules, current document versions, etc. Having all this information available in one place makes management of the ISMS straightforward.

4. Develop and document any missing policies and processes

The next step is to develop and write up any policies or processes that have been identified as required but either don't currently exist or do exist but are undocumented. These documents are then filed in the ISMS Structure to create the ISMS as a whole.

Any newly created or modified policies and processes also need to be implemented in the organisation under the direction of the management team.

5. Internal audits

Most management standards employ the Plan, Do, Check, Act lifecycle to ensure the Management System continually improves. Along with the CAVs (Continual Assessment Visits) from the certifying body, e.g. BSI or LRQA, Internal Audits form a major part of the Check activity and provide an opportunity to identify where improvements can be made. We will carry out two Internal Audits on different aspects of the ISMS prior to the Stage 1 Assessment in order to get the Continual Improvement cycle started.

6. Stage 1 assessment

During the Stage 1 assessment the auditor reviews all the documents that make up the ISMS, including all the documented policies and processes relating to security management in the organisation. If the auditor believes there is an adequate and appropriate set of policies and processes in place, and that they meet the requirements of the standard, he / she will recommend going ahead with the Stage 2 assessment.

7. Review and act

It is quite possible the auditor will have found some things during the Stage 1 Assessment that he / she feels need to be developed in order to comply with the standard. This stage is our opportunity to make and implement those changes before the Stage 2 Assessment.

8. Security Awareness Training

We will have developed or modified a number of policies and processes during the programme so far, and we now ensure all staff members are familiar with what has been done by giving Security Awareness Training to all personnel.

9. Stage 2 Assessment

Stage 2 provides the auditor with an opportunity to see how well implemented the management system is. This is achieved by talking to key managers and other personnel throughout the organisation, asking them how they perform their role, and looking for evidence that processes have been followed, e.g. examining completed Change Request Forms, Employee Equipment Schedules, Access Control Registers, etc.