Copyright © 2013 BSI. All rights reserved.
The journey to ISO 27001 certification
Jul 16, 2015
The start of the journey – who will manage this?
So what is the journey to certification?
• At some point the business has a brainwave
• Or a client asks ‘do you have certification to ISO 27001?’
• And of course we don’t
• So what happens next?
• The idea of certification is then bounced around the business – do we need it? What will it cost? Who will do it?
The journey to certification (cont.)
• And then the question is asked: does it belong to the IT Director, the Quality Director or the Security Manager?
• And it lands on your desk, with no background of why and where.
• So what do we do next?
• What are we going to ask?
• Who are we going to turn to for help?
The journey to certification: What are the questions?
• What is this for?
• What money do we have?
• Do we have any resources?
• Is there any training?
• Has anyone looked at the Standard?
• What will be the Scope of the Certification?
• How much time do we have?
The journey to certification: What will we need in the ISMS?
• Security policy
• Organizational security
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• System development and maintenance
• Business continuity management
• Compliance
The journey to ISO 27001 certification: Planning
30/01/2015
Planning phase
We now need to spend time planning the task.
We should spend:
• 80% of our time planning
• 20% of the time implementing
But we spend:
• 20% of our time planning
• 60% of the time fire fighting
• 20% of the time implementing
The fire fighting then ends up lasting the life of the system or until our retirement, whichever comes sooner.
Planning phase
• Security policy
• Organizational security
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• System development and maintenance
• Business continuity management, ISO 22301
• Compliance
What are the next steps for implementation?
Project plan
• We will be following a defined project plan
• The plan has 4 stages and 18 defined steps
The journey to ISO 27001 certification
Stage 1: Commitment to implement
Commitment to Implement
The journey to ISO 27001 certification
Stage 2
The journey to ISO 27001 certification: Stage 2
• Receive Training
• Perform Gap Analysis
• Prepare Implementation Project Plan
• Estimate Costs
Where we are …
The journey to ISO 27001 certification
Stage 3
Implement and Operate
• Support Project
• Monitor Project
The journey to ISO 27001 certification
Stage 4
Monitor, Measure and Review
• Management review
• Prepare for Certification
The journey to ISO 27001 certification
Lessons Learned
So what are the lessons learned?
We rarely look at the lessons learned. Let’s look at some of the main lessons for us all.
1. Lack of Commitment
2. Time
3. Resources
4. Scope and boundaries creep
5. Training and awareness – the impact on our process.
6. Project Management – the need for good project management.
The journey to ISO 27001 certification
Certification process with BSI
The registration process
• Obtain quotation and submit application
• Client manager appointed
• System reviewed to ensure standard requirements addressed and registration assessment planned
• Initial assessment conducted
• Conformity and effectiveness of system to standard assessed
• Corrective action plan (if required) submitted
• Registration confirmed
• Certificate issued
• Continuous assessment programme (3 year cycle)
• Total client care
Consider certification
Contact BSI
• www.bsiamerica.com
• 1-888-429-6178
• Ask your Account Manager
Stage I Assessment
• Documentation review
• Assessment of the MS planning and readiness
• Corrective action (if applicable)
• Planning for Stage II
Stage II Assessment
• Assessment of the implementation of the MS
• Assessment of risk management
• Corrective action (if applicable)
• Certification recommendation
Certification
• Clear corrective actions
• Certification review process
• Surveillance assessments
• 3-yearly recertification assessments
Contact Us
Address: BSI Group America Inc.
12110 Sunset Hills Road, Suite 200
Reston, VA 20190
Main Office Telephone: 888-429-6178
Fax: 703 437 9001
Email: [email protected]
Links: http://www.bsiamerica.com