How to stay ISO 27001 compliant
Yeah! ISO 27001 certified! And now?
No matter if you are a small organization with limited resources or a large international company, ISO 27001 certification is a challenge.
Especially those who have been and continue to be more deeply involved in this process know this. Apart from the fact that everyone in the company is part of this project in whatever intensity, a responsible team has to be put together, which has to deal with gap analysis, perform risk assessments, apply security controls, create plenty of documentation and conduct employee training (yes, every employee contributes his piece). And when all that is already done, there's still no certification hanging on the wall in a pretty picture frame - matching the office décor! To all the "remote players": "Certified" is one of the most popular tattoos these days. If you later change industries and prefer to do photography.... sure thing. "Certified" always matches!
Then, when the certification is finally in the bag, because one has prepared oneself excellently, real life starts. Yes, after the wedding is before the divorce, and since that wasn't the purpose of all the effort, you naturally want to maintain the compliance status of ISO 27001 certification. Whether the obligatory "Date-Wednesday" will suffice in this case is somewhat doubtful.
Why is all this necessary in the long run? Quite clearly, anyone who is certified also has a responsibility. If you get a pet raccoon, you can't celebrate the day it moves in with party hats and Instagram posts and then leave the animal to its own devices. The fact is, the raccoon doesn't help with the dishes. He has everything else on his mind but keeping things "in order"! So, organizations that claim to be "ISO 27001 certified" need to ensure that compliance practices are maintained while fully embracing changes in the way they operate. What was preached in the audit must be continuously maintained!
So how do we maintain hard-won ISO 27001 compliance?
The process of maintaining ISO certification
Yes, okay, we have the certification for now, please take a breath. Sorry, no. The ISO 27001 certification that we have received will not last forever. As mentioned earlier, ISO certification is an ongoing process.... kind of like "breathing!" It is valid for three years. Just like some marriages or pets (hamsters). However, your auditor will perform a preliminary audit each year to review certain aspects of your ISMS and determine if they are still compliant.
If those aspects are not in order, you will have to undergo another full audit, just like the first year, to keep your certification.
If everything is "good", this is a "normal" schedule:
Year 0: You successfully complete a full audit and receive your ISO 27001 certification.
Year 1: Surveillance Audit
Year 2: Surveillance Audit
Year 3: New full audit
Difference between Surveillance Audit and Certification Audit (full audit)
The main purpose of the Surveillance Audit is for the certification body to find out whether or not your management system really works in daily practice. The focus is on things that could not be checked in the Certification Audit: i.e. the surveillance audit focuses on points that were identified as weaknesses in the certification audit or in a previous surveillance visit - minor non-conformities and areas where the auditor made some observations.
Quickly, aspects of your ISMS can change and no longer comply with ISO 27001. This can be due to built-in software updates, incorrect implementation of security policies, or any number of other reasons.
So what to do to stay compliant during the three-year audit cycle and beyond?
Set up and implement a well-defined onboarding and offboarding process
A key component of ISO 27001 compliance is restricting access to sensitive data so that it is only visible to specific employees. Compliance depends on removing access rapidly and thoroughly when employees and contractors leave the company or change roles.
Therefore, it is important to implement a streamlined onboarding and offboarding process to ensure that these changes are made quickly and correctly. Make sure this process is also well documented, because even employees who make these changes may change roles within the company or just take new paths outside.
Establish a clear succession plan
This is where a clearly defined succession plan comes into play. This specifies which person on the team will take over which aspects of ISO 27001 compliance in the event of an unexpected departure. Again, the "ISO-popular" word "documentation" comes up here. This is because these detailed specifications enable the successors to take over the tasks quickly and smoothly.
So let's take a closer look at the role of the responsible team members!
Clear designation of the responsible employees
The faster the company grows, the bigger the ISMS. So there's no denying that certain things are easily overlooked. ISO compliance can quickly be threatened. This happens especially in larger companies. The internal communication devil can quickly creep in and so it can unintentionally happen that an employee is not even aware of his task. To avoid this, it must be clearly defined which team member is responsible for which aspects of the ISMS. This is the only way to maintain ISO 27001 compliance.
Updating risk management policies as new threats emerge
Hackers are constantly finding new ways to get around security roadblocks. New hacking opportunities are continually evolving, and new vulnerabilities are emerging at the same time. Helpful here: a team member who keeps up to date on the latest risks.
Maintaining a single repository for all ISO 27001 documentation
For every audit, they need to have all the documentation your auditor wants and needs to see. These documents include, for example, policies and procedures, security vulnerability reports, etc. Therefore, you should set up consistent locations where all documentation is stored. Tip here: Quickly identifying when the last update of each document was will help prepare for the next audit! Maybe something needs to be "refreshed"....
Continuous monitoring with an automated compliance platform is best.
The tools and platforms you integrate, including cloud providers and other key aspects of your ISMS, impact compliance with the ISO 27001 standard. That's because if you don't monitor your integrated products, as well as everything else in your ISMS for violations and issues, you're not compliant and their certification can quickly go out the window. So you need a continuous monitoring strategy.
An automated platform alerts you immediately when something is wrong. This allows you to take immediate action so you're not caught off guard the next time a pre-audit occurs. Instead of manually monitoring your system, an automated compliance tool can scan your system, gather evidence of compliance, and alert you to missing requirements - all without you having to do anything yourself.
And we can help you do it! Get a trustworthy compliance tool on your side and schedule a consultation with us!