Whitepaper: ISO 27001 certification

What are the steps to become ISO 27001 certified?

ISO/IEC 27001 is an internationally supported basis for information security. This standard specifies a management system with the intent of bringing information security under management control by specifying the controls required to secure information.

The ISO 27001 certificate is recognized worldwide as a basis for data security. The guidelines and requirements of the standard enable organizations to regulate information security on a structural basis. That makes ISO 27001 certification a solid foundation for securing business information. Certification is of added value for every organization that has to deal with financial risks and with risks in the area of privacy-sensitive information.

Many organizations already have some form of controls in place to manage information security, but with ISO 27001 these can be formalized. With ISO 27001 certification, organizations not only demonstrate to customers, partners and suppliers that they handle sensitive information appropriately, but also that they safeguard the privacy of their employees. This increases stakeholders’ confidence in interacting with these organizations and provides peace of mind about the business’ security risks.

Although every implementation of ISO 27001 differs, this whitepaper provides a guideline to some of the mandatory steps that should be included in every implementation.

Create business case

Every implementation of ISO 27001 starts with a business case. The business case describes the benefits the organization hopes to achieve by implementing a management system for information security.

Management support

Involvement from top management is critical to the design and effectiveness of any information security program. Management support further ensures that information security is aligned with enterprise strategy and governance, and helps with allocating the right resources to the project.

Inventory information assets

When implementing ISO 27001, an inventory is needed of the information assets that require protection. These information assets will be the subject of a risk analysis at a later stage. Information assets can include digital and physical sources, applications, IT hardware, etc.