If you are reading this article, it means that you are interested in ISO/IEC 27001:2013, and we understand that! It is THE leading international standard in the field of information security.

ISO/IEC 27001:2013 sets the benchmark for the ISMS, or Information Security Management System. Access control, risk analysis, asset management, human resources, communication... To be certified, it is necessary to deploy a whole set of controls (114 to be exact) that structure the management of security.

The goal? To protect the confidentiality, integrity and availability of all the data within your organisation. But how do you go about it?

ISO is quite an adventure. So in this article, we give you a 9-point checklist to prepare yourself properly.

The checklist to be well prepared for ISO/IEC 27001:2013

1) Read the standard
It seems obvious, okay. But we assure you that many people don't, especially if they have outside help! You need to buy it from the official website.

Since we are committed to making your life easier, here are the titles of the 18 chapters: 00 - Governance, 01 - Continuous improvement, 02 - Audits and controls, 03 - Dashboards, 04 - Organisation, 05 - Exceptions, 06 - Communication, 07 - Resource security, 08 - Asset management, 09 - Access control, 10 - Crypto, 11 - Physical security, 12 - Operations, 13 - Network security, 14 - Physical security, 15 - Vendor management, 16 - Incident management, 17 - Continuity and crisis management.

PS: We also highly recommend the page we created where we reveal everything you always wanted to know about ISO 27001 but never dared to ask 👉 What is the ISO 27001 standard?

2) Get in touch with people who have taken the plunge!

Don't hesitate to send an email to our COO Christophe Henner (chenner[at]hyperlex.fr) to ask him loads of questions about ISO/IEC 27001:2013, and to offer him lunch to thank him. Some people have already done so, and we can assure you that they enjoyed the experience 100%...

3) Get a companion!

The ISO 27001 certificate is issued by a third-party certification body: AFNOR in France. If you wish to be certified, we advise you to call upon a specialised provider. This is what the Hyperlex team did, and they don't regret it.

In fact, we were so happy to receive the certification that we even wrote a press release for the occasion 👉 Hyperlex: ISO/IEC 27001:2013 certification rewards its commitment to information security

4) Clearly define who deals with the subject internally

"Alone we go faster, together we go further". You will see: security is a team effort, and this African proverb illustrates it well. To ensure the deployment of the information security management system, adequate resources must be allocated to the project: dedicated time, people and a budget. The staff responsible for the subject must also be adequately trained to maintain the documentation and ensure its implementation.

5) Make a clear and precise inventory of what is done in the company in terms of security!

This is the perfect time to ask the right questions. Can your premises only be accessed with a badge? Are workstations protected with strong passwords? Is sensitive material left in the office kept in a safe or in a locked room? Is the data on your computers encrypted?

6) Get management commitment

It is absolutely essential that the management team is part of the ISO/IEC 27001:2013 journey. Not only must management communicate the security requirements of the standard to the rest of the company, it must also be committed to establishing, deploying, maintaining and improving the ISMS. It is management that ensures that the employees responsible for security are properly trained (see point 4).

7) Get the management on board

Management should therefore educate the rest of the staff on the following topics: the information security policy, the information security objectives and plans, and all roles and responsibilities regarding information security.

8) Make the subject of security sexy for the whole company!

It can't be said enough: to be well prepared for ISO/IEC 27001:2013, communication is key. Every employee in every department of the company must be engaged with the subject of security. This is exactly what Christophe Henner did at Hyperlex! #SecurityIsSexy

9) Never take ISO for granted!

Never make this mistake! ISO/IEC 27001:2013 is about establishing, implementing, maintaining AND continuously improving an ISMS. You should know that once ISO/IEC 27001:2013 certification is obtained, an audit is carried out every year for three years. At the end of this period, the ISO/IEC 27001:2013 certification can be renewed (or not).

Are you curious to find out more about ISO? New articles are coming soon...

We have already written about security in companies, because it is extremely important to us...