Ten things you should know about ISO/IEC 27001

Before Certification

Don’t underestimate the number of stakeholders you will need to consult. In large organisations, stakeholder management can be a large undertaking and key requirement for a successful compliance activity.

Partner with experienced information security providers who know the implication of advice, in particular with respect to the selection of information security controls. Many controls sound like a good idea, but the implementation can be much more challenging.

Start with an understanding of risks and development of a management system before jumping into controls and technology. Investing time up front to understand your risk posture will pay long-term benefits.

During Certification

Avoid anybody who guarantees certification within 1 month. They can’t! Certification Bodies generally like to see at least 3 months of evidence at the stage 2 Audit to make a recommendation for certification to the Accreditation Body. For smaller scopes, this timeframe may be less, but it is best to plan on at least 3 months.

Certification Bodies are prevented under another ISO standard (19011) and scheme rules from performing certification and consulting/advisory services due to conflict of interest issues. Some get around this by offering extended pre-assessments of gap analysis. Whilst these may appear cheap, there are limits

Read More: https://cybercx.com.au/cyber-security-resources/ten-things-you-should-know-about-iso-iec-27001/?utm_source=rss&utm_medium=rss&utm_campaign=ten-things-you-should-know-about-iso-iec-27001