ISO Blog Series Part 4: Road to ISO27001 – Document, Document and More Documenting

If you have been reading our blog series, you will be following our journey to becoming ISO 27001 certified, which we achieved in February this year! In Part 3 we discussed how we utilised lockdown to our advantage with some extra time on our hands. At that stage in our ISO journey, our ISMS was running with a high level of governance; however, it was not yet ready to get us ISO certified. There were still some pieces we needed to complete to get us over the line to achieve ISO 27001 certification. Let’s take a close look at the next stage we took on our journey to become ISO certified – one which involved a fair bit of documenting!

ISO 27001 standard

We had to go back to basics and refer to the ISO/IEC 27001:2013 standard; why did we do this, you ask? Looking back at the standard helped us see where we had gaps and what wasn’t being managed yet. Armed with our copy of the standard, and referencing back to our risk management plan, we drafted our first version of our Statement of Applicability (SoA). This is a key document for ISO 27001 certification which is used to inform the auditors and your customers exactly what has been certified in your business for effective security management. By using the standard and our risk management plan we were able to make sure our SoA held the right information, including all the controls defined in Annex A of the standard. Based on our risk management activities and business requirements we marked the controls that were required by our ISMS. Next, we started documenting our reasons for including, or not including, certain controls in our SoA. This step provides assurance that there is a risk-based justification for our controls’ selection decisions.

Time for feedback

We shared our developed documents with the team for review and opened up the floor for comments. Of course, we are fortunate that we have an entire company of information security experts! Our staff read through the documents and provided valuable feedback, which was considered by the ISSG. We also had our continual improvement process documented along the way, which helped us at the time so we could start using it. We used our KANBAN board as our improvement log, which later became a more mature log as we learned about what worked for us.

It’s all about risk!

Throughout the process, we did not forget that ISO 27001 adopts a risk-based approach to information security. Accordingly, we maintained an up-to-date risk register, developed a risk management plan where we allocated risk management responsibilities and tracked our risk remediation activities. We also documented how we will measure our ISMS performance against the defined objectives.

A fully documented management system

Equipped with our trusty KANBAN board and SoA, it was time to involve the wider Axenic team. We still had a lot to document and implement at this stage. This included documenting the remaining artefacts required by the standard, reviewing and approving those as we went and starting to follow them while generating auditable evidence along the way. We spread the development load to our team and produced:

  • Responsible Use Policy – to define how to use Axenic resources responsibly
  • Information Management Process – classifying our information, defining our information assets and how to handle them
  • Equipment and Media Disposal Process – how to make sure we do not leave remnants of information when we dispose of our paper and technology storage
  • Access Control Process – how we manage access to our information and services
  • Cryptographic Policy – what we encrypt, and rules about managing the keys of what we encrypt
  • Vulnerability and Patch Management Process – how we deal with technical vulnerabilities
  • System Acquisition Guidelines – we do not build systems ourselves, but we do use information systems from suppliers; we defined what our principles of a secure system are
  • Supplier Management Process – how we manage the relationship with, and delivery of services by, our suppliers
  • Testing our Incident management process with a quick run-through scenario
  • Confirming security requirements in our existing Business Continuity Plan
  • Detailing our legal and regulatory requirements into a register

Having our processes written down allowed us to verify that we met all of the ISO 27001 requirements. The next stage was to make our high-level ISMS work for us on a certification-ready level.

If you have any questions about the documentation process and what written components you may need to become ISO 27001 certified, please do not hesitate to contact us. See you next time, when we will talk about pushing our approved ISMS into an operational state.
