11 tips for fast ISO 27001 certification

We would like to provide valuable tips for the implementation of ISO 27001 for all companies that are aiming for certification. The ISO 27001 standard describes the requirements of an information security management system (ISMS), which also includes having a person responsible for information security. This person is often called the information security officer or chief information security officer (CISO). The practical tips we have compiled are based on our experience with 27001 certifications over the past few years, which SEC4YOU has had the privilege of supporting. The tips are intended to help smaller companies in particular to achieve ISO 27001 certification as quickly and cost-effectively as possible.

#1 Secure support from the top

Beyond divine support, which is always important, secure the full support of your senior management. For 27001 certification, you also need a “project sponsor” to provide the necessary resources, back up and remove potential hurdles.

Projects where management support is not fully in place become difficult to implement and the implemented ISMS cannot generate the expected benefits. In some cases, we also found that the effectiveness of the ISMS was jeopardized as a result. Such projects are usually tedious and not much fun for anyone involved.

Who can become a project sponsor?

Only top management can become a project sponsor, as they are responsible for the ISMS. The CISO also reports regularly to the top management.
However, the IT manager cannot become the sponsor, as the implementation of an ISMS is not an IT project. The ISMS affects the entire company, from the human resources department to purchasing, including risk management and other departments.

Tip: The company management bears the overall responsibility for the effectiveness of the ISMS and its continuous improvement. Therefore, management support is essential to motivate all departments to complete their tasks.

#2 Use appropriate ISO 27001 templates

There are many offers for ISMS templates on the market. There are some good packages, but also a lot of too complex and elaborate templates. Most ISMS packages promise easy processing and implementation: just enter company name, logo and responsible persons, done!

This is not so! By using ISMS templates you do not save the necessary adaptation of the documents to your own company. All templates usually have to be adapted considerably, since the final ISMS documents have to fit the company and not vice versa. Templates also cannot replace intensive work on ISMS content. The point is not to simply have guidelines, but to apply suitable specifications in the company.

Application of templates in practice:

Templates have up to 7 roles in information security management, this is where smaller companies need to merge roles and simplify responsibilities.
Good templates can also give you valuable content for your own documents.
Templates are not a substitute for professional advice and in very few cases increase the competence of the InfoSec officer

Tip: Do not trust the certification promise of templates! All templates need a not to be underestimated processing to implement them.

#3 Create few and compact ISMS documents

Especially for small companies, it is recommended to implement the guidelines and ISMS documents in a few and as compact as possible documents. Often, template packages come with 40–50 individual documents, but they are all required and valid for certification. Do you know an employee who can remember such a complex structure?

Consider a simple document structure at the outset, preferably in the following hierarchy
1. Policies
2. Procedural instructions/work instructions/processes
3. Forms of evidence
Less is more! Try to work with few guidelines and not with a bundle of dozens of linked individual guidelines.
In the individual chapters of the guidelines, define the target groups that the regulations affect, e.g. in Appendix A of 27001 for personnel security, “Target group: Human resources department”

Tip: We recommend that smaller companies have a general InfoSec policy for the target group IT department and other departments of around 40–50 pages, as well as a user policy directed at employees of around 8–10 pages. The content of the user policy, along with other content, is communicated to all persons in the annual security awareness training sessions.

#4 Regulate responsibilities at an early stage!

Several departments are involved in the implementation of an ISMS. For a quick realization of a 27001 certification, these areas have to take over their responsibilities independently, here are a few examples:

The purchasing department is to perform a supplier evaluation of the essential suppliers; for this purpose, it receives support from the CISO, of course, but the supplier survey and evaluation must be performed by the purchasing department.
Who keeps the participant lists for the necessary security awareness training courses? The HR department, of course! Just as for all other training measures for all employees, Human Resources is responsible for managing the training courses. HR also creates the KPI for participation levels and reports this metric to the CISO.
The security locks for the locked doors are not ordered by the CISO, but by the person responsible in Office Management or Facility Management.
In software development, of course, development management takes responsibility for ensuring that modern web applications are securely designed and developed. To this end, software development creates secure coding guidelines as well as secure coding principles and commissions penetration tests.

The CISO creates the necessary guidelines, but the implementation is the responsibility of the company departments such as IT, HR, Facilities, Procurement, etc.

Tip: The responsibility for individual measures always lies with the department that is named as the contact person for the auditor in the certification audit. It is therefore essential that implementation takes place in the departments. Involve the departments in the audit planning at an early stage and prepare the employees for the challenge!

#5 Start with an environment analysis, setting the scope, and then the security policy

Starting an ISMS implementation is often difficult because you have a big list of tasks to do in front of you. Here, we recommend the following initial steps that easily lead to the right next phases:

Perform an environment analysis and define the scope (how do you see the scope of information security?).
Define responsibilities: who will take on the role of the information security manager / CISO?
Create the security policy (see link for content)
From the security policy, all further documents such as the risk management (content see link) and the InfoSec guidelines (content see link) and the user policy (content see link) arise

Tip: The scope of an ISMS can cover the entire company or only the data center operation or, for example, a subarea such as software development. The decisive factor here is that the subarea can be delineated as an organizational unit. Individual products or IT services cannot be certified. For smaller companies, it is advisable to certify the entire company, whereas for larger companies it is perfectly conceivable to certify only the IT department.

#6 Take your time, but not too much…

An ISMS implementation with subsequent ISO 27001 certification requires a certain lead time and a functioning operation of the InfoSec processes. Only then can you meaningfully proceed with certification. Depending on the size of the company, this initial phase of implementation requires at least 3 months even for small companies, and 6 months or more for medium-sized companies.

Certification projects that are set up with a duration that is too long often do not have the necessary pressure in the first few months and do not get off the ground.

Tip: Start on time, but do not plan an ISMS implementation that takes more than 1 year, because experience shows that with long project durations, time is not used efficiently.

Tip: Select the audit service provider as early as possible and arrange an audit date as soon as possible. Good audit service providers and experienced auditors often have long lead times or even waiting lists.

#7 An internal or an external information security officer or CISO?

The start of an ISMS project requires the appointment of a CISO (= information security officer) for the operation and further development of the ISMS. For this, it must be taken into account that the CISO must have resources (own time and cost budget) as well as professional competencies.

One possibility is to nominate a person already employed in the company who will undergo further training and take on the role of CISO/information security officer. Often, the internal person’s skills are supported by external InfoSec consultants during the initial period.

If there is no internal person who can assume the role of CISO, then an external CISO can be appointed temporarily or permanently. “Rent-a-CISO” or “CISO-as-a-Service” offers are available from consulting companies, also from SEC4YOU.

For smaller companies, the appointment of an external CISO is advisable, especially if there are no resources or know-how available internally.
The larger the company, the more likely a full-time internal CISO will take on this responsibility.
When appointed in regulated industries such as banking, insurance or financial services, there is a requirement for a CISO who is independent of IT and reports directly to senior management.
Assigning the role of CISO as a staff union with other functions in the company only makes sense if there is no conflict of interest. For example, an operational IT employee cannot simultaneously control his/her work as CISO.

Tip: The CISO’s job description includes the goal of achieving compliance with ISO 27001. He/she must ensure that the individual departments meet all requirements. This means that the CISO role has corresponding competencies and is a management task.

Tip: Do not place the CISO in the IT department, but instead depict the CISO in the org chart as a staff position in middle management, for example.

#8 Choosing the right ISMS tools

An ISMS tool requires intensive study and learning of the tool and is a major distraction from the real task at hand, which is understanding a management system and creating the necessary documents and processes. Most ISMS beginners get the impression that a tool will structure their work and relieve them of many tasks. Not at all! In the 5–10 days it takes to acquire, configure and learn about a tool, they would have already created a majority of their policies. At a later stage — e.g. one or two years after certification — you should of course think about whether their tasks are so complex that an ISMS tool can help them.

What is the case for a tool:

This helps meet complex requirements, for example:
- support collaboration in large teams,
- link a variety of business processes and assets, and
- Generate automatic reports and query/calculate KPIs.

Arguments against a tool:

the high learning curve for the tool
the loss of focus on the essential building blocks of an ISMS
the additional costs for the tool, of course in consideration of the cost-benefit ratio

Tip: Especially in the first year, the most important ISMS tools are paper and pencil or their digital twins Word and Excel! An information security management system is not about a software system, but about the methodology of the information security management system.

#9 Courage to fill the gap!

Risk management often involves identifying a large number of threats that pose a high or very high risk to the company. However, certification does not require that all of these risks be addressed immediately, but rather that the risks be addressed in planned actions. Likewise, it is conceivable that certain risks will be accepted.

If a company does not meet individual points of the standard during certification, there is the possibility of a follow-up audit within a few months. It is then up to the auditor, depending on the severity of the non-conformity, whether to recommend temporary 27001 certification. The certificate is not issued by the auditor himself, but by the certification body on the recommendation of the auditor.

Tip: There are several options when dealing with risks: Risk acceptance (smaller risks can be accepted), risk mitigation (e.g. through further measures), risk avoidance (e.g. banning cameras, BYOD, or USB sticks), risk offloading (usually through insuring).

#10 What is important to the 27001 auditor?

During certification, it is particularly important to the auditor whether the management system is actually established and is accepted and understood by the acting persons. This also includes that it is not the external consultant who provides the answers during certification, but the InfoSec manager(s) as well as the departments themselves who feel responsible and act.

In addition, it is imperative that there is consistent tracking of measures and that a downstream review of the effectiveness of the measures set is understood and implemented.

The focus must be on the systematic nature of the management system and not on individual technical details. The systematic approach also includes regular reporting and the determination of effectiveness by top management. The auditors also attach particular importance to the visible support of top management.

Tip: Train top management early on about their strategic InfoSec responsibility and have top management accurately represent this essential responsibility during the audit.

Tip: The transparent presentation of the ACTUAL state is very important during the audit. You will quickly lose the auditor’s trust if you try to deceive him.

#11 The right choice of 27001 audit service providers and consultants

The testing service provider, also called the certifier, is responsible for issuing the ISO 27001 certificate. The test service provider usually proposes a test engineer who can be accepted by the customer or rejected under certain circumstances.

In the run-up to the audit, the audit service provider or auditor should be selected who:

has experience with the respective industry
fits the size of the company;
takes into account the culture of the country and the company
has the necessary repudiation, as they usually also want to advertise with the certificate.

The cost of certification depends on the sites to be audited, the scope, the size of the company and other criteria, and starts at a few thousand euros per year for small companies. The larger portion of the cost should be planned for external consulting fees. Here, depending on the experience of the CISO and the involvement of the company, calculate with at least 10–20 person-days.

Tip: In addition to the costs of the audit service provider, calculate the external consulting costs and also the number of person-days of the internal employees for the ISMS implementation.

Tip: Arrange an (online) meeting with the proposed auditor to find out whether the chemistry is right.

Do you have any questions?

We are happy to help with any questions you may have about implementing a certified ISMS system.

Yes, I have a question!

11 tips for fast ISO 27001 certification