Everything about implementing the ISO 27001 standard
Implementation step 1: GAP analysis
The ISO 27001 GAP analysis, also known as an ISO 27001 check or ISO 27001 baseline measurement, is the start of every implementation process. We begin by performing an analysis to determine the current status of your organization. Here, we map out the processes related to information security. We prepare a report of the gaps against the standard and draw up a practical project plan with clear roles and responsibilities.
The GAP analysis gives us important insight into the current state of information security within your organization. This insight helps to identify vulnerabilities, determine the resources required, and develop policy.
We perform the GAP analysis by assessing every point in the standard. This is how your personal consultant paints a detailed picture of the current state of affairs. Our added value lies not only in identifying security issues within processes and procedures, but also in offering solutions. For example, if we identify a security gap according to the ISO 27001 standard, we make a proposal to close that gap. This can range from implementing authentication measures to improving the monitoring of sensitive data flows.
Implementation step 2: Risk Analysis
ISO 27001 is a risk-based standard, which means that measures must be tailored to the risks of your organization. By means of an extensive risk analysis, we identify and evaluate all risks inside and outside your organization.
The ISO 27001 Risk Analysis is a mandatory part of the standard. It helps identify vulnerabilities and threats that may affect your organization. It enables you to take targeted measures to mitigate these risks, which strengthens the security of your information and prevents possible damage.
ISO 27001 prescribes that risks and opportunities must be identified. We do this in a brainstorm session, with the aim of assessing the likelihood and impact of each risk. For this purpose, we have a template that complies with all parts of the standard. Thanks to our experience and knowledge, we know what an auditor pays attention to when assessing risks and the control measures taken. We are also familiar with relevant risks and trends, so that we can delve deeper into the risks specific to your organization and industry.
Implementation step 3: Set up a management system
A management system is the set of policies, processes and procedures that allow an organization to achieve its policies and objectives. At its core, a management system helps an organization:
- define its policies and objectives;
- identify and manage risks;
- stimulate continuous improvement;
- carry out security controls.
Setting up the management system is the most important part of the implementation process. It provides a structured approach to managing information security, ensuring compliance with standards and demonstrating continuous improvement. There are no hard requirements for what the system should look like, only what should be in it and what the system must guarantee.
Our approach is based on your organization's needs. We set up the management system for your organization, in the software you already use. Alongside the software, we of course bring best practices. When we build a management system, user-friendliness is our top priority: after implementation, it must be easy to maintain. See here how we do that.
Implementation step 4: Awareness
Awareness simply means that everyone within the organization is fully aware of the requirements and goals of the standard. It is about understanding the importance of handling information safely and recognizing the specific requirements set by the standard. This awareness extends across all levels of an organization.
95% of cyber incidents are the result of human error. Awareness is therefore crucial and (according to Annex A.6.3.) is a mandatory part of the standard. By making employees aware of the risks and best practices, we reduce the risk of incidents and strengthen the overall security of your organization.
We offer standard in-person training so that the mandatory part of the standard is met. In addition, there are many more ways to raise awareness within your organization. Think of:
- microlearning through gamification;
- a phishing campaign;
- job-based training courses;
- e-learning modules;
- a USB drop;
- flyers, posters and newsletters.
Implementation step 5: Internal audit
The internal audit is a mandatory test moment to check whether the management system works effectively and meets all requirements of the standard. Periodically, the organization must have its management system independently audited by competent auditors. From this test, the auditor records points for improvement and shortcomings.
The internal audit is a mandatory part of the standard and helps your organization identify and correct any shortcomings or areas for improvement before the external audit takes place.
Our consultants are certified as Lead Auditors and can therefore carry out a critical internal audit. This way, you know that if you pass the internal audit, the external audit should also go well. We guarantee independence because the internal audit is always carried out by a consultant other than the one who does the implementation. This gives you the four-eyes principle of two specialists. During the internal audit, we look for improvements to the organization's management system.
Also read our article “What does an internal audit look like?”.
Implementation step 6: Management review
In addition to the internal audit, the management review is also a mandatory part of the standard. In the management review, management evaluates the suitability, adequacy and effectiveness of the management system. The results are recorded in the management system and serve directly as evidence for the external audit. The management review always follows the internal audit, so that the audit results are included in the assessment.
The main goal of the management review is to continuously improve the management system and the organization. This is achieved through concrete action points that come from the management review. With the help of deadlines and responsibilities, the organization ensures that improvement measures are actually implemented within the organization.
In the management review, we use a standardized approach to discuss all mandatory components with stakeholders. Together with the management, we assess whether the management system actually contributes to achieving the intended objectives. We identify opportunities for improvement and look at previous years to measure progress. This evaluation contributes to management involvement, which is important for chapter 5, “Leadership and Engagement”.
Implementation step 7: External audit
The external audit is the official test moment carried out by an independent party (the Certification Body) to verify that your organization complies with the ISO 27001 standard. After the audit, the auditor gives positive or negative advice on certifying the organization.
The external audit is part of a certification process that runs in a 3-year cycle. The 3-year audit cycle starts with the initial audit, which consists of the preliminary investigation (phase 1) and the certification audit (phase 2). A control audit (surveillance audit) then takes place twice. At the end of the cycle, the recertification audit determines whether the certificate is renewed and the organization enters a new 3-year cycle.
Our role in the external audit is to prepare and support your organization. We have experience dealing with external auditors and understand their expectations and requirements. Examples include answering questions, analyzing areas for improvement and requesting the certificate. During the external audit, we speak on behalf of your organization to guide the audit to success.
Implementation step 8: Maintenance
Maintaining the management system is a mandatory part of the standard. Maintenance means checking the management system and keeping it up to date. Important tasks include:
- performing the controls in the annual plan (e.g. making backups, testing the continuity plan and checking issued authorizations);
- measuring and monitoring the objectives that have been set;
- checking that procedures are actually being followed (for example, the termination-of-employment procedure when someone leaves). It is important to remain critical and ask yourself whether your organization is actually complying with the policy that has been drawn up.
Now that your organization has been certified and holds the intended certificates, you naturally want to keep them. Letting the certificate gather dust is not an option. Every year, the management system is checked in a control audit. By maintaining and continuously improving the management system, you show during the next audit that you, as an organization, are in control and remain certified.
Periodically, your organization makes adjustments to the management system. This is how you ensure that the management system remains up to date. With the help of an annual plan, you carry out all the annually mandatory parts of the standard. We continue to support 98% of our customers in maintaining the management system and carrying out the internal audit annually.
The costs of an ISO 27001 implementation
You probably have the pressing question: “How much does it cost to get ISO 27001 certified?” Unfortunately, there is no one-size-fits-all answer. In addition to time, how much you spend implementing ISO 27001 depends on various factors. It starts with the current state of information security within your organization:
- Do you already have a policy on how to handle information?
- Do you already have an information security management system?
- Have you already mapped out processes?
Factors such as company size and complexity also play a role. These are determined by the number of employees, locations, products and services, and the diversity of your processes. Size is not necessarily an indicator of complexity; a small company with many processes can be just as complex. By requesting multiple quotes, you can compare price-quality ratios.
Want to know more about how the costs of ISO certification are structured? Read our blog here!
What can you expect from us during the ISO 27001 implementation?
Implementation processes demand a lot from the internal organization. We take a pragmatic approach and take the needs of your organization fully into account. Remote or on location? Weekly meetings or short updates? Your own software or a new tool?
We are your knowledge partner and are always available for questions. Your organization does not need knowledge of the standard. As a fresh team of specialists who grew up in the digital world, we love clear and smooth communication, so don't hesitate to call, email or message us.
Every organization is different, which is why we offer two types of implementation processes:
Accompanying implementation process
In this process, we offer coaching and advice on the implementation of the management system and the associated policy documents. The system is set up process-based and serves as a tool for identifying risks and subsequently managing them. During this process, we work alongside your organization and provide templates and best practices that you can apply to your organization. In addition, our consultants are available daily for questions, further explanation and advice.
For whom?
For organizations that want to do the implementation themselves and need advice, templates and support with mandatory parts of the standard such as internal audit and management review.
Workload?
Within your organization, we expect approximately the following workload expressed in the number of hours per week. Please note: this is an estimate.

Careful implementation process
In this process, we fully take over the responsibility for a successful implementation from you. Our consultant takes care of your organization and takes you from A to Z through the process. This allows your people to keep doing what they've always done: running the company.
For whom?
For organizations that do not want to do the implementation themselves and only want to review and answer organization-specific questions.
Workload?
Within your organization, we expect approximately the following workload expressed in the number of hours per week. Please note: this is an estimate.

What we expect from you during the ISO 27001 implementation
For clear and smooth communication, we expect a point of contact within your organization. This person is often referred to as the Security Officer. It is important that the Security Officer has knowledge of the internal systems. It also helps to agree on a fixed, regular time at which we are in contact.
Benefits of an ISO 27001 implementation partner
Working with an experienced implementation partner has a number of advantages. Need help choosing the right implementation partner? Read here which 7 criteria you should pay attention to.
Choosing Fendix as implementation partner
We hope that this blog has provided you with a clear insight into what an implementation process looks like. Need ISO 27001 help? Then we would love to hear from you. Check out our website for more information or contact us directly for an informal, free consultation.