Implementation of ISOIEC 27001 – valuable tips

The process of implementation an information security management system is quite complex and difficult.

As during the implementation of any system, you have to go through certain steps to recognize that the process has been carried out correctly, and you will be able to proceed to a certification audit by an accredited body and obtain a certificate with no fear.

  1. Get to know the standard – Let’s face it … you can’t meet the requirements if you don’t know them. Therefore, the first basic step is to purchase the standard. We recommend using only legal sources, i.e. the PKN website. We are aware that standards are written in a specific language, therefore it will be difficult for a layperson to relate them to the operation of an organization. We honestly admit that we are an old hand at implementation of this system, which is why we have several lifebuoys for you. First of all, we invite you to our trainings. Our offer three-day training courses starting at PLN 900 net, which seems to be quite a competitive option. (You can always find the latest dates on our website https://ikmj.edu.pl/kalendarz-szkolen/ or https://ikmj.org/produkt/szkolenie-online-z-trenerem-audytor-wewnetrzny-i-pelnomocnik-ds-systemu-zarzadzania-bezpieczenstwem-zgodnego-iso-iec-270012017/). Why is it worth it? Well, because we know the inside out of the system and we will be able not only to explain the requirements of the standard, but also suggest what solutions you can implement in your organization. 3 days – this is how much we need to discuss the requirements of the standard in detail, present Appendix A in detail, which is an extremely important element of the system, and teach you to conduct internal audits, which you also need to perform as part of the implemented system.
    This is not the only option. If you know the system, but you need a gentle refreshment of knowledge, we encourage you to take advantage of e-learning training. The materials that will be made available to you will help you recall the key elements of the system. You will also get sample documentation that may be helpful in developing your own solutions, we will also provide you with an exam so that you can get confirmation of your competences. https://ikmj.org/produkt/szkolenia-standard-online-isoiec-270012013/
    Well, unless you are proficient and only need to confirm your competence. Pass the exam and download the certificate. Simple isn’t it? https://ikmj.org/produkt/egzamin-pelwoknik-i-audytor-wewnetrzny-systemu-zarzadzania-bezpieczeneniem-informacji-isoiec-270012013/
  2. You already have the knowledge, now it’s time to start preparing the documentation. We will not tell you what specific procedures you need to develop. It depends on the specifics of the organization. You need to be aware that a system developed in a tiny organization will be significantly different from a large enterprise, in which of course there are more processes and they are probably more complex. It shouldn’t be difficult to write a procedure if you know your organization. The procedure describes how the process is carried out. In fact, it can take any form (descriptive, graphic, flowchart). It is important that it is understandable to employees and meets formal requirements (e.g. has a purpose, or indicated a person responsible for the process).
    If you need inspiration to create documentation in your organization, we have prepared documentation for you in an editable form. It is a collection of procedures, instructions and registers. You can see what the sample system documents look like. The procedures provide an example of how to proceed. It is as universal as it can be, although it will certainly require a bit of interference to accurately present exactly what is happening in your organization. You can edit them freely and use them as part of your business. https://ikmj.org/produkt/dokumentacja-iso-iec-270012013/
    We can offer you yet another form of assistance. Our guess is that you may already have some documentation in your organization, but you are concerned about some issues and would like to consult only selected issues. Nothing easier. Take advantage of online consultations with a trainer. You choose how much time you need. https://ikmj.org/kategoria-produktu/z-trenerem/support/
  3. Is documentation developed? This is now the stage in which, unfortunately, we will not help you. You need to implement the developed documentation in the organization. So employees need to know the procedures that apply to them. Moreover, they must create records in the manner specified in the procedure. And you, as a proxy, are in a way their guide who educates, dispels doubts and points out mistakes.
  4. It’s time for an audit. You must know something. You are not allowed to audit the processes of which you are part. You simply cannot verify your work. Conducting an audit is essential. Its purpose is to check how the system works and to ensure continuous improvement. Would you like to read a little about how the entire audit process looks like from the beginning? Reach for our guide: https://ikmj.org/produkt/pwiedznik-audyt-wewnetrzny/ From the research resources, we also have a checklist, i.e. a collection of all the requirements of the standard in the form of a convenient Excel file. This will help you to accurately trace the situation of your organization and check which requirements are not covered in the system you have developed. A fun way to counter your work. https://ikmj.org/produkt/lista-kontrolna-isoiec-270012013-zalacznik-a/
  5. If the system in your organization does not show any gross deficiencies, you can proceed to the next step – certification. Briefly – an accredited certificate is issued for 3 years. Later, to maintain continuity, you need to go through a recertification process. Each year, your organization will be visited by external authors and they will verify that you meet the requirements enough for the unit to certify it with its certificate. The list of accredited units can be found on the PCA website. Of course, you can also use units that have foreign accreditations, i.e. those associated in the IAF organization – ensuring international recognition of accreditation.
Zobacz podobne  Tools that help auditors to conduct internal audits

Of course, you don’t have to do it all yourself. We can do it for you. Please do not hesitate to contact us. We will prepare an individual quote. It’s free, and at least you’ll know if you can outsource all (or some) of your activities to someone else. For more information on the implementation activities, please call: +48 500 328 182 or write to biuro@ikmj.com

Scroll to Top