If you’re reading this, it’s because you’re interested in ISO/IEC 27001:2013, and we understand! It is the reference international standard for information security management.
ISO/IEC 27001:2013 sets the requirements for an ISMS, or Information Security Management System. Access control, risk assessment, asset management, human resources, communications… Annex A of the standard lists 114 controls grouped into 14 domains. You do not have to deploy all 114: you select the controls your risk assessment justifies and you record every inclusion or exclusion, with its justification, in the Statement of Applicability, which the certification auditor will check.
Your objective? Protect the confidentiality, integrity and availability of the information within the scope of your ISMS. But how do you go about it?
ISO is quite an adventure. So in this article, we give you a checklist of boxes to tick to prepare yourself.
The checklist for preparing for ISO/IEC 27001:2013
1) Read the standard
It sounds obvious, all right. But we assure you that many don’t, especially when a consultant is accompanying them! You’ll have to buy it from the ISO website or from your national standards body.
The standard has two parts. The main body (clauses 4 to 10) states the mandatory requirements for the management system: 4 – Context of the organization, 5 – Leadership, 6 – Planning, 7 – Support, 8 – Operation, 9 – Performance evaluation, 10 – Improvement. Annex A then lists the 114 controls in 14 domains: A.5 – Information security policies, A.6 – Organization of information security, A.7 – Human resource security, A.8 – Asset management, A.9 – Access control, A.10 – Cryptography, A.11 – Physical and environmental security, A.12 – Operations security, A.13 – Communications security, A.14 – System acquisition, development and maintenance, A.15 – Supplier relationships, A.16 – Information security incident management, A.17 – Information security aspects of business continuity management, A.18 – Compliance.
2) Get in touch with people who have already embarked on this adventure
Don’t hesitate to contact your professional contacts to ask questions about ISO/IEC 27001:2013. This will help you understand the challenges your colleagues have faced and how they overcame them. It’s also an opportunity to ask for advice on adopting security standards internally.
3) Get support
The ISO 27001 certificate is issued by an accredited third-party certification body (in France, AFNOR Certification is one of them). If you wish to be certified, we recommend that you call on the services of a specialized consultancy, bearing in mind that the consultant who helps you build the ISMS cannot be the one who certifies it.
4) Clearly define who deals with the subject internally
“Alone we go faster, together we go further”. As you will see, security is a team effort, and this African proverb illustrates it well. For an information security management system to be deployed, adequate resources must be allocated to the project: dedicated time, people and budget. The personnel responsible for the subject must receive adequate training, maintain the documentation and make sure the controls are actually implemented, not just written down.
5) Make a clear and precise inventory of what the company is already doing in terms of security.
It’s time to ask the right questions. Is access to your premises controlled by badge? Are workstations protected by strong passwords and automatic screen locks? Is sensitive equipment left at the office in the evening protected in a safe or a locked room? Is computer data encrypted, at rest and in transit? Every gap you find here becomes an input to your risk assessment.
6) Prepare management to communicate
Top management must lead on the subject and pass on to the rest of the staff: the information security policy, the information security objectives and the plans to reach them, and the roles and responsibilities assigned for information security.
7) Involve the whole company in security issues
It can’t be said often enough: to prepare for ISO/IEC 27001:2013, communication is key. Every employee in every department of the company must be committed to the subject of security.
8) Never take ISO for granted!
Never make this mistake! The ISO/IEC 27001:2013 standard covers the establishment, implementation, maintenance and continual improvement of an ISMS. Once ISO/IEC 27001:2013 certification has been obtained, the certificate is valid for three years: the certification body carries out a surveillance audit each year, and a full recertification audit at the end of the three-year cycle decides whether the certificate is renewed (or not).