Part 41 - Getting Certified to ISO 27001 – You're Certified.
After many thousands of hours and plenty of hard work, you have created, established and are maintaining your information security management system (ISMS). Since then, your ISMS:
- Has been audited by a Certification Body (CB) in two stages (Stage 1 and Stage 2)
- Is certified, with a new ISO 27001 certificate on the wall at reception, and
- Has been celebrated with a big party or a couple of biscuits at a morning tea.
Therefore … job well done.
Don’t Rest on Your Laurels
Well, one thing you don’t do is rest on your laurels. Don’t think that the job is over and done with.
More work is required to make sure that the ISMS keeps adding value to your business.
You may have spent thousands of dollars on consultants and the CB external audit. Plus you have spent time on the system, and that time is a cost to the business. Therefore, your Management Team and even your Board may be looking at you, the Information Security Manager, and asking “show us the money” or “where is the return on our investment in an ISMS?”
Therefore, you need to show pay-back. How do you do that?
Your ISMS Needs to Show Pay-Back
Well, you need to work hard and measure the value-add to your business. This requires foresight and planning ahead.
Think about the areas of your business where the ISMS has helped to reduce costs.
In addition, think carefully about where the ISMS could have been used to reduce waste.
Finally, ask the sales team whether they have won extra jobs because your organisation is ISO 27001 certified.
Add that value up and present it to the Management Team or Board to prove that getting certified wasn’t a waste of time.
Review Your ISMS
What else should you do? Well, for one, you should be reviewing the ISMS regularly.
For example, one thing we are doing here at Mango is to have all our employees attend the monthly Management Review meeting. In that meeting we talk about the adequacy, effectiveness and value the ISMS is bringing to the business. We discuss the objectives in detail and look at the results against the objectives.
You need to keep improving and updating your ISMS so that it remains effective and keeps adding value to your business.
You need to demonstrate to Management that the ISMS is not a time suck and that it makes their job easier.
Winning over Management will mean that the ISMS will have longevity.
Takeaways
- Start measuring the pay-back of your ISMS.
- Present the results to Management and the Board.
- If the ISMS is adding no value to the business stop doing it.