If you are reading this article, it means that ISO/IEC 27001:2013 is of interest to you, and we understand that! It is THE leading international standard in the field of information security. ISO/IEC 27001:2013 specifies the requirements for an ISMS, or Information Security Management System: risk assessment, access control, asset management, human resources, communications, and so on. To be certified, you must put in place the management system described in the main body of the standard and, in a Statement of Applicability, select and justify which of the 114 controls of Annex A you implement to treat your risks.
The goal? Protect the confidentiality, integrity, and availability of the information handled by your organization. But how do you get there?
ISO is a whole new adventure. In this article, we give you a checklist of 9 boxes to tick to get properly ready.
Here is the checklist to get properly ready for ISO/IEC 27001:2013
1) Read the standard
Alright, this may seem obvious! But we can confirm that not many people do it, especially when they are being assisted! You will need to buy it from ISO or from your national standards body (AFNOR in France). As the author of this article is generous, she will give you its structure. The main body has clauses 0 to 10, of which clauses 4 to 10 carry the requirements you will be audited against: 4 – Context of the organization, 5 – Leadership, 6 – Planning, 7 – Support, 8 – Operation, 9 – Performance evaluation, 10 – Improvement. Annex A then lists the 114 controls, grouped into 14 domains: A.5 – Information security policies, A.6 – Organization of information security, A.7 – Human resource security, A.8 – Asset management, A.9 – Access control, A.10 – Cryptography, A.11 – Physical and environmental security, A.12 – Operations security, A.13 – Communications security, A.14 – System acquisition, development and maintenance, A.15 – Supplier relationships, A.16 – Information security incident management, A.17 – Information security aspects of business continuity management, A.18 – Compliance.
2) Get in touch with the people who got involved in this adventure!
Don’t hesitate to send an email to our COO Christophe Henner (firstname.lastname@example.org) to ask him as many questions as you want about ISO/IEC 27001:2013, and take him out for lunch to thank him. Some have already done so, and genuinely enjoyed the experience…
3) Get some assistance!
The ISO/IEC 27001 certificate is issued by an accredited third-party certification body (in France, for example, AFNOR Certification). If you want to be certified, we advise you to call on a specialized consultancy. This is what the Hyperlex team did, and they don’t regret it.
4) Clearly define who is dealing with the matter in-house
“If you want to go fast, go alone; if you want to go far, go together.” As you will see, security rests on teamwork, and this African proverb captures it rather well. Bear in mind that deploying an information security management system requires allocating suitable resources to the project: the time dedicated to it, the people and, not least, the budget (the standard spells this out in clause 7, Support). It also means that the staff responsible for the area must receive adequate training, maintain the documentation, and ensure its implementation.
5) Make a clear and precise inventory of what is done within the company in terms of security!
This is the time to ask the right questions, control by control against Annex A, so that you know your starting point (this is the gap analysis your consultant will ask for). Is access to your premises controlled by badge? Do workstations enforce strong passwords? Is sensitive material left at the office overnight kept in a safe or a locked room? Is data encrypted?
6) Obtain management commitment
It is extremely important for the management team to be involved in the ISO/IEC 27001:2013 adventure; the standard calls this leadership (clause 5). Management must not only convey the security requirements of the standard to the rest of the company, but also commit to establishing, implementing, maintaining, and continually improving the famous ISMS. They are also the ones who make sure that the employees responsible for security are properly trained (see point 4).
7) Support management in preparing for communication
Management must act as an educator and, above all, pass on to the rest of the staff: an information security policy, information security objectives and the plans to achieve them, and the roles and responsibilities in the field of information security.
8) Make the security topic sexy for the entire company!
One can never say this enough: to prepare well for ISO/IEC 27001:2013, communication is key. Every employee in every department of the company needs to be committed when it comes to security (the standard requires this awareness in clause 7.3). This is what Christophe Henner did at Hyperlex, and this is why this article is being written… #SecurityIsSexy
9) Never take ISO for granted!
Never make this mistake! The ISO/IEC 27001:2013 standard covers the establishment, implementation, maintenance AND CONTINUAL improvement of an ISMS. It should also be noted that once ISO/IEC 27001:2013 certification has been obtained, the certificate is valid for three years, during which the certification body carries out a surveillance audit every year; at the end of the cycle, a recertification audit decides whether the certificate is renewed or not.
Want to find out more about ISO? New articles are on the way… Check out our website: https://hyperlex.ai/en/
Marguerite de Rodellec | Inbound Marketing Manager | Hyperlex Software
Read more articles from Modern Law Magazine here