If you have been following our ISO Blog Series you would have seen that in Part 4 we talked about the documentation stage we took during lockdown. At this stage of the game, we had a lot of documents that had been reviewed by our ISSG. We had also received valuable feedback from the Axenic team members. The ISMS documents we had after stage four were now ready to inform our first set of final documents.
First steps
First, we needed to set up an approval process for the review of our policies, processes, and other documents/registers. The process should allow us to manage our work with a visible approvals that includes timestamps and approvers. The approval process should also enable setting reminders for the periodic review of the documents. Approved documents were deposited in a SharePoint document library with a view that shows only the approved versions (which you’ll see if you read on – we learned the hard way!).
As the documents got approved, we started operationalising the ISMS by following and implementing the provisions within these documents.
Certification audits are conducted in two stages. In stage 1, the auditor validates that the essential requirements for an ISMS as per the ISO 27001 standard are in place. The auditor goes through the requirements of Clauses 4 – 10 of the standard and asks for the corresponding documentation. For example, the auditor asks if the organisation has an information security policy and reviews the provided documents table of content. They confirm that the table of contents indicates that the document covers the essential topics. Similarly, they ask for other documents relevant to the clauses such as the ISMS objectives, context, interfaces and dependencies. Whilst doing that, they verify that the documents are formally approved and versioned. They do not go into the details of each document and the provisions listed, or how these are implemented at this stage. This is saved for stage 2 of the audit.
Some organisations may consider only the implementation of an ISO 27001 ISMS, while others may consider certification. Our guidance on To ISO or not to ISO can be used to help you/your organisations make that call.
Getting an approved ISMS
Our first attempt did not work as well as we had expected. For a start, it was very time-consuming. Every small change and last-minute tweak involved getting everyone together again to reprint and sign each document, just to scan the signed documents back in.
We learnt the hard way after trying to manually sign two documents that getting everyone around a table to sign ISMS documents was not going to work. Armed with this lesson, Terry our MD came up with the idea that we could use the same solution that we use to sign client contracts. Our digital signing solution was born and this made life much easier.
Automating the approval process made it easy to ensure that timestamps and approval records are tracked. It also enabled us to set reminders before the review due dates.
Final documentation ready
Once the signing of the backlog documents was complete, we then started publishing them to our SharePoint. Now we were ready to communicate and share these documents with our staff. At last, we had our final versions ready, including:
- Organisational context
- Information security policy
- Acceptable use policy
- Access control process
- Document control process
- Information management process
- Change management process
We also checked our documents against the ISO 27001 standard clauses requirements to make sure we didn’t miss anything.
Ready to start your own journey?
Are you interested in starting your own journey to ISO 27001 certification? If you have any questions about the process please contact us.
Meanwhile, keep an eye out for our next blog in the series when we share our implementation experience – Putting it all into Practice.