It requires attention to detail and thorough, systematic processes. That’s why an ISO 27001 compliance checklist is just the thing you need to simplify the certification process.
How to comply with ISO 27001
“ISO standards are internationally agreed by experts. Think of them as a formula that describes the best way of doing something.” That’s according to ISO themselves.
To comply with ISO standards, you need to follow a formula that will ensure that you have all your safety and security protocols in place and that your employees are aware of them.
The process starts with a clear understanding of your Information Security Management System (ISMS).
We’ve provided a comprehensive ISO 27001 checklist that you can use to make sure you’ve got all your bases covered as well as a sneak peak of some of the content from our Wiki (the guidebook that supports our online tool, Compleye Online).
Complete checklist for ISO 27001 compliance
1. Define your ISO 27001 strategy and ambitions
To do #1 – Organisation & Context
Organisation and Context is a mandatory topic. A good way to get insights for Organisation & Context content is to define your products by defining (per product):
- High level description
- Type of customers
- Third parties involved.
This will lead you to ask:
- What is the compliance challenge?
- What are the security requirements?
If you can answer (and document) these questions, you are complying with ISO 27001.
To do #2 – ISMS Objectives
You’ll need to define, implement and review (on at least an annual basis) your ISMS objectives. In their article Information Security Objectives in ISO 27001, ISO27001guide.com says that “information security objectives in ISO 27001 allow organisations to set their requirements from the outset and to continuously monitor to ensure they are achieving them.”
2. Determine legal & compliance requirements
To do #1 – Interested Parties & Legal Requirements
Here, you’ll dive into legal requirements that you’ll need to fulfil for your third parties and define the expectations on both sides. The external auditor will expect that you’ve documented how you’ve established this process.
Examples of interested parties (https://www.iso9001help.co.uk/)
To do #2 – Intellectual Property
Intellectual property (IP) is a category of property that includes intangible creations of the human intellect. Typical IP for tech companies could be your source code, AI models, certain databases or a method of working. In brief, IP is anything you want to keep secret for your customers and competitors and that needs to be protected when your team is using it.
To do #3 – Contracts
Make sure you have 1 folder with all your contracts so that you have a good overview – and use different folders within that folder for different types of contracts (or stakeholders). Limit the access to these contracts within your organisation. The external auditor can ask to view 1 or 2 contracts (samples) during the audit.
To do #4 – Global Impact
Entering new markets will need some research on privacy and security requirements. Personal data privacy regulations need to be taken into consideration when contracting or expanding outside of the GDPR geographical area. Additional requirements for your ISMS can be ruled by:
To do #5 – GDPR
If you’re a company based in – or performing business in – Europe, you need to comply with GDPR. As you prepare for certification, you’ll need to:
- Define on what legal basis you are collecting data.
- Give an overview of all documentation for users.
- Have a register to keep track of end-users’ requests e.g. data deletion
- Create an overview of all data breaches.
- Have an overview of all Data Process Agreements.
3. Define scope
To do #1 – Define IT Infrastructure Components
ISO 27001 requests a scope for your ISMS, so you’ll need to define what you’ll take in scope. Defining the components of your IT Infrastructure will help you to define your scope.
To do #2 – Define ISMS Scope
Check out Compleye’s article, ‘How to Write an ISO 27001 Scope Statement (+3 Examples)’.
4. Chart all risks and opportunities
To do #1 – Suppliers Overview
When implementing a set of controls and processes to address suppliers’ risks, the following could be considered:
- Executing contractual agreements with each supplier.
- Maintaining a current and easily accessible list of suppliers.
- Formulating a Supplier Management Policy and Procedures document.
- Implementing suppliers change management processes and controls.
- Ensuring that suppliers meet the contractual information security requirements.
- Determining and adequately documenting, if applicable, whether suppliers have access to your IT infrastructure.
- Determining and adequately documenting, if applicable, whether suppliers may be involved in security procedures.
- Performing the relevant Supplier Risk Security Assessment.
To do #2 – Suppliers Assessment
Supplier Assessment is a very important topic in ISO 27001, especially for technology companies because they make use of so many suppliers. You’ll need to be in control of your suppliers – assess the high risk suppliers on a yearly basis on a number of topics. The owner of the supplier will need to review the supplier on basic information and contracts.
To do #3 – Vendor Assessment
Follow the following steps:
- Review existing vendors.
- Assign each vendor a security rating.
- Respond to security risks and define vendor performance metrics.
- Continuously monitor your vendors.
To do #4 – Data Classification
In the context of information security, data classification is based on its level of confidentiality and the impact on the organisation should that data should be disclosed, altered or destroyed without authorisation. Consider the following questions when classifying your information:
- What stakeholder data does your organisation collect?
- What data do you create as part of daily operations?
- What data, if lost, would have a particular impact on your organisation?
- What data would be classified as confidential?
- What data qualifies as personal data?
- Who is responsible for the integrity and accuracy of the data?
- Who can and should access the data.
To do #5 – Business Continuity Plan
At Compleye, we advise that you perform the BCP before internal audit and management review as this assessment will probably result in the last improvements you need to have in place to be ready for certification. Alternatively, perform the BCP twice: first, when you start implementing your ISMS and second, before your external audit.
To do #6 – ISRA
The Information Security Risk Assessment (ISRA) is the most important risk assessment in the ISMS and must be performed with your ISMS team. You’ll need to perform an ISRA on a yearly basis using the same method every year so that you can compare outcomes and results.
To do #7 – DRP & PEN Tests
Here’s a quick exercise for defining your crisis/disaster DRP:
Define what you (for your business) consider:
- An event
- An incident
- A disaster / crisis
When it comes to pentesting, Breachlock says it best with this great infographic:
To do #8 – GDPR Assessment
GDPR risks and opportunities abound. Three of each can be explored in this comprehensive Comforte article: “Three Risks and Opportunities of GDPR”.
Compleye Online provides a 22-question GDPR Assessment template.
To do #9 – Data Privacy Impact Assessment
A DPIA might be needed if you have multiple products: perform a DPIA per product (or service). If you work with different types of projects (eg Proof of Concept) you will also need to perform a new DPIA per project. When performing business with e.g. governmental organisations, it is likely that they will ask you to share a copy of your DPIA.
5. Decide on security policies & procedures
To do #1 – Security Policies & Procedures
Before you can add records, you will need to adopt Policies & Procedures. One of the ISO 27001 mandatory policies is the Security Policy – describing the intentions and ambition (objectives) you have defined for your ISMS.
To do #2 – Templates
There are numerous mandatory policies and procedures that need to be implemented in your ISMS. Creating this documentation can be time consuming and you might not be sure that you’ve covered all the necessary items. Using templates such as those supplied by an online tool like Compleye Online will provide the guidance that you need to meet the requirements to achieve certification.
To do #3 – Checklists
Your ISMS needs continuous improvement and maintenance.
Creating checklists is a lean way of keeping track of activities and steps when following improvement and maintenance procedures.
6. Set up a system for measures and controls
To do #1 – Security Metrics
Security Metrics are ‘KPIs’ defined to check if the information security management system is working effectively.
You will need to:
- Define what an incident is;
- Keep track of your incidents;
- Address incidents with corrective actions ;
- Dive into the root cause to define how you will prevent it in future.
- Keep track of your service levels.
To do #2 – Asset Management
Hardware assets that carry information, servers and data are all assets. To manage these you need to keep track of all of your assets and know what assets are being used and whether they are company-owned. You also need to keep track of changes and the movement of assets.
To do #3 – Controls
Annex A consists of 114 controls. You’ll need to adopt, implement and maintain controls. There are 2 ways that you can define and implement controls:
- Take the ISO 27001 Annex A list and define all the controls at the beginning;
- Gradually define controls as you work towards certification and adopt policies/procedures or perform assessments. Check that all Annex A controls are in place at the end.
To do #4 – Access Management
Access Management in general is an important topic for your ISMS. Not being in control of software access can easily cause incidents turning into data breaches.
You will need an Access Management Policy and must be in control of different types of access:
- Access to the office location
- Access to Hardware
- Access to Software
- Access to Documentation Storage
- Access to Data Overall
7. Implement operational checkpoints and follow-ups
To do #1 – Security Meetings
During Security Meetings with your ISMS team, you can make decisions on all topics related to your ISMS. You will need to assign a security meeting owner, document changes, check controls and evaluate improvements.
To do #2 – Calls to action for follow-ups
Security meetings are a mandatory part of the operational ISMS where the team gets to align, perform periodic checks, work collaboratively on tasks, planning, etc. All follow up tasks required from the ISMS team are defined with Calls to Action following the security meeting.
8. Take care of roles, responsibilities, leadership and management
To do #1 – Assign ISMS Roles
ISO 27001 requires that you have an ISMS team for set up, implementation and maintenance. You must also have an overview of all team members so security and privacy can be created around people and processes.
To do #2 – Assign Mandatory Security Roles
We advise that you start by assigning a minimum of 2 team members responsible for your ISMS. Always ensure that there is knowledge of technology and business within your ISMS.
Also assign a Security Officer (SO), Privacy Officer (PO) and Compliance officer (CO).
To do #3 – Office Security
If you have an office, you’re responsible for the physical security of your office and for keeping track of who’ll have access to the office (by key/card/code).
To do #4 – New Hires and Contracts
If you hire people, ISO 27001 expects that you’re in control of the number of team members, their job titles and who will lead/mentor each person. You’ll need to be in control of your labour contracts. If you’re in the scaling phase, it’s handy to have expiry dates etc. in one place.
To do #5 – Training
You will need to:
- Demonstrate how you support development of competencies of your (ISMS) Team members.
- Organise annual security awareness training.
- Prove what was on the agenda and who attended the training.
- Perform training evaluation.
To do #6 – HR & Organisation
ISO specific HR/Organisation requirements include:
Chapter 5: Top Management Responsibilities
- Demonstrate leadership and commitment
- Establish the Security Policy
- Establish and communicate responsibilities and authorities for ISMS roles
Chapter 7: Resources- Determine and provide the resources needed for the ISMS implementation, maintenance & continuous improvement.
- Focus on the Competencies needed to perform the job
- All ISMS team members should acknowledge their responsibilities as well as their contribution towards an effective ISMS
- Determine What, When, and How to communicate the ISMS priorities both internally and externally
- Determine and maintain what needs to be documented (in compliance with this standard).
9. Prepare for the actual ISO 27001 certification
To do #1 – Internal Audit
The goal of internal audit is to make sure that your ISMS conforms to your organisation’s own requirements (information security policy, procedures, security objectives, etc.) as well as to the requirements in ISO 27001 and evaluates whether the ISMS is effectively implemented and maintained. Check out our ‘It’s Internal Audit Time’ article to learn more.
To do #2 – Management Review
A management review is performed on an annual basis and you will need to assign a person who is responsible for the review. The process, although complex, can be distilled into three steps:
- MT/CEO meeting is planned to discuss all topics and suggestions for improvement.
- MT/CEO defines and accepts final improvements.
- MT/CEO finalises and approves the management review report to be shown as evidence during external audit.
To do #3 – Documentation
Next to the mandatory policies, procedures and records, there are 4 Mandatory Documents that need to be available and ready for the external audit certification:
- Management Review
- Internal Audit Report
- Scope of ISMS
- Statement of Applicability
To do #4 – Statement of Applicability
The SoA is a summary of your organisation’s implementation status on each of the 114 controls of Annex A of ISO 27001 and must define which controls are identified by your organisation to tackle the risks involved in the business. This can be done by conducting an ISO 27001 gap analysis and risk assessment.
10. Organise real-time ISO 27001 certification audit
To do #1 – Accredited Lead Auditor
Once you’re ready for audit, assign an accredited lead auditor. Lead auditors have been through extensive training, so you’re in good hands.
To do #2 – Plan to Maintain Certification
Once an organisation achieves ISO 27001 certification, it’s important to maintain the Information Security Management System (ISMS) on an ongoing basis to ensure it remains effective, relevant, and aligned with the organisation’s objectives. This is where the Compleye ISO 27001 maintenance package comes in.
You’re ready to start ticking off your Complete Checklist For ISO 27001 Compliance (2023)
Learn more about how Compleye can help you with your ISO 27001 compliance.
Chat to one of our super sales people and start ticking off your complete checklist for ISO 27001 compliance.