When thinking about achieving ISO27001 certification, many people don’t think much beyond the day when the external auditor utters those important words “Congratulations. I am recommending you for certification to ISO27001”.
But once you have completed your audit, and you have received your formal notification from the Certification Body, what next?
You’ve done the hard work, right? You’ve passed your ISO27001 certification audit so it’s time to rest and put up your feet, right?!
Sadly, no… Not quite.
There are steps you need to think about post-certification, so let's take a look at what you need to do.
No 1: Celebrate
We believe your first step is, in fact, to celebrate your success! You did a lot of work to get the certificate on your wall, and it's an achievement you should celebrate with those who helped you.
It's a good news story for you, your team and your business, so think about internal and external communications. Remember that during the process of building your ISMS you identified internal and external 'interested parties', so who on that list would be interested in knowing you have achieved ISO27001?
Your landlord and bank might not be interested, but your customers will be. Your investors and employees will be interested to hear, and they’ll most likely want to know what it means to your business.
You should celebrate by thanking those who helped you achieve the certification, such as the HR function and the IT function. They will most certainly have been involved in the external audits, so recognise their contribution. You're going to need their support moving forward, so give them the credit they deserve and you'll have their support for future audits.
No 2: Follow your Audit Plan
During the build phase of your ISO27001 ISMS, you put together an internal audit plan, and now is the time to put it into practice.
Follow the plan, so that audits are conducted at the frequency and with the scope you committed to when you devised it.
In our experience, this is where the wheels (quickly) come off for most organisations. As the saying goes, "Time waits for no one", and it certainly doesn't wait for audits or auditors. Before you know it, you'll turn around and three months will have gone by with no audits conducted!
You have a plan, so stick to it and conduct those audits that you committed to during your build phase.
Oh, one more thing… Some auditors say that you should audit ALL of the Annex A controls every year. This is not true. Clause 9.2 requires your audit programme to take into account the importance of the processes concerned and the results of previous audits, so your audits should be based on risk. If you have outsourced a lot of operations, then supplier management may need more scrutiny and more frequent audits than other areas. Whatever you decide, document the reasoning behind your audit scope and frequency, so that you can show the external auditor why some areas are audited more often than others.
No 3: Carry out your Management reviews
In ISO27001, Clause 9.3.1 states that Top Management shall review the ISMS at "planned intervals". What those intervals are is down to you, but we would suggest that in the first year they should be at least quarterly, and the frequency may need to increase depending on your risk profile (e.g. the size of your business, the sector you are in, and the customers that you serve).
Whatever the intervals are, make sure these are planned and are in YOUR diary and in the top management’s diary too. This way you won’t get to the end of a year and see that you’ve had no management reviews at all!
No 4: Carry out Training and Awareness
Things change, internally and externally, and your interested parties need to be kept up to date with the latest threat intelligence about risks, threats and vulnerabilities. Your training and awareness programme will be specific to your business, and can include anything from simple team briefings to extensive awareness campaigns.
Whatever approach you take, make sure you update your training materials and communicate the changes to your interested parties. This also needs to happen when there are significant changes in your business, such as a change of systems, policies or procedures. Of course, if you acquire a new business then this is a significant change and could well require further training.
No 5: Carry out Emergency Exercises
You may think this relates specifically to Business Continuity exercises, but that is only part of the task. As well as a Business Continuity or Disaster Recovery exercise, you should also conduct a fire evacuation test and a backup restore exercise. A backup that has never been restored is untested, so actually restore data from backup onto a separate system and check that it is complete and usable.
Your BCM exercise could include any of these things, but you should most certainly treat them as three separate aspects of emergency preparedness that you need to cover.
No 6: Run a Risk Workshop
Although you will talk about risks and risk management in the management review meetings, we would suggest that you also conduct a risk workshop on an annual basis. This is an extended review of all the risks on your risk register, and may include additional members of the business who are not involved in your management reviews.
As this is a workshop, it needs more planning and will take longer to run (allow at least two hours).
It’s all about Continual Improvement
Once you have achieved ISO27001 certification you can quite rightly be proud of this achievement. But it is just the start of your journey to becoming a more secure business.
ISO27001 is all about continual improvement, and therefore you should be looking for incremental improvements in all aspects of your security programme.
These are the things that need to be considered following the certification process.
Failure to do the above will no doubt result in a rush of activity in 12 months' time, when you are due your scheduled ISO27001 surveillance audit. This isn't good for you, and it's not good for the standard.
By embracing the steps and tasks outlined above you can ensure your ISO27001 certification doesn't become a paper shield that simply looks nice but won't protect you from cyber incidents and events.
Of course, if you find yourself confused by any of the above or you need help with your ISMS programme, you can get in touch with us to discuss how we can help. There are also some topics that we cover on our ISO27001 FAQ page, so check that out too as that might also help.