
An Integrated Approach: How ISMS.online Achieved ISO 27001 and ISO 27701 Recertification

In October 2024, we attained recertification to ISO 27001, the information security standard, and ISO 27701, the data privacy standard. With our successful recertification, ISMS.online enters its fifth three-year certification cycle—we’ve held ISO 27001 for over a decade! We’re pleased to share that we achieved both certifications with zero non-conformities and plenty of learning.

How did we ensure that we effectively managed and continued to improve our data privacy and information security? We used our integrated compliance solution, Single Point of Truth (SPoT), to build our integrated management system (IMS). Our IMS combines our information security management system (ISMS) and privacy information management system (PIMS) into one seamless solution.

In this blog, our team shares their thoughts on the process and experience and explains how we approached our ISO 27001 and ISO 27701 recertification audits.

What is ISO 27701?

ISO 27701 is a privacy extension to ISO 27001. The standard provides guidelines and requirements for implementing and maintaining a PIMS within an existing ISMS framework.

Why Should Organisations Look to Implement ISO 27701?

Organisations are responsible for storing and handling more sensitive information than ever before. Such a high, and increasing, volume of data is a lucrative target for threat actors, and keeping it safe is a key concern for both consumers and businesses.

With the growth of global regulations, such as GDPR, CCPA, and HIPAA, organisations have a mounting legal responsibility to protect their customers’ data. Globally, we’re steadily moving towards a compliance landscape where information security can no longer exist without data privacy.

The benefits of adopting ISO 27701 extend beyond helping organisations meet regulatory and compliance requirements. These include demonstrating accountability and transparency to stakeholders, improving customer trust and loyalty, reducing the risk of privacy breaches and associated costs, and unlocking a competitive advantage.

Our ISO 27001 and ISO 27701 Recertification Audit Preparation

As this ISO 27701 audit was a recertification, we knew that it was likely to be more in-depth and have a larger scope than a yearly surveillance audit. It was scheduled to last 9 days in total. Also, since our previous audit, ISMS.online has moved HQ, gained another office and had several personnel changes. We were prepared to address any non-compliances caused by these changes, should the auditor find any.

IMS Review

Before our audit, we reviewed our policies and controls to ensure that they still reflected our information security and privacy approach. Considering the big changes to our business in the past 12 months, it was necessary to ensure that we could demonstrate continual monitoring and improvement of our approach.

This included ensuring that our internal audit programme was up to date and complete, we could evidence recording the outcomes of our ISMS Management meetings, and that our KPIs were up to date to show that we were measuring our infosec and privacy performance.

Risk Management and Gap Analysis

Risk management and gap analysis should be part of the continual improvement process when maintaining compliance with both ISO 27001 and ISO 27701. However, day-to-day business pressures may make this difficult. We used our own ISMS.online platform project management tools to schedule regular reviews of the critical elements of the ISMS, such as risk analysis, internal audit programme, KPIs, supplier assessments, and corrective actions.

Using Our ISMS.online Platform

All information relating to our policies and controls is held in our ISMS.online platform, which is accessible by the whole team. This platform enables collaborative updates to be reviewed and approved and also provides automatic versioning and a historical timeline of any changes.

The platform also automatically schedules important review tasks, such as risk assessments and reviews, and allows users to create actions to ensure tasks are completed within the necessary timescales. Customisable frameworks provide a consistent approach to processes such as supplier assessments and recruitment, detailing the important infosec and privacy tasks that need to be performed for these activities.

What to Expect During an ISO 27001 and ISO 27701 Audit

During the audit, the auditor will want to review some key areas of your IMS. Typically, they will:

  1. Review your organisation’s policies, procedures, and processes for managing personal data and information security.
  2. Evaluate your information security and privacy risks and the associated controls to determine whether those controls effectively mitigate the identified risks.
  3. Assess your incident management. Is your ability to detect, report, investigate, and respond to incidents sufficient?
  4. Examine your third-party management to ensure adequate controls are in place to manage third-party risks.
  5. Check that your training programmes adequately educate your staff on privacy and information security matters.
  6. Review your organisation’s performance metrics to confirm they meet your outlined privacy and information security objectives.

The External Audit Process

Before your audit begins, the external auditor will provide a schedule detailing the scope they want to cover and if they would like to talk to specific departments or personnel or visit particular locations.

The first day starts with an opening meeting. Members of the executive team (in our case, the CEO and CPO) are present to satisfy the auditor that they manage, actively support, and are engaged in the information security and privacy programme for the whole organisation. This session focuses on a review of the ISO 27001 and ISO 27701 management clause policies and controls.

For our latest audit, after the opening meeting ended, our IMS Manager liaised directly with the auditor to review the ISMS and PIMS policies and controls as per the schedule. The IMS Manager also facilitated engagement between the auditor and wider ISMS.online teams and personnel to discuss our approach to the various information security and privacy policies and controls and obtain evidence that we follow them in day-to-day operations.

On the final day, there is a closing meeting where the auditor formally presents their findings from the audit and provides an opportunity to discuss and clarify any related issues. We were pleased to find that, although our auditor raised some observations, he did not discover any non-compliance.

People, Processes and Technology: A Three-Pronged Approach to an IMS

Part of the ISMS.online ethos is that effective, sustainable information security and data privacy are achieved through people, processes and technology. A technology-only approach will never be successful.

A technology-only approach focuses on meeting the standard’s minimum requirements rather than effectively managing data privacy risks in the long term. However, your people and processes, alongside a robust technology setup, will set you ahead of the pack and significantly improve your information security and data privacy effectiveness.

As part of our audit preparation, for example, we ensured our people and processes were aligned by using the ISMS.online policy pack feature to distribute all the policies and controls relevant to each department. This feature tracks each individual’s reading of the policies and controls, ensures individuals are aware of the information security and privacy processes relevant to their role, and provides a record of that compliance.

A less effective tick-box approach will often:

  • Involve a superficial risk assessment, which may overlook significant risks.
  • Ignore key stakeholders’ privacy concerns.
  • Deliver generic training not tailored to the organisation’s specific needs.
  • Execute limited monitoring and review of your controls, which may result in undetected incidents.

All of these open organisations up to potentially damaging breaches, financial penalties and reputational damage.

Mike Jennings, ISMS.online’s IMS Manager, advises: “Don’t just use the standards as a checklist to gain certification; ‘live and breathe’ your policies and controls. They will make your organisation more secure and help you sleep a little easier at night!”

ISO 27701 Roadmap – Download Now

We’ve created a practical one-page roadmap, broken down into five key focus areas, for approaching and achieving ISO 27701 in your business. Download the PDF today for a simple kickstart on your journey to more effective data privacy.


Unlock Your Compliance Advantage

Attaining recertification to ISO 27001 and ISO 27701 was a significant achievement for us at ISMS.online, and we used our own platform to do so quickly, effectively and with zero non-conformities.

ISMS.online provides an 81% head start, the Assured Results Method, a catalogue of documentation that can be adopted, adapted, or added to, and our Virtual Coach’s always-on support. Easily ensure your organisation is actively securing your information and data privacy, continuously improving its approach to security, and complying with standards like ISO 27001 and ISO 27701.

Discover the benefits first-hand – request a call with one of our experts today.
