ISO-27001-certification

How to maintain your ISO 27001 certification

Guide to maintaining your ISO 27001 certification

Maintaining ISO 27001: Even with the best help and support available, achieving ISO 27001 certification is challenging. Finding the right certification body and getting through the certification process takes time, effort and real organisational commitment.

So once you’ve succeeded, it can be tempting to celebrate and then just stop thinking about it all.

But ISO 27001 isn’t a fire and forget standard.  In order to maintain your ISO 27001 certification, you must undergo a three-year audit cycle.

Your ISO 27001 certification body will be keeping a close eye on your information security management system or ISMS. It will undergo regular external maintenance audits during your certification’s three-year life cycle. You’ll need to run effective internal audits too. They’re as big a part of the audit process as your initial certification audits.

And at the end of those three years, you’ll need to be ready for ISO 27001 recertification.

Here are our top five tips for maintaining ISO 27001

We always say that good information security is a bit like looking after your car.

To keep driving around happily and safely, you need to stay on top of everything from road tax and insurance to regular services and MOTs. And you’ll regularly check all the little details, from how your tires are wearing to whether you’re running out of windscreen cleaner.

Information security isn’t just a box you tick. It’s an entire process that’s always ongoing.

Remember that your ISMS is for life, not just for ISO 27001 certification day

The best way of maintaining your ISO 27001 certification is to make ISMS care part of your day-to-day business operations. The more you can smooth it all out, the fewer maintenance peaks you’ll have to climb and troughs you’ll get stuck in. And the safer your data assets will be!

Start by keeping your ISMS’ internal audits chugging along. Try and do one a month for eleven months. That’s much better than leaving them all to the last minute, then suddenly finding that all your internal management system audits are due a couple of days before your external auditors arrive.

Make sure you’re carrying out periodic reviews across your organisation

You’re not the only one who needs to keep an eye on your ISMS.

Involving your senior leaders through a regular management review process is a key ISO 27001 requirement. There’s no set frequency for them. One a year’s considered acceptable, but for a properly managed ISMS we recommend holding management reviews at least every six months.

That’ll help you:

Keep senior managers up to date with the fast-moving world of data security, sharing details of:

  • Any cyber security threats or data breaches your ISMS has dealt with
  • Your risk assessment and risk management strategies
  • Other ISMS or ISO 27001-relevant events and developments

Maintain their buy in and general or specific support, so they:

  • Support and drive best practice across your business
  • Remain compliant with your ISMS themselves
  • Stay aware of any internal processes that need their involvement

Take their strategic aims into account as you manage and evolve your ISMS, to:

  • Guide you as you continually improve it
  • Make sure all your activities are on the right track
  • Check in on any third parties they’re dealing with at a senior level

And if other departments look after parts of your ISMS, make sure you stay in regular touch with them. It’s very frustrating to be on top of your own responsibilities, then find at the last moment that your human resources, legal or even intellectual property people (for example) have dropped the ball.

An avoidable data breach in another part of your organisation is an unwelcome surprise, but with a little best practice behaviour it’s a simple one to avoid. And that’s the kind of excellent business behaviour ISO standards are built to define and encourage.

Don’t let ISMS compliance drop off your colleagues’ radar

We recommend an ongoing information security awareness and communications programme.

You’ve probably already shared details of the ISO 27001 certification process. An ongoing comms programme that keeps running after certification will help your colleagues:

  • Stay aware of the security controls that apply to them
  • Remain compliant with them
  • Keep a broader lookout for potential incidents or issues

Letting them know when your ISMS has fended off cyber attacks or dealt with any other information security challenges will also help them understand its value to your business.

Possible comms activities include:

  • Monthly posters sharing details of any information security attacks or events
  • Regular spoof phishing emails to see how many people respond appropriately
  • Ongoing information security training and refresher sessions
  • Making sure the right people can access relevant parts of your ISMS documentation

And that’s just for starters. There are many more ways you can ensure compliance across your organisation. If you have an internal comms team, we recommend setting up a regular review session with them. And if you don’t, you’ll need to implement your own ISO 27001 comms programme.

Correct any ISMS issues as soon as they appear

An unexamined ISMS is not worth having. So you’ll keep a constant eye on it. And when you identify any issues, you’ll log corrective actions and implement a response to them. That’s where many organisations slip up. They collect and log actions, but then lose focus and just ignore them. Don’t make that mistake!

  • Always stay on top of your corrective actions.

Not responding to corrective actions is probably the easiest way to get a non-conformance at your next audit. Which also makes it one of the easiest problems to avoid. Just build regular corrective action sessions into your weekly and monthly schedule. Why risk audit problems when it’s so easy to avoid

Keep an eye out for ISMS evolution opportunities

ISO certification can cover a lot more than just information security. And achieving compliance or certification with other standards and regulations will boost:

  • Your organisation’s brand and efficiency
  • Your return on your governance, risk and compliance investment

We make it easy to evolve your ISO 27001 certified ISMS into an integrated management system that covers multiple ISO and other standards. They include:

  • Privacy management focussed ISO 27701
  • Business continuity focussed ISO 22301

The ISO certification process is very similar from standard to standard, so once you’ve achieved one certification getting the next one will be a simpler task. If you’ve built an integrated management system using our platform it’ll be easy to re-use work done for one standard to achieve another.

And it’s not just about ISO certification. Your ISMS can also help you show compliance with regulations like GDPR and POPIA too.

Frequently asked questions

How long does ISO 27001 certification last for?

Your organisation's ISO 27001 certification will last for three years.

What are the benefits of maintaining your certification?

Your ISMS will evolve with external threats and your own company's growth. It'll stay robust, relevant and effective, minimising risks to your organisation's information security. And of course avoiding non conformities during your certification's three-year lifespan is an achievement in itself.

Are ongoing audits part of the ISMS maintenance process?

During the three year lifespan of your ISO 27001 certification you'll undergo annual external audits from your certification body and carry out your own internal audits. We recommend carrying out internal audits once a month, rather than in a rush just before your external audit.

Can your colleagues help maintain your certification?

Yes. Once you've celebrated certification you need to make sure they stay aware of your ISMS. They should understand which policies and controls affect them and maintain compliance with them. We recommend creating comms procedures to keep them in touch with your ISO 27001 systems.

Can your senior managers help maintain your certification?

Yes, that's essential. Keeping your senior business leaders involved and in the loop during your certification is a key ISO 27001 requirement. You'll need their support and buy-in to implement, maintain and evolve your ISMS. And you need to make sure you're in compliance with their strategy, and they're complying with any relevant policies and controls.

Can your suppliers help maintain your certification?

If the companies your organisation works with fall within your ISMS' scope then you'll need to demonstrate their compliance with it. That means sharing relevant parts of its documentation with them and making sure their employees comply with any relevant policies or controls.

Do your customers need to know about your ISMS?

Absolutely yes! It'll build their trust in you, helping your business win new customers and retain existing ones. Make sure the details of your ISO 27001 certification are easy to share with other companies during your sales process and keep your customers updated with any relevant security achievements.

The Benefits of ISO 27001 »

Last Edited: January 26th, 2022
Author

Al Robertson

Al is a professional writer and published author who covers a range of topics. He has written a range of articles on compliance and especially on information security and how ISO 27001 certification can help organisations grow.

View all posts by Al Robertson

Related Posts

Explore ISMS.online's platform with a self-guided tour - Start Now