
MAINTAINING ISO 27001:2013 AFTER CERTIFICATION

If you thought that your job was over after the ISO 27001 certification, you’re
wrong – the real job with your Information Security Management System (ISMS)
has just begun.
OK, but where do you start? The good news is that you already have all the
directions in your documentation, but here is an overview of what you have to
focus on:
1) Operate the ISMS. 

First of all, you have to make sure you perform all the activities described in your
policies and procedures. And I don’t mean just artificially creating some records
and pretending that you are doing some activities because of the auditors – I mean
really walking the talk, complying with all the requirements in all of your
documents and producing the real records. If some of those requirements make no
sense in practice, then you have to simplify your documents, or delete the documents
that are not mandatory.

2) Update the documentation. 

Circumstances in your company will change – you’ll create some new products,
you’ll purchase some new software, your organization will change, etc. This means
you’ll have to update your policies or procedures or they will become useless. Best
practice is to nominate an owner for each document, and that person will have to
review his or her document periodically (usually once a year), and recommend
possible changes.

3) Review the risk assessment. 

Again, because circumstances change, the threats and vulnerabilities will change,
which means your risks will change; and if your risks have changed, your existing
controls won’t be enough. This is why you should send the results of the last risk
assessment to the risk owners so that they can review and update them if necessary;
once this is done, you have to implement new controls based on those results. This
review must be done at least once a year, or more often if a significant change has
occurred.

4) Monitor and measure the ISMS. 

Although this one seems too abstract and is probably the most difficult to
achieve, it is also one of the most important – otherwise, how would you know
whether you’re doing a good job or not? When speaking about monitoring, you
have to keep an eye on various security-related events like incidents, errors,
exceptions, etc. Based on this information, you can learn what to do better and how
to prevent future incidents from happening. But this is not all – you also have to
measure whether your ISMS achieves the intended results. To do this, you have to
measure whether you have achieved your objectives – for example, if the objective
was to decrease the number of incidents by 50% in the current year, you have to take
the actual number from the results of monitoring and compare it with the number of
incidents in the previous year.

5) Perform internal audits. 

This might seem just like one of those “Oh no, another useless ISO 27001 job,” but
the fact is – when done properly, an internal audit can reveal to you many more
security weaknesses than most of the other activities together. To achieve this, you
have to either train some of your employees to do this job, or hire an external
auditor. No matter which option you choose, you have to enable this person to do
the job thoroughly and be prepared to act upon the audit results.

6) Perform management review. 

This is a crucial activity, since it actively involves your top management in your
information security. You have to inform them about the key issues related to your
ISMS, and ask them to make crucial decisions – for example, changes in
organization, providing the budget, eliminating obstacles, etc.

7) Perform corrective actions.

Again, this is not some “ISO 27001 job,” because corrective actions are something
you perform regularly – most probably you already make improvements to what you
are doing, only you don’t call them “corrective actions,” so the trick is to continue
making those improvements in a form that is acceptable to ISO 27001. And don’t
forget that the certification body will perform surveillance visits at least once a
year – they will check all seven issues listed above, but also whether you have
closed all the non-conformities from their last visit, so make sure you haven’t
forgotten about them.

But basically, the maintenance of your ISMS comes down to this: you should do it
for your own sake, in order to make your company more secure – not because of
a certification auditor.
