4 phases of an ISO27001 Information Security Management System implementation.

More and more companies are seeing the value of obtaining an ISO27001 certificate. After all, there are continuously new cyber threats and attacks and more and more legislation and certain sectors require companies to implement specific security standards. A security certificate is therefore becoming a key business enabler. 

The digital security coaches of Toreon support you in implementing an ISO27001 Information Security Management System (ISMS) in your organization. Such a process consists of 4 phases. 

1. Shaping your ISMS
2. Implementing ISO27001 
3. Monitoring and controlling your ISMS
4. Improvement and certification 

Phase 1: Shaping your ISMS

With the help of our consultant, we will draw up the necessary documentation (security policy, processes, instructions) so that the requirements of the standard can be translated into a ‘security operating model‘ tailored to your organization. 

This happens in practice in 2 steps.  

1. The consultant draws up a first version of the documentation, based on the security risk assessment results and the Toreon document database. This database contains many examples of detailed ISMS documents, which the coach can use to create efficient and qualitative documentation for you.  
2. Then the feedback from your stakeholders is processed, after which the coach sets up an ISMS, with documents tailored to your company. The 80/20 rule applies here. 80% of the documentation is sector-specific, as the same measures often recur, and 20% is organization-specific.

Phase 2: Implementing ISO27001 

In phase 2, your consultant coaches you to technically and operationally implement technical controls that were determined in the first phase. 

In this phase, you take charge of the ISO27001 implementation process, applying all processes and controls. Toreon’s high-tech security experts are available to support you. The goal is to make your security officer self-reliant so that he can maintain the system himself. In this phase, Toreon also provides ‘security awareness‘ sessions to communicate all new security requirements to all your employees. 

Phase 3: Monitoring and controlling your ISMS 

Toreon performs a first internal audit to check if you are ready to obtain the ISO27001 certificate. Such an internal audit is also a hard condition to obtain your certificate. This audit is done by consultants who were not involved in the implementation of your ISMS, to ensure sufficient objectivity and neutrality. 

The consultants use the same method as external auditors, in accordance with the requirements of ISO19011. In this way, your organization is optimally prepared for an external certification audit.  

Phase 4: Improvement and certification 

The non-conformities that have come to light from the internal audit must be eliminated before your organization can be certified. Toreon coaches you on this and at the same time helps you to administratively plan the certification. Your consultant is also present during the external audit to talk to the auditors. Toreon’s consultants have experience in external audits and know very well what external auditors expect and can translate their expectations to the measures implemented by the organization.