ISO 27001 - what to do after certification

Guest
Guest user Created:   Dec 11, 2019 Last commented:   Dec 11, 2019

1. Just a quick question. After you go through all the steps in ISO 27001, and after you get the recertification, do you need to redo a risk assessment every year? Or do you just follow up on the risks?
2. And risk-wise, do you do threat modeling/profiling to better capture risks, or what would you recommend?
3. And finally, what would you recommend doing yearly (and planning yearly) so that the certificate is kept in good health? Thank you very much in advance; any help is indeed greatly appreciated.

Expert
Rhand Leal Dec 11, 2019

1. Just a quick question. After you go through all the steps in ISO 27001, and after you get the recertification, do you need to redo a risk assessment every year? Or do you just follow up on the risks?

For ISO 27001, it is mandatory that risk assessment be performed at planned intervals, or when significant changes (i.e., related to defined criteria to perform risk assessment) are proposed or occur. Considering that, you cannot just follow up on identified risks; you have to perform at least one risk assessment between the audits planned by your certification body. For example, if your surveillance audits are annual, then you have to perform at least one risk assessment per year.

2. And risk-wise, do you do threat modeling/profiling to better capture risks, or what would you recommend?

Threat modeling/profiling is a good approach to help identify risks, but please note it is not mandatory for ISO 27001, so you should consider the costs and benefits of such an approach for each risk assessment you perform (e.g., for a big and complex risk assessment it may be useful, but for a smaller risk assessment scope a simple brainstorming technique may be simpler and obtain quite good results).

3. And finally, what would you recommend doing yearly (and planning yearly) so that the certificate is kept in good health? Thank you very much in advance; any help is indeed greatly appreciated.

One of the main advantages of a management system is that it already defines what must be done to keep the system up and running. The main points to be performed are:
- risk assessment and treatment
- awareness and training
- monitoring, measurement, analysis, and evaluation of controls and security objectives
- internal audit
- management review

By performing these activities, you will be aware of which corrections and improvements are needed and the priority they need to have to ensure the ISMS is continuously compliant and achieving its objectives.

These articles will provide you with further explanation about these topics:
- How to maintain the ISMS after the certification https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
- Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
