Get FREE 12-month access to the AI-Powered Knowledge Base worth $450
with your ISO 27001 toolkit purchase
Limited-time offer – ends June 27, 2024

Expert Advice Community


ISO 27001:2013 Certification

Guest user Created:   Nov 21, 2022 Last commented:   Nov 21, 2022

ISO 27001:2013 Certification

First of all, I would like to congratulate you for your beautiful work, I follow you on your channels and we are partners with Advisera here in Brazil.

We are preparing for ISO 27001:2013 Certification, I would like to ask you a question, so that we can be successful in our certification, I need to focus on the mandatory documents and registration, these are the main requirements, and apply the controls that I use I need Annex A in view of my context and established scope, which are validated in my declaration of applicability.

my doubt is whether the way we are conducting the implementation process as mentioned i is correct! a big hug!

0 0

Assign topic to the user


Step-by-step implementation for smaller companies.


Step-by-step implementation for smaller companies.

Rhand Leal Nov 21, 2022

Please note that ISO 27001 provides a systematic way to implement Information Security management, and its sequence is a bit different from what you proposed:

  1. getting management buy-in for the project
  2. defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational and the requirements of interested parties
  3. development of risk assessment and treatment methodology
  4. perform a risk assessment and define a risk treatment plan
  5. controls implementation (e.g., policies and procedures documentation, acquisitions, etc.)
  6. people training and awareness
  7. controls operation
  8. performance monitoring and measurement
  9. perform internal audit
  10. perform management critical review
  11. address nonconformities, corrective actions, and opportunities for improvement.

In short:

  • part of the mandatory documents and records are created before risk assessment and treatment processes (e.g., scope, objectives, organizational structure), and the other part after it (e.g., policies and procedures documentation related to implemented controls, internal audit report, management review, etc.)
  • controls are implemented after the approval of the Statement of Applicability, not before

This article will provide you with further explanation about ISO 27001 implementation:

0 1

Comment as guest or Sign in

HTML tags are not allowed

Nov 21, 2022

Nov 21, 2022

Suggested Topics