Whether yours is a small organization with limited resources or a much larger company, obtaining ISO 27001 certification will be a challenge because you will need to have a team of people working operationally on this issue, conduct an analysis of the gaps in the company in addressing the regulatory requirements, perform a risk assessment, apply the necessary security controls, create all the necessary documentation, and deliver the training needed to create awareness among the staff. Only after all this work can you face first the internal audits and then those of the certification body.
As if this were not enough, once you have obtained ISO 27001 certification, you will need to maintain compliance over time in order to renew the certificate regularly and to ensure that you have taken into account the changes that will have occurred in the meantime and that will have repercussions on the security of your information. It would be a shame if, after all this work and effort, you lost the certification, wouldn't it? Let's see, then, how to make sure that this does not happen. Let's start by trying to understand how often it is necessary to recertify according to ISO 27001.
An organization's ISO 27001 certification lasts three years, and the certificate itself will indicate the date on which the certification was issued and when it will expire. As that day approaches, the organization will need to request recertification, which can be done with the same body that performed the initial audit or with another.
Let's now see how to maintain ISO 27001 certification between one recertification audit and the next. During the three years the certificate is valid, if you want to take full advantage of the work you have done, it will be important to ensure that the requirements of ISO 27001 continue to be respected in daily operations.
The first thing to do is to periodically review the list of risks to check whether new ones have arisen. Your information security management system was created precisely to address the risks you identified during the certification process, but you must never lower your guard or treat this work as something done once and for all, because the threat landscape is constantly evolving. For this reason, it will be necessary to regularly monitor the risks you face to ensure that your defenses remain adequate.
To remain compliant, you need to complete a risk assessment according to ISO 27001 at least once a year and every time you make substantial changes to your organization.
You can also use the results of the assessment to determine whether the controls are working as expected or whether additional defenses need to be adopted.
Another fundamental thing to do to maintain certification is to ensure that the system's supporting documentation is always up to date. The policies, processes, and procedures that you have designed and implemented to get certified have been created specifically for the context and for the way your organization was operating at that time. However, if there are changes in the work environment or in the way you work, you must ensure that the documentation takes them into account.
Pay attention, therefore, to significant changes in the way you perform certain activities, to new activities you have undertaken that involve sensitive data, to changes in your physical location, and so on.
Internal audits should also be carried out periodically; they provide a complete review of the effectiveness of your management system and help you assess the status of your compliance with ISO 27001.
Obviously, it is also essential to keep management informed of what the audits detect: any weak points in the system will need to be addressed, and you will need management's full support, because resolving these weaknesses will require time and resources that must be authorized.
Another fundamental thing to do to ensure that regulatory requirements are respected over time is to establish a regular management review process, both to inform management of the successes of the information security management system and to involve it in the process of maintaining certification.
There are no requirements to be met regarding the frequency with which the management review must take place, but it would be good to carry it out at least once a year and, ideally, every six months.
Remember that your management system is not set in stone: it can be improved both through corrective actions that resolve problems and through actions aimed simply at improving processes.
By regularly monitoring the effectiveness of your system, you should be able to take the corrective actions needed to prevent weak points from turning into serious problems. Remember that corrective actions that involve a substantial modification of the system should be discussed with management and, at least initially, should be subject to continuous monitoring and to whatever adjustments prove necessary.
Finally, you will need to promote constant information security awareness among staff, because one of the key principles of ISO 27001 is that the effective security of information is everyone's responsibility. Compliance with the requirements, in fact, must not be left to the IT department or to individual managers. Anyone within the organization who handles data plays a role in the organization's security and will need to understand their obligations for the protection of sensitive information and what is at stake.
This awareness training should be delivered regularly to keep people updated on any changes and to remind them why it is important to proceed in a certain way.