This is a recommendation of work priorities in Cyberday, when the goal is to be ready for ISO 27001 certification audit.
All steps are necessary to take, so you should familiarize yourself with the full list. However, you can tune the order of some to suit your preferences better (e.g. depending on your starting compliance level).
If you're starting a new ISO 27001 implementation, you should be using the 2022 standard version.
If your goal is to be audit-ready, you should start immediately with the Full (level 3) framework. Some users have wanted to start from levels 1 or 2 to first see a limited set of tasks. This is totally fine too, as long as you remember to switch to the level 3 framework when the time is right.
To get an idea of your current compliance level, you should proceed with the following things:
Tip: This will enable you to see the starting compliance status from the ISO 27001 compliance (Statement of Applicability) report also.
Most important data assets in Cyberday are the following:
At this point, you should invite as 'contributors' the users to whom you want to assign different assets. You don't necessarily need to send out invitations yet - users can also be silently added.
Personnel awareness and guidance are big parts of your information security.
At this point you should use your existing materials or Cyberday's examples to create employee guidelines for different themes (e.g. Mobile device use, Remote working, Password usage, Phishing prevention). After you have activated some guidelines, you will see the look of your current guidance in the Guidebook tab.
You should also decide whether you want to enable training extensions in Cyberday. You can find these from Organization dashboard -> Settings -> Guidebook settings.
The Guidebook will later be deployed to the whole staff in a separate step. At this point you can try out the Guidebook process (e.g. notifications) with your key users, to see how your staff would interact with Cyberday.
You can create all needed documents e.g. for the phase 1 ISO 27001 audit from Cyberday's Reporting-section.
The main documents needed in the phase 1 ISO 27001 audit are the following:
At this point the important thing is to create these reports, review them and fill in the parts that have the "needs your input" warning label. It's also otherwise important to get familiar with the contents, although when working with Cyberday, the app mostly guides your work to match with what the documents say.
In the screenshot below, you can see an example of the Statement of Applicability and how it could look at an audit-ready level. Once again, this can vary from organization to organization, but generally the map should be filled green.
At this point we recommend doing the following:
The latter part will need some resources and time, so you should take into account task priorities, possible perceived risks and your own deadlines while doing this.
At this point you may also want to invite more contributors to your account, who know most about implementation of each task.
When you've implemented previous steps, you have created yourself a great base for efficient and successful risk management.
Now it would be the time to go to Organization dashboard -> Risk management and leadership -> Cyber security risks and start the work there.
You should be:
Tasks linked to mandatory requirements in ISO 27001 (instead of controls in ISO 27002) are the ones that will result in major non-conformities during the certification audit if not properly implemented.
Examples of such topics include internal audits and management reviews. You need to have implemented and documented the results of at least one of each, and also have the procedure document clearly defining your approach.
Other examples of common non-conformities in ISO 27001 certification audits include:
To get the employee awareness processes deployed, you will need to distribute the Cyberday app for all employees.
This can be easily done with the help of our Teams or Slack integrations.
Once you have created an app setup policy, your employee guidance will automatically run for everyone on your Teams tenant.
Finally to start the collaboration with an auditor, you will need to take a couple of steps to share content for them.
The default way we recommend is to invite the auditor to your ISMS as an external user, and limit their access to 'contributor' level.
This will enable you to share the needed reports with the auditor and point them directly to the content they need. You can also use broader access rights for the auditor (e.g. core team), but that's usually neither necessary nor helpful, just too much information.
You can refer to this help article about sharing reports with an auditor directly via Teams.
This article should give you an overview of the main steps towards being ISO 27001 certification-ready using Cyberday.
This is just an overview though, which can be tuned to your preferences. Our team is ready and happy to assist you further. Book a 45-minute meeting with us to hear more!