This is a recommendation of work priorities in Cyberday, when the goal is to be ready for ISO 27001 certification audit.
All steps are necessary to take, so you should familiarize yourself with the full list. However, you can tune the order of some to suit your preferences better (e.g depending on your starting compliance level).
1. Activate ISO 27001 framework (2022 or 2013 version)
Where to find this view: Dashboard -> Organization name drop down -> Frameworks -> Edit frameworks
If you're starting a new ISO 27001 implementation, you should be using the 2022 standard version.
If your goal is to be audit-ready, you should start immediately with the Full (level 3) framework. Some users have wanted to start from levels 1 or 2 to first see a limited set of tasks. This is totally fine too, as long as you remember to switch to the level 3 framework when the time is right.
2. Map starting status of critical, high and normal priority tasks
To get an idea of the level your compliance is now, you should continue to the following things:
- Invite users you want to assign as theme owners
- Set theme owners
- Each theme owner goes through pending tasks, activates the ones that you have implemented (at least partially) and sets them to the correct status
Tip: This will enable you to see the starting compliance status from the ISO 27001 compliance (Statement of Applicability) report also.
3. Create and assign your asset inventory
Most important data assets in Cyberday are the following:
- Data systems - the software assets used for processing and storing data
- Data stores - different big logical data repositories (e.g. customer data vs. personnel data) where data can be stored in multiple formats and locations
- Data sets - the data either in data systems or other electronic / physical formats needed for carrying out certain task (e.g. billing, authentication)
- Other assets - e.g. other critical equipment, if you have some
- Offices - your physical premises
At this point, you should invite the users as 'contributors' who you want to assign different assets for. You don't necessarily need to send out invitations yet - users can also be silently added.
4. Create personnel guidelines
Personnel awareness and guidance are big parts of your information security.
At this point you should use your existing materials or Cyberday's examples to create employee guidelines for different themes (e.g. Mobile device use, Remote working, Password usage, Phishing prevention). After you have activated some guidelines, you will see the look of your current guidance in the Guidebook tab.
You should also decide, if you want to enable training extensions in Cyberday. You can find these from Organization dashboard -> Settings -> Guidebook settings.
Guidebook will later be deployed to the whole staff in a separate step. At this point you can the Guidebook process (e.g. notifications) with your key users, to see how your staff would interact with Cyberday.
5. Create and review needed documents / policies / reports
You can create all needed documents e.g. for the phase 1 ISO 27001 audit from Cyberday's Reporting-section.
The main documents needed in the phase 1 ISO 27001 audit are the following:
- ISMS description and scope
- Information security policy andobjectives
- Risk management procedure and results
- Statement of Applicability (SoA)
- Personnel awareness and guidanceprocedure
- Internal audit procedure and results
- Management review procedure and results
At this point the important thing is to create these reports, review them and fill in the parts that have the "needs your input" warning label. It's also otherwise important to get familiar with the contents, although when working with Cyberday, the app mostly guides your work to match with what the documents say.
In the screenshot below, you can see an example of the Statement of Applicability and how it could look like on an audit-ready level. Once again, this can vary from organization to organization, but generally the map should be filled green.
6. Fill task assurance information and close gaps
At this point we recommend doing the following:
- Making sure that the tasks tell the correct story of your security readiness, i.e. filling assurance information for tasks
- Implementing important tasks, which are not activated yet
The latter part will need some resources and time, so you should take into account task priorities, possible perceived risksk and your own deadlines while doing this.
At this point you may also want to invite more contributors to your account, who know most about implementation of each task.
7. Start working on risk management
When you've implemented previous steps, you have created yourself a great base for efficient and successful risk management.
Now it would be the time to go to Organization dashboard -> Risk management and leadership -> Cyber security risks and start the work there.
You should be:
- reviewing the risk list and adjusting evaluations if needed
- adding custom tasks / controls, which are controlling some risks but are missing from your ISMS
- queuing top risks for treatment
8. Make sure you have implemented ISO 27001 specialities
Tasks linked to mandatory requirements on ISO 27001 (instead of controls in ISO 27002) are ones that will result in major non-conformities during the certification audit if not properly implemented.
Examples of this kind of topics are e.g. internal audits and management reviews. You need to have implemented and documented the results of at least one of both and also have the procedure document clearly defining your approach.
Other examples of common non-conformities in ISO 27001 certification audits include:
- Insufficient risk treatment - e.g. the linkage from risk evaluation to risk treatment broken (6.1)
- Missing information security requirement listing - you need to list e.g. customer requirements, other national legislations, other standards followed on top of ISO 27001 (A.18.1.1)
- User access rights not reviewed (A.9.2.5)
- Asset inventory not properly documented (A.8.1.1)
9. Deploy Cyberday for your staff
To get the employee awareness processes deployed, you will need to distribute the Cyberday app for all employees.
This can be easily done with the help of our Teams or Slack integrations.
Once you have created an app setup policy, your employee guidance will automatically run for everyone on your Teams tenant.
10. Finalize your ISO 27001 audit readiness
Finally to start the collaboration with an auditor, you will need to take a couple of steps to share content for them.
The default way we recommend is to invite the auditor to your ISMS as an external user, and limit their access to 'contributor' level.
This will enable you to share needed reports for the auditor and point them directly to the content they need. You can also use broader access rights for the auditor (e.g. core team), but that's usually not necessary nor helpful, just too much information.
You can refer to this help article about sharing reports to auditor directly via Teams.
Feel free to ask more guidance from us!
This article should give you an overview of the main steps towards being ISO 27001 certification-ready using Cyberday.
This is just on overview though, which can be tuned to your preferences. Our team is ready and happy to assist you further. Book a 45-minute meeting with us to hear more!
