Maintaining an ISO 27001 Information Security Management System (ISMS) involves a continuous cycle of activities to ensure the system remains effective, adapts to changes, and complies with the standard over time. Maintenance is crucial to sustaining the integrity, security, and efficiency of the ISMS, ensuring that it evolves alongside emerging threats, organizational changes, and regulatory requirements.
Often, a lack of resources means that processes are run at the last minute, just before an audit. Certification Bodies look for evidence that the ISMS has been operated continuously throughout the year, so dates matter. If your evidence shows that everything was done in the weeks before the audit, you will have an uncomfortable time with the auditor.
InfoShelter assists many of our clients with the maintenance of their ISO 27001 ISMS. This is done to great effect, with a 100% success rate of defending our clients’ management systems in external audits. Depending on the level of help needed, we can either add value where needed (e.g. where there is a particular internal ISMS skill gap), or we can become part of your team, attending meetings and taking full responsibility for the maintenance of the ISMS, including hosting external certification and surveillance audits.
But what does ISMS maintenance look like? Below are some of the key activities required to maintain an ISMS – all of which would feature as options in our tailored packages:
Continuous Risk Monitoring: New threats and vulnerabilities emerge over time. Regularly assessing risks and updating the risk register is key to maintaining an effective ISMS.
Risk Re-Evaluation: Conduct regular risk assessments, particularly when significant changes occur (e.g., new technologies, business processes, or regulatory requirements).
Adjusting Controls: Based on new risks or changing business environments, update or implement new controls to ensure risks are effectively mitigated.
Periodic Audits: Conduct regular internal audits to ensure that the ISMS is functioning as intended, and that policies, procedures, and controls are being followed.
Corrective and Preventive Actions: Identify any non-conformities or areas for improvement and develop corrective and preventive action plans.
Audit Reports: Document findings and ensure that audit results are communicated to management and other stakeholders to maintain awareness of the ISMS status.
Incident Response: Maintain an incident management process to handle and report security incidents effectively. This involves logging, investigating, and mitigating security breaches.
Incident Review and Improvements: After resolving incidents, conduct a root cause analysis to prevent recurrence and refine the ISMS to mitigate similar risks in the future.
Learning from Incidents: Use incidents as learning opportunities to improve your controls and ISMS processes.
Periodic Reviews: Top management should regularly review the performance of the ISMS to ensure its alignment with business goals and compliance with ISO 27001.
Reviewing Objectives and KPIs: Evaluate whether information security objectives are being met and whether Key Performance Indicators (KPIs) for the ISMS need to be adjusted.
Decision-Making: Management should use these reviews to make decisions on updates, improvements, resource allocation, and changes in security strategy.
Performance Metrics: Establish and monitor key performance indicators (KPIs) to measure the effectiveness of the ISMS. For example, track incidents, audit findings, control effectiveness, and compliance rates.
Continuous Monitoring Tools: Use automated tools and systems to monitor information security activities, detect anomalies, and track performance.
Analysis and Action: Analyze monitoring results to identify areas for improvement, and take corrective action when necessary.
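As an added example of the kind of automated check these metrics call for (this is illustrative code written for this page, not InfoShelter's tooling or anything the standard prescribes): the script below takes a log of dated evidence records for recurring ISMS activities and reports, per activity, the longest gap between records and how much of the evidence falls in the month before the audit. It turns the "dates are important" point from the top of the page into something you can run against your own evidence register. The evidence records, activity names, cadence limits and audit date are all constructed for the example.

```python
"""Evidence-cadence check for recurring ISMS activities.

Flags two things an auditor will notice: an activity whose records are
further apart than its agreed cadence, and an activity whose evidence is
bunched into the window just before the audit.
"""
from datetime import date, timedelta

# Constructed evidence log: (activity, date the evidence was produced).
# Invented for this example, not taken from a real ISMS.
EVIDENCE = [
    ("risk_review", date(2024, 1, 15)),
    ("risk_review", date(2024, 4, 10)),
    ("risk_review", date(2024, 7, 8)),
    ("risk_review", date(2024, 10, 2)),
    ("internal_audit", date(2024, 11, 1)),
    ("internal_audit", date(2024, 11, 5)),
    ("management_review", date(2024, 3, 1)),
    ("management_review", date(2024, 11, 10)),
    ("phishing_simulation", date(2024, 11, 12)),
]

# Assumed cadence policy: maximum acceptable days between records.
CADENCE_DAYS = {
    "risk_review": 92,
    "internal_audit": 183,
    "management_review": 183,
    "phishing_simulation": 92,
}

# Assumed date of the next surveillance audit.
AUDIT_DATE = date(2024, 11, 15)


def gaps_for(dates, period_start, period_end):
    """Days between consecutive records, including the run-in from the start
    of the review period and the run-out to the audit date, so an activity
    that lay dormant for most of the year is caught as well."""
    points = [period_start] + sorted(dates) + [period_end]
    return [(later - earlier).days for earlier, later in zip(points, points[1:])]


def assess(evidence, cadence, audit_date, period_days=365, window_days=30):
    """Per activity: record count, longest gap, whether the cadence was
    breached, and the share of records produced in the pre-audit window."""
    period_start = audit_date - timedelta(days=period_days)
    window_start = audit_date - timedelta(days=window_days)

    by_activity = {}
    for activity, when in evidence:
        by_activity.setdefault(activity, []).append(when)

    report = {}
    for activity, max_days in cadence.items():
        dates = [d for d in by_activity.get(activity, [])
                 if period_start <= d <= audit_date]
        gaps = gaps_for(dates, period_start, audit_date)
        in_window = sum(1 for d in dates if window_start <= d <= audit_date)
        share = in_window / len(dates) if dates else 0.0
        report[activity] = {
            "records": len(dates),
            "max_gap_days": max(gaps),
            "overdue": max(gaps) > max_days,
            "share_in_audit_window": share,
            # More than half the year's evidence dated in the last month
            # is the pattern the page warns about.
            "bunched": bool(dates) and share > 0.5,
        }
    return report


if __name__ == "__main__":
    for activity, row in assess(EVIDENCE, CADENCE_DAYS, AUDIT_DATE).items():
        flags = [k for k in ("overdue", "bunched") if row[k]]
        print(f"{activity:20s} records={row['records']} "
              f"max_gap={row['max_gap_days']:3d}d "
              f"pre-audit share={row['share_in_audit_window']:.2f} "
              f"{' '.join(flags) or 'ok'}")
```

With the constructed data, the quarterly risk reviews pass, the two internal audits squeezed into the first week of November are both overdue (351 days with nothing) and bunched, and the single phishing simulation fails on both counts. Feeding the script your real register (exported from whatever tracks it) gives you the same view the auditor will form from the dates on your documents, well before the audit does.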
Update Documentation: Regularly update ISMS documentation (e.g., policies, procedures, risk registers, incident reports) to reflect changes in the organization, technology, or regulations.
Version Control: Ensure documents are version-controlled, and outdated versions are archived to maintain a clear audit trail.
Policy Reviews: Review security policies and procedures at least annually to ensure they remain relevant and effective.
Ongoing Security Training: Continuously train employees on information security best practices, incident reporting, and their specific roles within the ISMS.
Awareness Programs: Regularly update and conduct security awareness programs to keep employees informed of new threats, policy changes, and security protocols.
Testing and Simulations: Periodically test staff knowledge through security drills, phishing simulations, and tabletop exercises to evaluate awareness and readiness.
Review Supplier Agreements: Periodically review contracts and agreements with third-party suppliers to ensure they comply with your ISMS and maintain adequate security measures.
Supplier Audits: Conduct regular audits of suppliers and partners to assess their compliance with your security requirements and ISO 27001 standards.
Third-Party Risk Assessments: Evaluate and monitor the security risks associated with third-party access to your systems and data.
Regulatory Changes: Stay informed of changes in relevant laws and regulations (e.g., GDPR, HIPAA) and update the ISMS to ensure ongoing compliance.
Contractual Obligations: Ensure the ISMS aligns with any new contractual requirements imposed by clients or partners regarding information security.
Certification Maintenance: Ensure that your organization continues to meet the ISO 27001 requirements for certification during surveillance audits or recertification cycles.
Review Control Effectiveness: Regularly assess the effectiveness of existing security controls. This may involve reviewing incident reports, risk assessments, or audit findings to determine if controls are still appropriate.
Technological Updates: Keep the ISMS aligned with the latest technology and security tools (e.g., updates to encryption protocols, firewalls, and threat detection systems).
Continuous Improvement (PDCA Cycle): Follow the Plan-Do-Check-Act (PDCA) cycle to continuously improve the ISMS. This involves planning improvements, implementing them, monitoring results, and taking further action as needed.
Updating Security Goals: Review and adjust security objectives based on business needs, regulatory changes, and lessons learned from audits or incidents.
Alignment with Business Strategy: Ensure that security objectives remain aligned with broader business goals and risk appetite.
Surveillance Audits: After the initial certification, regular surveillance audits (usually annually) are required to ensure that the ISMS continues to meet ISO 27001 standards.
Recertification Audits: Every three years, a full recertification audit is required to renew the ISO 27001 certification. Maintenance activities ensure that the organization is always prepared for these audits.
We suggest a no-obligation discovery call to talk about your requirements and determine how we can help.
After we get a broad understanding of your needs we will run a gap analysis of your ISMS processes and ascertain whether they are being run in accordance with the requirements set out in the ISO 27001 standard and in your own documentation.
We will collate our findings and feed them back to your team with recommendations for a way forward.
Based on the outputs of the debrief session, we will define a bespoke ISMS maintenance programme. In this, we highlight ways in which we will interface with your team in order to manage your ISMS in the most efficient and effective way.
We will start by scheduling meetings with key members of your team who have an active role in ISMS operations to discuss our involvement and establish lines of communication. Then, we'll get started!
"John is a highly talented ISO 27001 professional with both deep understanding of the standard as well as the convivial character that allows it to be understood and implemented both in the business and the technical areas of his clients. During his time with me, he was my "go-to" consultant for delivery as he could rapidly understand a complex set of requirements and turn them into actionable outcomes for our clients. I have no hesitation in recommending John as he is an outstanding consultant in whom I have always had the most faith and always knew he would deliver a top rate service."
Dave Martin, (Retired) Director of Cyber, CGI - https://www.cgi.com/en
"Thanks to the work of John and his team we were successful in our ISO 27001 extension to the whole of the Firefish group. This means that we would have had nearly 5 years of successful ISO 27001 certification with InfoShelter’s help. They collaborate intimately with our team and are always available to offer assistance with both security questions and in their capacity as Data Protection Officer"
Antonia Delgado Turner, Chief Operating Officer, Firefish Group - https://firefish.ltd.uk/
"I have worked with John and the Infoshelter team for a few years now across a couple of different businesses and would wholeheartedly recommend. Approachable, flexible, explain what's needed well in non-tech terms, made our Cyber Essentials and ISO27001 processes stress free and have also helped on BCP plans, data protection advice and other areas."
Natalie Pilch, The Unlikely Saboteur - https://saboteur.studio/
"I got back in touch with John to request help with Illuminas' preparations for GDPR and an upcoming ISO 27001 re-certification audit. After knowing and working with John for a number of years the Illuminas Partners and I were confident he would be ideally placed to help us with both of these projects. We were not disappointed. John's in-depth knowledge of ISO 27001, thorough auditing skills, and strategic thinking helped us sail through our re-certification. John also became our DPO and trusted advisor on all things privacy after his pragmatic, flexible approach to helping us meet the requirements of the Regulation in full. I would have no hesitation in recommending John to any company, particularly any research agency, looking to become ISO 27001 certified."
John Connaughton, CEO Illuminas Ltd - https://www.illuminas.com/eu/