4 tips on preparing for ISO 9001,14001 and 27001 certification

Helena: 

There are both internal and external benefits. For example, certification enhances the clarity and systematics of documentation and processes. It is also a confirmation of the quality level by an independent actor, which may be used, for example, connected to internal company goals, etc. It is also an advantage and possibility in negotiations – whether the actual certification is a requirement or optional.

Annika: 

The most important thing about certifying your company against ISO 27001 is that you get a basis for your internal security work, where you map your information flow and get an insight into which security gaps exist within the company. You also enhance your company profile towards customers and can prove that you have a security mindset and that your company is working to constantly improve security.

Annika: 

The first thing is actually to understand the requirements of the standard in question. The certification process then starts with performing a GAP analysis to get a picture of what is available within the company today and what needs to be developed. Once this baseline has been identified, work begins to develop policies, guidelines, processes, etc. As that work begins to be completed, everything must be implemented in the company – the employees must be informed and trained, as well as the management. The implementation ends with an internal audit as the last step before the certification audit. Sigma Technology can assist you as a guiding resource, or we can manage projects through the entire process.

Helena: 

Yes, we will help ease the process toward certification by coaching and/or performing hands-on activities in all of these areas, including the internal audit. The actual certification revision, however, is made by an external certification organization that is accredited by the national accreditation body – that is, Swedac, in Sweden, for example.

Helena:

It very much depends on how mature the organization is! It’s fundamental to understand that the standards specify what to do, but it’s up to each organization to decide and describe how to do it – and this may be a challenge!

Annika: 

When it comes to ISO 27001, the information security management system needs to cover the entire business operation. The biggest challenge during the process may be that the company does not have enough resources to implement the management system in a fulfilling way or that they underestimate how long the work takes. The most important aspect is that the management is involved in the ongoing information security work after certification is in place.

Annika: 

When starting your work on an information security management system, it is important to try to keep the business informed of what is happening and where in the implementation process you are. Talk openly about information security with the staff to increase both awareness and understanding of the actual work that is being performed. And after you have become certified, it is important that the work continues and that you constantly strive to become even better in your security work.

Helena: 

The implementation of a management system may be hard work in the beginning – but in my experience, it also gives a deeper knowledge of the organization and serves as a possibility to identify improvements. As Annika said, it is important to inform and involve all employees during the course of the process! This will create good conditions for a management system that is well understood and used in day-to-day work. ‘Systematizing common sense’ may be one way to look at the ISO standards – they are basically common sense compiled systematically!