There are a few preparatory steps to take before looking for gaps between your ISMS (Information Security Management System) and the ISO 27001 controls. First, of course, the organization needs to have an ISMS up and running. Additionally, the documentation tied to the ISMS must be readily accessible, because documented evidence is a key part of ISO 27001 compliance. It is also important to assign roles within the company so that the pre-assessment process is effective and efficient. Ideally, a management review and an internal audit will be carried out as part of this process.
The best way to identify gaps between ISO 27001 controls and the company’s existing ISMS is to purchase a copy of the ISO 27001 standard and simply run through it like a checklist. Where is your organization already checking the boxes and where does work need to be done?
This stage should not simply be left in the hands of the quality manager or IT manager. There should be, as much as is possible, representation from leaders of multiple departments so that there is a coherent company-wide approach to ISO 27001 compliance.
Once you feel you have filled all of the gaps, your organization is ready to be audited by an ANAB-accredited certification body (like Smithers). It is advisable to have the assessment done shortly after you have completed the actions from your gap assessment. The more time passes after that work, the more likely it is that some areas will no longer be as strong as they need to be for the official audit.
If your organization is weighing the pros and cons of pursuing ISO 27001 compliance, feel free to contact us with any questions you have about the certification or the audit process. We are happy to help. Additionally, whether you are seeking assistance with a pre-assessment or an official ISO 27001 audit, we can work with you in that regard as well. Contact our experts today to learn more.