
Maintaining your ISMS

Certification is not an end in itself. There's an aftermath.

You've already achieved ISO 27001 certification after a complex, time- and energy-consuming project. You're thinking that now there's not much left to do. But that's just not true!

You've set up a system for certification, now it's time to bring it to life.

Whether you're in the process of being certified, certified or planning to become certified, having this knowledge will save you time and make the project truly profitable and relevant to your business.

What's involved in maintaining an ISMS?

Bringing your ISMS to life means taking action, monitoring and adapting to change. Organization is the key. Here's a detailed look at what maintenance involves.

You'll have internal audits, which include all the follow-up activities to the certification audit, and checks on security measures. Then there are annual or quarterly management reviews.

Next comes the document review. This consists of reviewing a number of strategic documents, especially those relating to the security policy.

Employee awareness and involvement

Raising people's awareness is very important, and is almost mandatory to keep employees committed to the security approach.

Risk analysis and declaration of applicability

Drawing up a risk analysis. This is a dynamic document which must be reviewed at least once a year. The purpose of this review is to complete the security measures in place, re-evaluate risks, update the treatment plan, add newly identified risks and new actions to deal with them, and also group together or eliminate risks that are of little importance to the organization. The idea here is really to have a manageable list of risks.

We recommend that you add risks as soon as you identify them, and not wait until the annual review to do so. Risk analysis should be a tool used as soon as a security decision is taken. It will enable you to justify the choice to the auditor, and on your side to measure the risks, define actions and monitor them in the risk treatment plan.

Review the declaration of applicability. This is a scorecard of the security measures in place. It should be updated at least once a year, and an update is recommended whenever a new measure is introduced or a new risk is identified. This document is very useful for answering customers' security questions, and if it's up to date, the work of filling in questionnaires will be more efficient.

Monitoring, controls and proof

Finally, we monitor and update security measures. Of course, not everything needs to be controlled, just what is relevant to the company. A company can change controls every year to simplify them or make them more relevant to the ISMS. Every control must have a record or proof.

We advise you to draw up a list of checks to be carried out. For example:

  • Backup restoration tests performed
  • Review of access rights to critical information systems carried out
  • Employees have followed the training/awareness plan
  • Security documents are up to date and in place: policies, charters, procedures

Don't forget to plan the time needed to carry out the checks, and to assign a person responsible...

In short, you need to be well organized!

What are the difficulties encountered in maintaining an ISMS?

Prioritizing findings. For example, some companies tend to want to do everything in the list of findings given by the auditor, or on the contrary, to delay as long as possible the implementation of corrective actions following the certification audit.

Difficulties of ownership. Here, many companies find it hard to get employees involved, and to make them really understand the importance of security.

Overly complex tools, which can cause problems. For example, with these tools it can be difficult simply to update something, because there is too much documentation linked to the subject. The sheer volume of security measures or documentation around a subject complicates the task.

Lack of anticipation, or preparing for certification at the last minute, is also problematic for the organization. This is particularly the case for companies where the management system was set up in the first year, for example, but where there was no anticipation of what was to come.

Difficulties in carrying out audits. You may end up with control activities that are not necessarily well received, or people simply don't have the time to do them. That's why you need to aim for something really realistic, and not carry out a huge number of controls and audits, but rather spread them out over your certification cycle.

Don't forget to update your risk analysis frequently.

Continuous improvement will bring your system to life and enable you to optimize your choices.

How do you organize ISMS maintenance?

Here are the most important steps to plan for.

Firstly, management. It's a question of organizing quarterly reviews to ensure that your management remains truly regular. It's also important to simplify your ISMS and your documents.

Then, when it comes to deviations, don't hesitate to prioritize them and put the others to one side, or in some cases settle them at a minimum for the auditor.

Next, think about simplifying your system. Invest in software that will not only simplify your procedures, but above all save you an enormous amount of time! We're talking about time savings of 50-80%!

These tools will enable you to move faster on security management, awareness-raising and training, instead of spending too much time reinventing solutions and tools!

Making the most of your risk analysis:

Risk analysis is a management tool at the heart of your system.

This risk analysis is the basis for determining what is included in the system, in the documents or in the security measures.

Every time you make a change, you need to check new tools, people or suppliers against this risk analysis.

In fact, you need to check whether there are impacts, risks to be eliminated, strong or weak risks. If they are low and seem derisory, group them together or remove them.

It's important to understand that risk analysis is your tool for understanding your security. It's your decision-making tool.

How to bring the declaration of applicability to life:

The declaration of applicability brings together all the security measures you have put in place. So it's not just a question of copying the standard, but of explaining the concrete security measures you've put in place, and how these measures relate to the risks.

Updating it on a regular basis will enable you to keep accurate track of progress and respond more quickly to questions from auditors or customers.

How to organize yourself to control the maintenance of your system:

Realize that you can't audit everything every year. Target the security measures you want to check. For example, if you carry out security or rights reviews, this gives you the opportunity to check that access management is working properly.

Indicators can also be a means of control.

In short, your objective is to target your controls and audits.

Document management

Documentation is often a critical point. We need to simplify it, by making documents really useful and applicable.

In addition, simplifying the document management process will depend on the way in which you have built up your documentation.

The simpler and more concrete it is, the better it will describe the measures implemented, and the easier it will be to update.

What is a management review?

The management review covers a number of topics. These include:

  • Action progress
  • Changes affecting security
  • Security incidents
  • Non-conformities and audits
  • Indicators and targets
  • Risks and actions
  • The opportunities

When we talk about a review, we mean a catch-up loop during the year to check the effectiveness of your management system.

Of course, you don't have to go through them all, but rather review them regularly by priority. Security incidents can be a great source of learning.

Automate your system

Automation is a good way to progress.

We have a solution to discover on our website: ISMS software - Feel Agile

Risk analysis covers your entire standard management system, but is above all multi-referential. This is a really important point. For example, if you wish to implement new procedures, new certifications or other requirements, these will fit in very easily.

Automation is the best solution for your SME in terms of cybersecurity monitoring, since it will automate your security management.

This ISMS management solution will really help you set up your system. First, you'll define your policies, security objectives, context and challenges. Then you'll formalize security measures, monitor awareness actions, and finally have an audit, control and review plan. Finally, you'll be able to initiate improvement actions.

It's really a service that covers the whole standard and the whole implementation of the ISMS.

Automation solutions

We recommend phishing, micro-learning and awareness solutions.

Secondly, we also have an e-learning solution we've developed for ISO 27001.

And finally, we have the Cyber War Game solution, a board game that can be used to run security awareness sessions.

Using these automation tools for your system will make your maintenance process much easier!
