
The Journey after the ISO 27001 Certification

Updated: May 4, 2023

Information security is a journey, not a destination. Many assume that passing the certification audit means the goal has been reached. But to reap the actual benefit of implementing an information security management system, the organization needs to continue the journey.

For an organization, it is very important to perform well in a certification audit, but it is just as important what it does in the period between the certification audit and the next surveillance audit.

Here are some quick guides to make the journey more successful.

  1. Continue the Journey: After the certification audit, the certification body will conduct a yearly surveillance audit. The auditors will review the last internal and external audit reports to verify that the corrective actions were carried out. The organization needs to ensure that all corrective and preventive measures are in place.

  2. Institutionalize: Institutionalize the documented policies and procedures. This takes a deliberate effort to practice what is documented. Instilling this in the culture helps the organization make information security part of its business as usual (BAU). Gone are the days when organizations only remembered their information security records at audit time. Institutionalizing the policies and procedures produces implementation records as a natural by-product of daily work.

  3. Ownership: Identify the process owners and assign them responsibility for keeping each process relevant to the organization and for making periodic improvements. Today, the aim should be simple procedures that fit the way the business actually operates.

  4. Monitor: Review the risk assessment regularly. The best practice is to use a risk assessment plan tracker. A regular risk assessment review confirms whether the existing controls are still adequate.

  5. Measurement: Measure the information security objectives. Maintain a list of security events and incidents. Regular monitoring and recording of events allows performance to be measured against those objectives. Ensure that each security event encountered has a corresponding corrective and preventive action.

  6. Identify Improvements: Periodic internal audits further strengthen the effectiveness of the information security management system. Treat them as a tool for identifying improvements rather than as a fault-finding mechanism. Conducting internal auditor training improves audit quality and helps identify new auditors within the organization.

  7. Management Responsibility: Ensure that top management is involved in the organization's information security. Conduct regular management review meetings. These meetings are the platform for top management to review audit findings, security events and similar matters, and they also provide an opportunity to examine the corrective and preventive actions.

Intertech Software Development – ISD has the software development capabilities to design and develop high-quality software applications for situational awareness and remote communication, used to monitor, verify, resolve, and manage events from remote locations. RAMsys is one of the flagship software products and was built in our Intertech Development Environment (IDE), which follows all the best management practices for software development within a certified ISO 27001 organization. All our software products are released only after a VAPT has been conducted and all its findings have been successfully addressed.
