JOnline: How to Achieve 27001 Certification: An Example of Applied Compliance Management 

Download Article

How to Achieve 27001 Certification:  An Example of Applied Compliance ManagementWith the growing risks to information, the increased use of IT in all processes and greater compliance requirements, managing information security has become a highly demanding task. The functions of security governance, management and operations need to be balanced to achieve optimal information security to enable the accomplishment of business goals.

The first chapter of How to Achieve 27001 Certification details the need for certification, as well as the goals and flow of the book. It traces the history of the standard and provides information about the International Organization for Standardization (ISO) and various security standards that assist in the plan-do-check-act (PDCA) cycle.

Chapters two through four deal with information security management systems (ISMS). They outline the foundational concepts and tools and provide detailed guidance on implementation, creating an information security policy, preparing documentation, selecting and implementing controls, managing operations and resources, and managing security incidents.

The fifth chapter provides an overview of the certification process, i.e., selecting an accreditation body, choosing a certification agency and preparing a checklist for the audit stage process. Chapter six deals with compliance management, i.e., the framework, the methodology, the tools and the metrics.

The book also includes useful appendices that provide guidance on ISMS assessment; a statement of applicability; PDCA guideline documents; policy, standard and procedure templates; a glossary; select references; and a comprehensive index.

Professionals and consultants implementing ISMS often face questions and dilemmas that need to be resolved on the job. The Useful Bits of Knowledge section provides answers to questions such as:
  • Can all types of organizations benefit from implementing ISMS?
  • Are organizations required to implement an ISMS in its entirety prior to the stage one audit?

The book is advanced but also serves the needs of intermediate users, as it is written in a systematic and easy-to-understand manner. It is primarily aimed at chief security officers (CSOs), security management professionals and managers responsible for ISMS.

How to Achieve 27001 Certification reflects the authors’ insights into designing, implementing and certifying an ISMS, and provides questions and answers that are useful for a step-by-step implementation and certification. A clear guide to ISO 27001 certification and audit, it contains sufficient, detailed documentation and will help both the novice as well as the seasoned professional meet the security, certification and compliance needs of the organization.

Editor’s Note:

How to Achieve 27001 Certification—An Example of Applied Compliance Management, is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the Journal, visit bookstore, e-mail or telephone +1.847.660.5650.

Reviewed by Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA
is an expert in software valuation, information systems security and IS audit. A renowned faculty member at several management institutes, government academies and corporate training programs, Kanhere is a member of the Sectional Committee LITD 17 on Information Security and Biometrics of the Bureau of Indian Standards. He is currently newsletter editor and academic relations, standards, and research coordinator of the ISACA Mumbai chapter; a member of the ISACA Publications Committee; honorary secretary of the Computer Society of India, Mumbai Chapter; convener of a special interest group on security; chairman of WIRC of eISA; and convener of the security committee of the IT cell of Indian Merchants’ Chamber. He can be contacted at or

ISACA Journal, formerly Information Systems Control Journal, is published by ISACA, a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors, employers or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.

Subscription Rates:
US: one year (6 issues) $75.00
All international orders: one year (6 issues) $90.00
Remittance must be made in US funds.