by Arjan Zwanenburg - Senior Security Consultant & Project Manager
| minute read

Now that digital is the new normal, information security is becoming increasingly important for every organisation. Doing nothing is no longer an option. So it’s time to get started! We recently implemented an information security management system (ISMS) for a customer who demanded compliance with ISO 27001, the global standard for information security.

The purpose of an ISMS is to better protect (confidential) information. For example, if you’re working with a standard for information security, such as ISO 27001, you have to set up an ISMS. Because our customer also required us to provide proof that we’d implemented the ISMS to that standard, we decided to go for full ISO 27001 certification.

Policies and guidelines

That decision was easy enough to make. However, the implementation of an ISMS within a consortium that has teams working in different locations and even different countries wasn’t that straightforward. A first attempt failed due to a lack of experience in how to establish a solid policy base and guidelines that cover all the technical, functional, and organisational requirements. These not only had to cover risk mitigation but also the management of all legal and contractual requirements. On top of that, you had to be able to measure it all.

Our second attempt started with setting up an overview of all the legal, contractual, and ISO standard requirements, an exhaustive risk analysis, and a set of policies to develop. We divided the policies into four sections: requirements, policy statements, process descriptions, and governance. We based the policies on our customer’s current way of working and made improvements to meet the requirements of the policy.

When a policy is applied to an operational process, new issues inevitably arise. That’s why implementing those policies, adjusting our customer’s way of working, collecting and logging the evidence took several months. We then reintroduced or finetuned the existing processes and made sure the evidence could be collected in a secure manner.


The internal audit, executed by our independent audit team in France, revealed some major and minor anomalies. We needed to resolve these before we could go to the accredited ISO 27001 auditor.

That external audit was split into two phases: the documentary audit phase and the on-site verification audit phase. In the first phase, the auditor checks whether the ISMS is properly documented, that the compliance requirements can be met, and that the organisation is ready for certification. Then we had two months to deal with the remaining issues noted in the documentary phase.

The on-site verification audit took place over 35 sessions and involved about 15 participants. These sessions were held across seven days at three locations in three different countries. The auditor interviewed the participants and requested evidence of compliance with our policies and processes. This demanded a clear understanding of the scope of the environment, the risks that might impact the environment, and the mitigations in place to provide the required level of control from the ISMS.

A rewarding journey

After a lot of team effort, we managed to deliver an information security management system that is now ready for certification, with only two areas left for improvement. Looking back, we’ve learned a great deal on this journey and achieved a rewarding result, thanks to everyone who set up, implemented, and maintained the ISMS and everyone who took part in the audit sessions and helped to clarify things to the auditor.

Do you have questions about ISMS and ISO 27001? Or would you like to share your own experiences with ISMS implementation? We’d love to hear from you.