Are you ready for ISO 27001 Certification?
For many businesses, getting ISO 27001 certified is demanded by customers, stakeholders, and even regulators.
But how do you know when your business is ready? Take our assessment below to get an indication of whether or not you are ready to approach certification.
Join over 1,500 companies who have their compliance firmly under control.
ISO 27001 Readiness Assessment
How ready are you for ISO 27001 certification? Use this assessment to get an estimate. Simply answer this short series of questions, giving honest answers about your current activities. This will give you an indication of whether or not your business is ready for certification.
Legal notice: Your answers and your final result in this assessment are not stored by our system, and they are not passed on to our team if you fill out a contact form. They are completely private to you. This assessment is designed only to give an estimate of your readiness for ISO 27001 certification.
Is your management team aware of the need to protect information?
Is there awareness of exposure to risks? Is there awareness that IT security and information security overlap, but are not simply the same thing?
Do you have a list of all the information you are protecting?
Examples include information stored in cloud services (Office, G-Suite), or inside tools like Salesforce, Pipedrive, Workday, Cognos and Slack. It also includes prototyping tools like Figma and Miro, or any other cloud-based tool or platform that your team uses. It should also include information on servers, information that resides with subcontractors/suppliers, information received from customers, etc.
For each piece of information you are protecting, do you know where it is stored or located?
Are you aware of the risks the information is exposed to?
This includes natural/physical risks, technical risks, legal risks, contractual risks, compliance risks, and financial risks.
Are you aware of the impact that an information incident, breach, or attack might have on your business?
The impact may be a tangible financial one. For example, if confidentiality is breached, if information stops being available (server crash, cloud service unavailable), or if information can no longer be trusted (somebody might have forged it), what is the potential damage to your business?
Do you know how to mitigate the risks?
For example: are you aware of measures to protect data while it is held in a cloud system? Of the insurance options available? Of how to keep the business running if services become unavailable?
Are you training your team to be aware of the need to protect information?
Can you confidently say that your team members know what to do if information is breached, lost, or stops being available?
Do you know everyone who is entering and exiting your office or workplace?
Examples: Can anybody walk into the office without being challenged? Is it accepted practice that the smokers among your team leave the door permanently open? For those working from home, is your hardware protected from visitors and children?
Do you know everyone who has access to the information you are protecting?
Do you manage access to computers, services, and physical facilities? Do you know how suppliers and/or vendors handle your data?
How sure are you that your partners, vendors and suppliers protect your information adequately?
Have you ever visited a key supplier? Do you have contracts or agreements in place with them?
Will you recognise an incident, breach, or attack?
When Yahoo! reported its large password breach in September 2016, the breach itself had occurred sometime in late 2014 and affected over 500 million Yahoo! user accounts. Would you be faster?
Are you using the right preventative measures, tools or platforms to protect your information against incidents, breaches, or attacks?
The basics include firewalls and anti-virus tools. If you run a web platform, have you run a penetration test? Have you done so recently? How do you make your developers aware of security advisories affecting the open-source libraries they use?
Have you tested your playbook for recovery from an incident, breach, or attack that does happen?
Do you know which compliance requirements you may need to fulfil?
Data protection laws are a clear example, but you should also consider other applicable laws: for example, intellectual property law and the licences of the software you use, security-related laws that apply in one country but differ in another, and many more.
It seems your business still has a lot of work to do if you want to certify. Remember, external auditors will fail you instantly if your business is unprepared.
It looks like your business is on the right track, but you still have a lot of work to do if you want to certify.
Well done! You're almost at the finish line. It looks like your business could soon be ready for ISO 27001 certification.
If you want more information about ISO 27001 certification, download our free ISO 27001 implementation roadmap. This six-step guide helps you prepare for certification, guiding you through the process and outlining the deliverables at each step.