Addressing ISO 27001 compliance and certification
ISO 27001 uses a top-down, risk-based approach. Earning certification in this standard is not based on adhering to a set of predetermined rules. Instead, an organisation is certified based on a set of controls that are specific to its risks. These controls comprise the company’s Statement of Applicability, a document that ISO auditors use to certify against.
ISO 27001 certification is not a checkbox list of requirements. It’s an ongoing process of cataloging risks, assessing the severity of risks, applying controls, planning for remediation, and providing evidence that an organization is performing the tasks it identified as important to its risk management. The certification also requires organisations continually improve their operations from a risk-based perspective.