July 08, 2012, 6:44 PM — The first step toward ISO 27001 (even before blowing your budget on the PDFs) is to establish and heartily commit to the reasons you're pursuing certification. It's going to take a lot of man hours, potentially ruffle a lot of feathers within your organization, and cost you, depending on the size and complexity of your company, likely tens of thousands of dollars -- more if you hire consultants to help with the effort. If you can't explain in your sleep why it's something you need to do, you won't get the buy-in you need from upper management, nor the support you need from the staff who will end up following a more complicated set of procedures. Without both, you will not succeed.
Will being certified help you gain or retain customers? Will it make your products or your production environment more secure? Will it help you discover and assess risks you might not have previously considered? Will it ensure that your technical staff follows best practice with respect to system security? Will it ultimately make you more secure? Whatever the reasons, you need to be able to express them simply and convincingly.
Of course, this all means that you will have to gain clear insights into what the standard is about. Fortunately, you can get some high-level information on the ISO 27001 standard from this introduction and a useful flow chart of the certification process here. There are also a number of, albeit overpriced, books available that can give you insights into what to expect.
Before you start spending a lot of money or strong-arming your compatriots at work to support the cause, you need to make sure that upper management backs you unwaveringly. Endorsement from the highest levels in your organization is going to be critical if you're going to reach certification. It's the only way that you're going to overcome the resistance you'll inevitably get from all the hard working people in your organization who will predictably feel that the extra procedures the standard imposes on them are going to make it impossible for them to meet their already threatened production deadlines. You need to reassure them that the extra effort is going to pay off for the organization and for them.
At this point, you will also need to figure out who will be leading your certification efforts. If you can gather a team of people who represent different parts of the organization, you will more likely avoid "NIH" (not invented here) resistance from groups who feel they have no say in how the new ways of managing security are being defined.