As with many projects, the hardest part of implementing ISO 27001 tends to be knowing where to begin.
The Standard, which describes best practice for an ISMS (information security management system ISMS), explains the requirements you need to meet, but it doesn’t show you how to implement them.
In this blog, we explain in nine steps exactly what you need to do to implement ISO 27001.
1. Assemble an ISO 27001 implementation team
The implementation project should begin by appointing a project leader, who will work with other members of staff to create a project mandate. This is essentially a set of answers to these questions:
- What are we hoping to achieve?
- How long will it take?
- What will it cost?
- Does it have management support?
2. Develop the ISO 27001 implementation plan
The next step is to use your project mandate to create a more detailed outline of your information security objectives, plan and risk register.
This includes setting out high-level policies for the ISMS that establish:
- Roles and responsibilities;
- Rules for its continual improvement; and
- How to raise awareness of the project through internal and external communication.
Find out more about each of these steps by downloading Implementing an ISMS – The nine-step approach.
This free guide shows you exactly what you need to do to meet ISO 27001’s requirements, highlighting the challenges you’ll face and how you can overcome them.
By following our nine-step approach, you’ll save time and money during your implementation project and ensure that you’ve adequately addressed your information security concerns.
3. ISMS initiation
Now it’s time to adopt a methodology for implementing the ISMS. The Standard recognises that a “process approach” to continual improvement is the most effective model for managing information security.
However, it doesn’t specify a particular methodology, and instead allows organisations to use whatever method they choose, or to continue with a model they already have in place.
Part of this process involves developing the rest of your document structure. We recommend using a four-tier strategy:
- Policies at the top, defining the organisation’s position on specific issues, such as acceptable use and password management.
- Procedures to enact the policies’ requirements.
- Work instructions describing how employees should meet those policies.
- Records tracking the procedures and work instructions
4. Management framework
At this stage, you need to gain a broader understanding of the ISMS’s framework. The process for doing this is outlined in clauses 4 and 5 of the ISO 27001 standard.
The most important part of this process is defining the scope of your ISMS – i.e. which parts of your organisation you’ll be protecting. Creating an appropriate scope is an essential part of your ISMS implementation project.
If your scope is too small, then you leave information exposed, jeopardising the security of your organisation, but if it’s too large, your ISMS will become too complex to manage.
5. Baseline security controls
An organisation’s security baseline is the minimum level of activity required to conduct business securely.
You should define your security baseline using the information collected during your ISO 27001 risk assessment.
6. Risk management
Risk management is a core part of any ISMS. After all, it’s no good identifying and prioritising information security threats if you’re unable to deal with them effectively.
This stage isn’t about managing risks themselves but establishing how you’ll approach the task. There are several ways you can do this, but most methods involve looking at risks to specific assets or risks presented in specific scenarios.
However you go about the task, the risk assessment process is crucial. After identifying, evaluating and assigning values to your threats, you’ll know which risks pose the biggest problem.
You should take those and determine whether to:
- Treat the risk by applying information security controls laid out in ISO 27001
- Terminate the risk by avoiding it entirely
- Share the risk (with an insurance policy or via an agreement with other parties)
- Accept the risk (if it doesn’t pose a significant threat)
Any risks that you treat should be documented in an SoA (Statement of Applicability). This should explain which of the Standard’s controls you’ve selected and omitted and why you made those choices.
7. Implement the risk treatment plan
Now it’s time to implement your risk treatment plan. To ensure these controls are effective, you will need to check that staff are able to operate or interact with the controls, and that they are aware of their information security obligations.
You will also need to develop a process to determine, review and maintain the competences necessary to achieve your ISMS objectives.
This involves conducting a needs analysis and defining a desired level of competence.
8. Measure, monitor and review
You won’t be able to tell if your ISMS is working or not unless you review it. We recommend doing this at least annually, so that you can keep track of the way risks evolve and identify new threats.
The main objective of the review process is to see whether your ISMS is in fact preventing security incidents, but the process is more nuanced than that.
You should be comparing its output to the objectives you laid out in the project mandate – i.e. what you hoped to achieve. These can be measured quantitatively and qualitatively.
Quantitative assessments are useful for measuring things that involve financial costs or time, whereas qualitative assessments are better suited for objectives that are hard to define, like your employees’ satisfaction with new processes, for example.
Once the ISMS is in place, organisations should consider seeking certification from an accredited certification body.
This proves to stakeholders that the ISMS is effective and that the organisation understands the importance of information security.
The certification process will involve a review of the organisation’s management system documentation to check that the appropriate controls have been implemented. The certification body will also conduct a site audit to test the procedures in practice.
Get ISO 27001 certified with IT Governance
If you’re looking for help implementing the Standard’s requirements, we are here to help.
IT Governance offers a range of ISO 27001 consultancy services, so whether you’re looking for guidance on specific issues – such as the gap analysis or internal audit – or would like an expert to manage the process, we have the solution for you.
A version of this blog was originally published on 23 June 2020.