ISO 27001 is one of the most widely adopted information security standards in the world, specifying the requirements for an ISMS (information security management system).
The Standard provides a systematic approach to information security, showing how processes, technology and people can be combined to protect your organisation’s sensitive information.
Organisations that implement an ISMS are better placed to prevent, detect and respond to cyber attacks and other security incidents, and are better equipped to keep pace with an evolving regulatory landscape.
How ISO 27001 implementation works
There are nine steps to implementing an ISMS:
1. Create a project mandate
The implementation project should begin by appointing a project leader, who will work with other members of staff to create an initial plan. The mandate should also record senior management’s commitment, because ISO 27001 requires top management to demonstrate leadership and to provide the resources the ISMS needs; without that backing the project tends to stall once it reaches the risk treatment stage.
2. Initiate the project
Organisations should use their project mandate to build a more defined structure that goes into specific details about information security objectives and the project’s team, plan and risk register.
3. Adopt a methodology for the ISMS
ISO 27001 is built around a “process approach” to continual improvement (plan, implement, monitor, improve) as the most effective model for managing information security.
However, it doesn’t mandate a particular methodology, instead allowing organisations to use whatever method they choose, or to continue with a model they already have in place.
4. Create a management framework
This begins by defining the scope of the ISMS, which depends on the organisation’s context. The scope must cover every location, person and system that handles the information in question, including your offices, employees’ mobile devices and teleworkers, and it should state its boundaries and its interfaces with and dependencies on third parties explicitly, because anything left outside the scope is not protected by the ISMS and is not covered by the certificate.
5. Identify baseline security criteria
These are the legal, regulatory, contractual and business requirements your organisation must meet, and the corresponding measures or controls that are necessary to conduct business.
6. Create a risk management process
ISO 27001 gives organisations wide latitude to define their own risk assessment and treatment process, provided it uses documented criteria for assessing and accepting risk and produces consistent, valid and comparable results when repeated.
Common methods focus either on risks to specific assets (asset-based) or on risks presented in specific scenarios (scenario-based). There are pros and cons to each, and some organisations will be much better suited to one method than another.
7. Create a risk treatment plan
This is the process of selecting risk treatment options and the security controls that will protect your organisation’s information assets, and recording the outcome in a risk treatment plan and a Statement of Applicability (SoA). The SoA lists every Annex A control, states whether it is applied and justifies any exclusion; certification auditors check it against the risk assessment.
To ensure these controls are effective, you will need to check that staff are able to operate or interact with the controls, and that they are aware of their information security obligations.
8. Measure, monitor and review the results
For an ISMS to be useful, it must meet its information security objectives, so organisations need to measure, monitor and review the system’s performance.
This involves defining metrics or other methods of gauging how effectively the controls have been implemented, and feeding the results into the internal audits and management reviews that ISO 27001 requires at planned intervals.
9. Seek certification
Once the ISMS is in place, organisations can seek certification from an accredited certification body.
The certification audit is conducted in two stages, a review of the ISMS documentation followed by an assessment of how the ISMS operates in practice, and a successful audit demonstrates to customers, regulators and partners that the ISMS meets the requirements of ISO 27001. Certificates are typically valid for three years, subject to annual surveillance audits.

Find out more about implementing an ISMS by downloading our free green paper: Cyber Security and ISO 27001 – Reducing your cyber risk.
You’ll learn more about the threat landscape, how ISO 27001 helps protect your organisation and why so many organisations have decided to adopt its framework.
How you can get started
If you’re considering adopting ISO 27001, our fully accredited practitioner-led courses can help start your organisation on the right track.
We offer classroom and online training across a range of options, delivered by experts and updated in line with the latest version of ISO 27001, which was released in October 2022.

If you’re just starting out on your career, the Certified ISO 27001 ISMS Foundation training course provides an ideal introduction to the Standard.
The course was developed by the team that led the world’s first ISO 27001 certification project, and we’ve since helped more than 7,000 people around the world gain professional ISO 27001 qualifications.
A version of this blog was originally published on 8 April 2019.