How to implement an ISMS aligned with ISO 27001

The rise of cyber attacks and data privacy concerns has information security a top priority for organisations. Many have chosen to mitigate the risk by implementing an ISMS (information security management system). 

An ISMS is a system of processes, documents, technology and people that helps organisations manage, monitor and improve their information security in one place. 

ISO 27001 is the international standard that describes best practice for an ISMS. 

Creating an ISO 27001-compliant ISMS is a big task, but the benefits it provides makes it an essential project. In this blog, we explain what that task involves in nine simple steps.


1. Create a project mandate

The implementation project should begin by appointing a project leader, who will work with other members of staff to create a project mandate. This is essentially a set of answers to these questions: 

  • What are we hoping to achieve? 
  • How long will it take? 
  • What will it cost? 
  • Does it have management support? 


2. Initiation of the project 

Organisations should use their project mandate to build a more defined structure that goes into specific details about information security objectives and the project’s team, plan and risk register. 


3. Adopt a methodology for the ISMS

The next step is to adopt a methodology for implementing the ISMS. ISO 27001 recognises that a “process approach” to continual improvement is the most effective model for managing information security. However, it doesn’t specify a particular methodology, and instead allows organisations to use whatever method they choose, or to continue with a model they already have in place.


4. Create a management framework

At this stage, the ISMS will need a broader sense of the actual framework. Part of this involves identifying the scope of the system – i.e. determining which parts of your organisation is covered by the ISMS. 

You should ensure that any part of your organisation that holds sensitive information is covered in your system. However, you need to be equally careful that the ISMS isn’t too large, as this will make it prohibitively expensive and time-consuming to maintain. 

There are three steps to correctly scoping your ISMS: 

  1. Identify every location where sensitive information is scored; 
  2. Determine the ways in which that information can be accessed; 
  3. Define which parts of your organisation are out of scope.


5. Identify baseline security criteria

Organisations should identify their core security needs. These are the requirements and corresponding measures or controls that are necessary to conduct business. 


6. Develop a risk management process 

ISO 27001 allows organisations to broadly define their own risk management processes. Common methods focus on looking at risks to specific assets or risks presented in specific scenarios. There are pros and cons to each, and some organisations will be much better suited to one method than the other. 

There are five important aspects of an ISO 27001 risk assessment: 

  1. Establishing a risk assessment framework 
  2. Identifying risks 
  3. Analysing risks 
  4. Evaluating risks 
  5. Selecting risk management options 


7. Create a risk treatment plan

This is the process of building the security controls that will protect your organisation’s information assets. To ensure these controls are effective, you will need to check that staff are able to operate or interact with the controls, and that they are aware of their information security obligations. 

You will also need to develop a process to determine, review and maintain the competences necessary to achieve your ISMS objectives. This involves conducting a needs analysis and defining a desired level of competence. 


8. Measure, monitor and review the results

For an ISMS to be useful, it must meet its information security objectives. Organisations need to measure, monitor and review the system’s performance. This will involve identifying metrics or other methods of gauging the effectiveness and implementation of the controls. 


9. Achieve certification

Once the ISMS is in place, organisations should seek certification from an accredited certification body. This proves to stakeholders that the ISMS is effective and that the organisation understands the importance of information security. 

The certification process will involve a review of the organisation’s management system documentation to check that the appropriate controls have been implemented. The certification body will also conduct a site audit to test the procedures in practice. 


Become an ISO 27001 expert 

ISO 27001 Expertise BundleYou can learn more about implementing an ISMS with our ISO 27001 Expertise Bundle. 

This collection of books gives you a comprehensive understanding of ISO 27001 and provides guidance on the steps to take once you have gained project approval. 

The bundle includes: 

  • A guide for presenting the compelling business case for ISO 27001 investment; 
  • A pocket guide to understand the possible breach scenarios your organisation could face and the true costs involved; 
  • An indispensable book to equip you with the sales skills you need to persuade the board to invest in information security; and 
  • An expert guide to help you get to grips with the Standard and make your ISO 27001 implementation project a success. 

A version of this blog was originally published on 29 June 2018. 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.