Information security is a top priority for all organisations nowadays. Data breaches are occurring in record numbers as cyber criminals look to make a quick profit by compromising databases and selling the information online.
Meanwhile, organisations are doing themselves no favours, with one report estimating that 95% of security incidents involve human error.
It’s no surprise, then, to learn that many organisations are turning to ISO 27001. It’s the international standard that describes best practices for implementing an ISMS (information security management system), providing a framework for protecting information in all its forms.
The implementation project can be complex, and there’s a lot that you need to know before getting started. In this blog, we break down three things you should understand to ensure that your ISMS is a success.
1. The value of risk assessments
In many cases, risk assessments are perceived as a tick-box exercise to demonstrate that you have a basic understanding of the challenges that await.
But that couldn’t be further from the truth with ISO 27001. The risk assessment is the foundation on which your ISMS is built.
The goal of the implementation project is to adopt appropriate security controls to deal with security risks, but you’ll soon learn that there are too many risks for you to address them all.
As such, you need to identify which ones pose the biggest problem, which ones can be ignored and how best to manage them all.
To do this, you must first create a complete list of risks that your organisation faces. You must then assign each one a score based on how likely it is to occur and the damage it will cause if it does occur.
The scenarios with the highest scores should be prioritised, with the most attention given to the ISO 27001 controls that address the relevant issues.
The Standard provides a list of measures that can help, and it’s up to you to determine which ones to implement. As such, if there are no risks that justify the use of a certain control, you don’t need to implement it.
2. The difference between a risk assessment and a gap analysis
The risk assessment isn’t the only time you need to review your information security practices. To implement an ISO 27001-compliant ISMS, you must also perform a gap analysis.
An ISO 27001 gap analysis gives organisations an overview of the progress they have made in implementing each of the Standard’s controls.
Fortunately, gap analyses only need to be performed when developing a Statement of Applicability, which means you don’t need to analyse the clauses contained in the main part of the Standard, only those in Annex A.
The process can be a simple checklist exercise, with each unchecked requirement forming a gap that might need to be addressed (not all clauses need to be implemented).
Alternatively, you could choose a more granular set of criteria than simply implemented or not implemented. For example, you could assess whether:
- There is no plan to implement the requirement;
- There is a plan but it hasn’t been implemented;
- The requirement has been partially met;
- The requirement has been met but hasn’t been reviewed;
- The requirement has been met and is regularly reviewed.
A risk assessment helps organisations understand which of ISO 27001’s controls need to be addressed. However, it doesn’t factor in whether those controls have already been implemented, which is why a gap analysis must also be conducted.
A gap analysis shows organisations which of ISO 27001’s controls are already in place, and in some cases provides additional information about their progress in meeting the Standard’s requirements.
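The relationship between the two assessments described in sections 1 and 2 can be made concrete in code. The following is an added example, not part of the original post or of any IT Governance tool: it scores constructed sample risks as likelihood × impact, keeps those above a treatment threshold, and then uses the five gap analysis levels listed above to report only the controls that a risk justifies and that are not yet fully in place. The risk names, control IDs and statuses are constructed placeholders, not Annex A identifiers.

```python
from dataclasses import dataclass

# Gap analysis maturity levels, lowest to highest (the five criteria from the post).
GAP_LEVELS = ["no plan", "planned", "partially met", "met", "met and reviewed"]

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: tuple  # hypothetical control IDs that would treat this risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def prioritise_risks(risks, threshold):
    """Risks that score at or above the treatment threshold, highest first."""
    return sorted((r for r in risks if r.score >= threshold),
                  key=lambda r: r.score, reverse=True)

def controls_needing_work(risks, gap_status, threshold, target="met and reviewed"):
    """Combine both assessments: a control deserves effort only when a risk
    above the threshold justifies it AND the gap analysis places it below
    the target level. Returns {control_id: (highest justifying score, status)}."""
    target_idx = GAP_LEVELS.index(target)
    result = {}
    for risk in prioritise_risks(risks, threshold):  # highest score first
        for ctrl in risk.controls:
            status = gap_status.get(ctrl, "no plan")  # unlisted control: nothing in place
            if GAP_LEVELS.index(status) < target_idx and ctrl not in result:
                result[ctrl] = (risk.score, status)
    return result

# Constructed sample register and gap status; the control IDs are placeholders,
# not Annex A identifiers.
SAMPLE_RISKS = [
    Risk("Phishing leads to credential theft", 5, 4, ("CTRL-AWARENESS", "CTRL-MFA")),
    Risk("Lost unencrypted laptop", 3, 4, ("CTRL-DISK-ENCRYPTION",)),
    Risk("Office flooding destroys paper records", 1, 2, ("CTRL-PHYSICAL",)),
]
SAMPLE_GAPS = {"CTRL-AWARENESS": "met and reviewed", "CTRL-MFA": "partially met",
               "CTRL-DISK-ENCRYPTION": "planned"}

if __name__ == "__main__":
    for ctrl, (score, status) in controls_needing_work(SAMPLE_RISKS, SAMPLE_GAPS, 8).items():
        print(f"{ctrl}: justified by risk score {score}, currently '{status}'")
```

With the sample data, the awareness control drops out because it is already met and reviewed, and the physical control drops out because the flooding risk scores below the threshold, leaving MFA and disk encryption as the work that both assessments agree on.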
3. Documenting your practices is essential
You can prepare as much as you like for your ISMS with risk assessments and gap analyses, but that effort will be in vain if you don’t properly document your actions. This is where your findings are codified, helping you to make sense of your assessments and how best to proceed.
The documentation stage is often the most time-consuming part of the whole project, and can take up to a year to complete.
Part of the issue is that ISO 27001 doesn’t contain specific guidance on what the documentation should look like – the reason being that there isn’t one single solution that’s best for everyone.
The steps you take, and the end product, should be based on your organisation’s specific requirements. It could require some level of trial and error to find out how best to design the ISMS.
You might also wish to bring in external expertise in the form of information security consultants. They can review your operations and help you decide the best way to proceed. Although this approach will reduce the risk that your ISMS will fail to meet ISO 27001’s compliance requirements, it’s also expensive.
As an alternative, you could purchase documentation toolkits. These are templates designed by experts that outline all the written information you need to comply with ISO 27001. All you need to do is customise the documents to meet your organisation’s needs.

You can find out more about this process with IT Governance’s ISO 27001 Toolkit.
It contains more than 140 customisable ISO 27001 documentation templates, including policies, procedures, work instructions and records.
The toolkit also comes with tools to help you complete the gap assessment, Statement of Applicability and roles and responsibilities matrix, as well as our Implementation Manager tool and two staff awareness e-learning licences.