Depending on your starting point, implementing an ISO-2700-compliant Information Security Management System (ISMS) can be a challenge.
But, if you need to demonstrate, to customers and/or regulators, that you have control of your information security, ISO 27001 is definitely worth the effort.
If you’re just getting started planning an ISO 27001 implementation, check out this 10 step checklist to help you on the journey.
1. Get the team together
Step one is to appoint a Project Leader to head-up the implementation of the ISMS. This person should have a well-rounded knowledge of information security as well as the authority to lead the team and worth with managers throughout the business.
The Project Leader will then need to work with Senior Management to assemble the project team. All key areas of the business will need to be represented, including Technical, Operations, HR and Finance.
2. Project Initiation
Once the team is assembled, their first task is to establish and document the high-level objectives for the project. The objectives should answer the following questions:-
- What are the benefits of having an ISO 27001 compliant ISMS
- What do we want to achieve?
- How long will it take?
- How much will it cost?
- Does the project have the support of top management?
3. Define the ISMS scope
Defining your scope correctly is an essential part of your ISMS implementation project. It is crucial in defining the scale of your ISMS and the reach it will have in your day-to-day operations.
It is important that you identify everything that’s relevant to your organisation so that the ISMS can meet your organisation’s needs.
It involves identifying the locations where information is stored, whether that’s physical or digital files, cloud systems or storage devices.
If the ISMS scope is too small, you may leave information exposed, endangering the security of those information assets. If the scope is too large, the ISMS will become too complex to manage and you may be trying to take responsibility for information that is outside your control.
4. Create the implementation plan
Now, you need to start planning the detailed steps to take you from where you are now to a fully implemented and compliant ISMS.
The implementation team will break down the high-level objectives into the detailed steps necessary to achieve them. The project plan can then be reviewed by the team and the project risks assessed and added to a project risk register.
5. Establish a risk management process
Risk management the core competency for any organisation implementing ISO 27001. Almost every aspect of your security posture is based around the response to threats you’ve identified and prioritised.
The Standard allows organisations to define their own risk management processes. Common methods focus on looking at risks to specific assets or risks presented in different scenarios.
Whichever process you opt for, your decisions should be the result of a risk assessment. A typical process is:-
- Establish a risk assessment framework
- Identify risks
- Analyse and Evaluate risks
- Select risk management options
The process should also include your risk acceptance criteria, according to the impact that threats may have and the likelihood of that impact occurring.
Risks are often quantified by scoring impact and likelihood on a risk matrix but qualitative methods are also valid depending on the organisational requirements. A threshold is set for the point at which a risk must be addressed.
6. Implement a risk treatment plan
The implementation of the risk treatment plan is the process of building the security controls that will protect your organisation’s information assets.
Typically, there are four approaches you can take when addressing a risk:
- Tolerate the risk
- Treat the risk by applying controls
- Terminate the risk by avoiding it entirely
- Transfer the risk (insurance or outsourcing)
ISO 27001 also requires organisations to complete a Statement of Applicability (SoA), which documents which of the standard’s Annex A controls you’ve selected and omitted and why you made those choices.
You’ll also need to develop a process to determine, review and maintain the competences necessary to achieve your ISMS objectives.
This involves conducting a needs analysis and defining a desired level of competence.
7. Policies and Processes
Most people think of an ISMS as the policies and procedures that guide business activities in relation to security.
There is no fixed set of policies for ISO 27001. However, they will need to include the following elements.
- Roles and responsibilities.
- Rules for its continual improvement.
- How to raise awareness of Information Security through internal and external communication.
The top-level ISMS Policy doesn’t need to be detailed; it just needs to outline what your ISMS seeks to achieve and how it does it. Once it’s completed, it should be approved by top management.
At this point, you can develop the rest of your document structure. A common approach is the following three-tier structure.
- Policies, defining the organisation’s position on specific issues, such as acceptable use and password management.
- Procedures to enact the policies’ requirements.
- Records tracking the procedures and compliance with policies
You will also need to determine which continual improvement methodology to use. ISO 27001 doesn’t specify a particular method, but recommends a “process approach”. This is essentially a Plan-Do-Check-Act strategy on which all ISO management system standards are based.
You can use any model as long as it is clearly defined, documented, and reviewed and improved on a regular basis. It could be included in the ISMS policy document.
8. Carry out awareness training
Awareness training should be planned and delivered to all in-scope business areas. The training should cover:-
- General Information security terms
- The type/classification of information that the organisation wishes to protect
- The kind of threats from which the organisation is trying to protect itself
- Which policies and procedures are relevant to which business areas and where to find them
- How to identify and report incidents or new risks
- Who to go to with questions about information security
Awareness training should be refreshed periodically. It is typically done annually.
9. Measure, monitor and review
You won’t be able to tell if your ISMS is working or not unless you check and review it. All areas of the ISMS should review at least annually, so that you can keep a close eye on its effectiveness.
Qualitative reviews are probably more common, but you may want to apply quantitative analysis to some areas of the ISMS where it makes sense. Checking whether security incidents are going up or down or detailing the number of staff who are up to date with training requirements, are typical examples of this.
In addition to general monitoring, you should conduct regular internal audits of your ISMS. The Standard doesn’t specify how you should carry out an internal audit, but your audit schedule should cover all clauses of the standard and all in-scope areas of the business.
The results of your internal audit feed into the Management Review, which is part of the continual improvement process.
10. Certifying your ISMS
Once the ISMS is in place, you may wish to seek certification, in which case you need to prepare for an external audit.
Certification audits are conducted in two stages. Stage 1 determines whether the organisation’s ISMS has been developed in line with ISO 27001’s requirements. If the auditor is satisfied, they will schedule a more detailed Stage 2 assessment which will audit your performance against your compliant ISMS.
You should be confident in your ability to certify before proceeding. The process can be time-consuming, and you’ll still be charged for the audit whether you pass or fail.
Certification audit finding are normally categorised into Major Non-conformities, Minor-nonconformities and Opportunities for Improvement.
A Major Non-conformity means that the ISMS is not compliant with part of the standard so something is missing and the certification body will not issue a certificate until it is fixed.
A Minor Non-conformity normally means that the ISMS is compliant with the standard but not being put into practice. The certification body may issue a certificate based on receiving a remediation plan, which will be checked during the annual review.
An Opportunity for Improvement, is suggestion for how something could perhaps be done more effectively and will not prevent certification.
There are plenty of certification bodies to choose from, but (in the UK) if you want your certificate to have credibility, you should choose a UKAS accredited certification body. You may also wish to consider whether the reviewer has experience in your industry.
I hope that you have found the above guide useful and I wish you luck with your ISO 27001 Implementation and certification project.