Implementing ISO 27001
Related links: ISO 27000 standards | ISO 27001 books | ISO 27001 training | ISO 27001 toolkits | ISO 27001 consultancy | ISO 27001 solutions | Complete ISO 27001 catalogue
This page provides comprehensive information on implementing an information security management system (ISMS) based on the international best-practice standard ISO/IEC 27001, and details resources to smooth the path to implementation. Our global ISO27001 implementation solutions enable organisations of any size, sector or location to implement an ISMS at a pace and budget appropriate to their needs and project approach.
On this page
Implementing an Information Security Management System (ISMS) based on the best-practice specifications of the international information security management Standard ISO 27001 is a complex undertaking that will involve the whole organisation.
Whether you’re implementing ISO 27001 solely for your own business efficiency or you intend to attain accredited certification, it can be difficult to know how the Standard’s specifications should be applied to your organisation’s particular circumstances. If you fail to understand or comply with a particular requirement of the Standard, it could jeopardise your implementation project, which in turn could mean you fail the certification audit. It is therefore essential to make sure you use the best resources your budget allows.
The best starting point for any individual or organisation interested in ISO 27001 is the Standard itself.
A typical ISO 27001 implementation project
An ISMS is specific to the organisation that implements it so no two ISO 27001 projects are the same, and it can take anything from three months to a year from scoping to certification, depending on numerous factors specific to the organisation. (IT Governance’s FastTrack consultancy, for example, guarantees certification for small businesses in three months.)
This is why IT Governance has created a series of packaged ISO 27001 implementation solutions to suit organisations or all sizes, types, or global locations. Click here for more information >>
Although there is no typical ISO 27001 implementation project, most will follow this pattern, or something very similar:
A gap analysis, which determines how far short of its requirements your current processes fall.
Determination of the organisational context and interested parties to define the exact scope of the project and the objectives for information security.
A risk assessment, which identifies the risks and/ or assets and conducts a risk estimation and evaluation of those risks.
The identification and selection of appropriate controls in order to develop an appropriate risk response plan.
Preparation of a Risk Treatment Plan and a Statement of Applicability, which shows the controls that have been selected and the reason for their selection, and those that have not been selected and the justification for their exclusion.
Development of Management System documentation, including relevant policies and procedures.
Assessment of staff competence, in addition to training and awareness requirements, followed by any training, if required.
Performance evaluation and preparation for an internal audit, which determines the extent to which your new procedures are successful.
Implementation of a management review process.
Development of relevant documented processes and related procedures for non-conformity, corrective action and continual improvement.
Preparation for the certification audit.
Surveillance, continual improvement and maintenance of your ISMS.
You should then be ready for the certification audit itself, which should be carried out by an accredited third party certification body.
Why you should only use accredited certification bodies
It is vital to ensure that the certification body you use is properly accredited by a recognised national accreditation body which is a member of the IAF, such as UKAS (United Kingdom Accreditation Service).
The IAF website carries a full list of recognised national accreditation bodies by country, from which it is easy to identify whether or not a particular organisation has been officially accredited. If you can’t find an accreditation organisation on this list, you can safely assume that it is not an officially recognised accreditation body and that any 'certificates' issued under its aegis will have no official standing in any country in the world.
Any organisation that claims to be an accredited certification body will be able to show you a current copy of its certificate of compliance with ISO/IEC 17021:2011, the international Standard that sets out the requirements for bodies providing audit and certification of management systems.
The certification process
The certification body will first review your documentation (including the scope of the ISMS, risk assessment and treatment documents, and Statement of Applicability) and check that you have implemented appropriate controls from Annex A. It will then carry out a site audit to see the procedures in practice. Then, if it is satisfied of successful implementation, the certification body will issue your certificate. The time period for the certification process inevitably varies depending on the size and type of the organisation, but typically takes days rather than weeks.
Ongoing support and maintenance
Smaller organisations often don't have the resources or expertise required to maintain the ISMS once accredited certification has been achieved, which can render the entire implementation project worthless. After all, with no promise of longevity there is little point in having implemented the new systems in the first place. ISO27001 compliance is an ongoing process: auditors will return at least annually to ensure you are still operating the system as you intended. (The annual audit normally takes less time than the initial certification audit.)
Therefore, to support your maintenance of the ISMS and ensure ongoing certification to ISO27001, IT Governance is able to provide ongoing support in three ways:
ISMS maintenance, which will advise on corrective and preventive actions, document updates and risk reviews.
Our internal auditing service will check that the controls in place are working as expected and, where necessary, will advise on how they can be improved.
IT Governance will provide the lead auditee on site during certification audits to answer the external auditors’ questions.
ISO 27001 solutions
We have created four packaged solutions that will enable you to implement ISO 27001 at a speed and budget that is appropriate for your individual needs and preferred project approach.
Each fixed-price solution is a combination of products and services that can be accessed online and deployed by any company in the world.
Find out more about our ISO 27001 packaged solutions and which one is right for you.