There are many reasons to adopt ISO 27001, the international standard that describes best practice for an information security management system (ISMS). It helps organisations improve their security, comply with cyber security regulations, and protect and enhance their reputation.
But implementing the Standard takes a lot of time and effort. That should be obvious, at least if you believe the phrase ‘nothing worth having comes easy’. We’ve made the process a little easier by breaking down implementation into nine steps.
1. Project mandate
The implementation project should begin by appointing a project leader, who will work with other members of staff to create a project mandate. This is essentially a set of answers to these questions:
- What are we hoping to achieve?
- How long will it take?
- What will it cost?
- Does it have management support?
2. Project initiation
Organisations should use their project mandate to build a more defined structure that goes into specific details about information security objectives and the project’s team, plan and risk register.
3. ISMS initiation
The next step is to adopt a methodology for implementing the ISMS. ISO 27001 recognises that a “process approach” to continual improvement is the most effective model for managing information security. However, it doesn’t specify a particular methodology, and instead allows organisations to use whatever method they choose, or to continue with a model they already have in place.
4. Management framework
At this stage, the organisation needs to define the broader framework within which the ISMS will operate. Part of this involves identifying the scope of the system, which depends on the organisation’s context. The scope also needs to take into account mobile devices and teleworkers.
5. Baseline security criteria
Organisations should identify their core security needs. These are the requirements and corresponding measures or controls that are necessary to conduct business.
6. Risk management
ISO 27001 gives organisations broad freedom to define their own risk management processes. Common methods focus on looking at risks to specific assets or risks presented in specific scenarios. There are pros and cons to each, and some organisations will be much better suited to one method than the other.
There are five important aspects of an ISO 27001 risk assessment:
- Establishing a risk assessment framework
- Identifying risks
- Analysing risks
- Evaluating risks
- Selecting risk management options
7. Risk treatment plan
This is the process of building the security controls that will protect your organisation’s information assets. To ensure these controls are effective, you will need to check that staff are able to operate or interact with the controls, and that they are aware of their information security obligations.
You will also need to develop a process to determine, review and maintain the competences necessary to achieve your ISMS objectives. This involves conducting a needs analysis and defining a desired level of competence.
8. Measure, monitor and review
For an ISMS to be useful, it must meet its information security objectives. Organisations need to measure, monitor and review the system’s performance. This will involve identifying metrics or other methods of gauging the effectiveness and implementation of the controls.
9. Certification
Once the ISMS is in place, organisations should seek certification from an accredited certification body. This proves to stakeholders that the ISMS is effective and that the organisation understands the importance of information security.
The certification process will involve a review of the organisation’s management system documentation to check that the appropriate controls have been implemented. The certification body will also conduct a site audit to test the procedures in practice.
We provide more detail on each of these steps in our green paper: Implementing an ISMS – The nine-step approach. This free guide shows you exactly what you need to do to meet ISO 27001’s requirements, as well as highlighting the challenges you’ll face and how you can overcome them.
You can get practical advice on implementing the Standard by enrolling on our ISO27001 Certified ISMS Foundation Training Course.
This one-day course explains how to make the most of ISO 27001 and provides a complete introduction to the key elements required to comply with the Standard.