How do I implement ISO 27001?

Information security breaches are becoming the new normal. Security teams must now take dedicated measures to reduce the risk of suffering a damaging breach. The only solution to the growing threat of cyber attacks is to implement a robust approach that tackles all aspects of information security and business continuity throughout the organisation.

What is ISO 27001?

ISO 27001 is an international management standard that uses an integrated set of policies, procedures and technology to manage data security within a cyber security ecosystem. This ecosystem is known as an information security management system (ISMS). An ISMS is based on the regular identification and management of information security risks, and provides guidance to implement appropriate measures for mitigating those risks.

Achieving accredited certification to ISO 27001 demonstrates that your company is following information security best practice, and delivers an independent, expert assessment of whether your data is adequately protected.

How to implement ISO 27001

Implementing an ISMS based on ISO 27001 will involve your whole organisation. An ISMS is specific to the organisation that implements it, so no two ISO 27001 projects are the same. The entire project, from scoping to certification, can take three months to a year depending on the complexity and size of the organisation.

Here are the most common elements of implementing an ISMS:

Conducting a gap analysis compares an organisation’s current information security processes against the Standard’s requirements and determines what is still needed to meet them. It identifies the resources and capabilities the organisation needs to close that gap.

Scoping involves deciding which information assets are going to be protected. This is often a difficult and complicated process for larger organisations. If the project is incorrectly scoped, your organisation can be left exposed to risks that were never considered.

An information security policy should be put in place that reflects the organisation’s view on information security. This policy will then need to be agreed by the board.

A risk assessment is at the core of any ISMS. A risk assessor identifies the risks the organisation faces, then estimates and evaluates each of them. The risk assessment helps to determine whether controls are necessary and cost-effective for the organisation.

Controls should be put in place to reduce or manage risks once the risk assessment has been completed. ISO 27001 has its own list of best-practice controls, against which an organisation will need to compare the controls it already has.

Documentation needs to be developed to support every planned control and component of the ISMS. This documentation will then establish a point of reference to ensure consistent application and improvement.

All staff members should receive regular training that will increase their awareness of information security issues.

ISO 27001 requires regular audits and testing to be carried out. This is to ensure that the controls are working as they should be and that the incident response plans are functioning effectively.

The certification body will need to review your management system documentation and check that you have implemented all the appropriate controls. This will be followed by a site audit that will test the procedures in practice.

We have helped more than 400 clients achieve ISO 27001 certification, and our implementation tools, training and resources can help you too.

Find out how IT Governance can help your organisation achieve ISO 27001 certification.
