How to implement an ISMS

If your organisation is at all concerned about data protection, it should have an information security management system (ISMS).

An ISMS is a system of processes, documents, technology and people that helps organisations manage, monitor and improve their information security in one place. ISO 27001 describes best practice for an ISMS, and certifying to the Standard means you can be sure that your organisation’s security measures are as effective as possible.

Implementing an ISMS can be hard work, and it will involve your whole organisation. The project can take anywhere from three months to a year, and however you proceed, you need to take into account your organisation’s size, the threats it faces and the measures it already has in place. Nonetheless, any implementation project should always contain these 14 steps:

1. Conduct a gap analysis

This helps you determine the areas of your organisation that aren’t compliant with ISO 27001 and what you need to do to become compliant.

2. Scope the ISMS

Scoping requires you to decide which information assets to ring-fence and protect. Doing this correctly is essential, because a scope that’s too big will escalate the time and cost of the project, and a scope that’s too small will leave your organisation vulnerable to risks that weren’t considered.

3. Develop your information security policy

A policy should reflect the organisation’s view on information security and be agreed upon by the board.

4. Conduct a risk assessment

Risk assessments are the core of any ISMS. An assessor identifies the risks the organisation faces, then estimates and evaluates each one.

The risk assessment also helps identify whether the organisation’s controls are necessary and cost-effective.

5. Select your controls

Controls should be applied to manage or reduce the risks identified in the risk assessment. ISO 27001 requires organisations to compare the controls they select against the Standard's own list of best-practice controls, which is contained in Annex A.

6. Create a Statement of Applicability (SoA)

An SoA lists all the controls identified in ISO 27001, details whether each control has been applied and explains why it was included or excluded.

7. Set up a risk treatment plan (RTP)

An RTP describes the steps an organisation should take to deal with the risks identified in the risk assessment.

8. Create your documentation

Organisations need to document every planned control and component of the ISMS to make sure they are applied consistently and can be improved if necessary.

Creating documentation is the most time-consuming part of implementing an ISMS.

9. Roll out a staff awareness programme

All employees should receive regular training to increase their awareness of information security issues and the purpose of the ISMS.

10. Conduct regular testing

To determine whether controls work as they should, ISO 27001 requires organisations to conduct regular internal audits of their ISMS. Regular testing should also be conducted to make sure your incident response plans function effectively.

11. Conduct management reviews

Top management should review the performance of the ISMS at least annually.

12. Choose your certification body

The certification body you use should be properly accredited by a recognised national accreditation body that is a member of the International Accreditation Forum.

13. Gain accredited certification

Your chosen certification body will review your management system documentation, check that you have implemented appropriate controls and conduct a site audit to test the procedures in practice.

14. Manage and review your ISMS

Once the ISMS has been implemented, you need to maintain and continually review it. ISO 27001 specifies the requirements for doing this.

ISO 27001 auditing

If you want to gain the skills to manage an ISO 27001 compliance project, you should enrol on our ISO27001 Certified ISMS Internal Auditor Training Course.

This two-day course is presented by an experienced ISO 27001 practitioner with real-world insights into implementing and maintaining an ISMS that complies with the Standard. You’ll learn everything about ISO 27001 auditing, including the role the auditor plays, the documents you need to be aware of and the ins and outs of planning and conducting an audit.

Find out more about our ISO27001 Certified ISMS Internal Auditor Training Course.