If you’re considering implementing an ISMS (information security management system) that conforms to ISO 27001 – the international standard for information security management – you may be daunted by the scale of the task.
Don’t give up, though.
Complying with ISO 27001 needn’t be a burden. Most organisations already have some information security measures – albeit ones developed ad hoc – so you could well find that you have many of ISO 27001’s controls in place. Bringing them into line with the Standard’s requirements and integrating them into a proper management system could be well within your grasp.
IT Governance is the global authority on ISO 27001 and has been helping organisations implement the Standard since our directors successfully led the world’s first ISO 27001 certification project.
Why should I implement ISO 27001?
Because its approach is based on regular risk assessments, ISO 27001 can help your organisation maintain the confidentiality, integrity and availability of your and your clients’ information assets by implementing controls that address the specific risks you face – whether they be from targeted or automated attacks.
It helps improve your organisation’s cyber security posture and business efficiency while ensuring you meet your legal and regulatory data protection obligations.
Organisations that implement an ISO 27001-compliant ISMS can achieve independently audited certification to the Standard to demonstrate their information security credentials to clients, stakeholders and regulators.
Once your ISMS has been certified to the Standard, you can insist that contractors and suppliers also achieve certification, ensuring that all third parties that have legitimate access to your information and systems also maintain suitable levels of security. This is especially important for GDPR (General Data Protection Regulation) compliance, as you will be liable as a data controller if any third-party data processor suffers a breach.
Approximately 25,000 organisations around the world are certified to ISO 27001, and companies looking to contract with governments or large corporate clients will increasingly find that ISO 27001 is a prerequisite for doing business.
What are the options for implementing ISO 27001?
It’s all but impossible to describe an ‘average’ ISO 27001 project for the simple reason that there’s no such thing: each ISMS is specific to the organisation that implements it, so no two projects are the same.
There are three basic approaches you can take: doing it yourself, engaging consultants to do it all for you, or using a combined approach.
The entire project, from scoping to certification, could take three months to a year and cost you hundreds to thousands of pounds, depending on the size and complexity of your organisation, your experience and available resources and the amount of external support you need.
Do it yourself
If you want to implement the Standard yourself, you need a certain amount of knowledge and will benefit from tools and guidance. You’ll probably need:
- Copies of the essential standards: ISO 27001, ISO 27002 and ISO 27000
- An ISO 27001 implementation guide
- ISO 27001 lead implementer and internal auditor/lead auditor training
- An ISMS documentation toolkit
- Risk assessment software
- Staff awareness training tools
Get expert help
If, on the other hand, your time and resources are limited, you might benefit from using consultants with a solid track record of implementing ISMSs and the experience to keep the project on track. This can raise issues when it comes to maintaining your ISMS after the consultants have left, so you might also benefit from an ISMS management service.
Using a combination of tools and internal training, together with a series of fixed sessions with a personal ISO 27001 coach, gives you the best of both worlds: you manage your own project team while benefiting from expert guidance.
Checklist – How to implement ISO 27001 in nine steps
The IT Governance nine-step approach to implementing an ISO 27001-compliant ISMS reflects the methodology used by our consultants in hundreds of successful ISMS implementations around the world.
It covers the full extent of the project, from initial discussions with managers through to testing the completed project.
The ninth step is certification, but certification is merely advisable, not compulsory, and you will still benefit if you simply want to implement the best practice set out in the Standard – you just won’t have the certification to demonstrate your credentials.
1) Project mandate
The implementation project should begin by appointing a project leader, who will work with other members of staff to create a project mandate. This is essentially a set of answers to these questions:
- What are we hoping to achieve?
- How long will it take?
- What will it cost?
- Does it have management support?
2) Project initiation
Organisations should use their project mandate to build a more defined structure that goes into specific details about information security objectives and the project’s team, plan and risk register.
3) ISMS initiation
The next step is to adopt a methodology for implementing the ISMS. ISO 27001 recognises that a “process approach” to continual improvement is the most effective model for managing information security. However, it doesn’t specify a particular methodology, and instead allows organisations to use whatever method they choose, or to continue with a model they have in place.
4) Management framework
At this stage, you need to define the management framework within which the ISMS will operate. Part of this involves identifying the scope of the system, which depends on your organisation's context. The scope also needs to take into account mobile devices and teleworkers.
5) Baseline security controls
Organisations should identify their core security needs. These are the requirements and corresponding measures or controls necessary to conduct business.
6) Risk management
ISO 27001 allows organisations to broadly define their own risk management processes. Common methods focus on looking at risks to specific assets or risks presented in specific scenarios. There are pros and cons to each, and some organisations will be much better suited to a particular method. There are five important aspects of an ISO 27001 risk assessment:
- Establishing a risk assessment framework
- Identifying risks
- Analysing risks
- Evaluating risks
- Selecting risk management options
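The five aspects listed above can be traced through a minimal risk register. The following is an added illustration, not IT Governance's methodology or tooling. Because ISO 27001 does not prescribe a scoring scheme, the 5x5 likelihood-by-impact scale, the acceptance level of 8, the treatment rules and the sample risks are all assumptions constructed for this example; an organisation would substitute the criteria it defines in its own risk assessment framework.

```python
"""Illustrative ISO 27001-style risk register (example code, not a vendor tool).

Walks the five aspects of a risk assessment: framework (scales and
acceptance criteria), identification (assets and scenarios), analysis
(scoring), evaluation (comparison with the acceptance level) and selection
of a treatment option. Scales, threshold and rules are assumptions.
"""
from dataclasses import dataclass

# --- Aspect 1: risk assessment framework (assumed scales and criteria) ---
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_ACCEPTANCE_LEVEL = 8  # assumed: scores at or below this are accepted as-is
TREATMENT_OPTIONS = ("accept", "modify", "share", "avoid")  # ISO 27005 terminology


@dataclass
class Risk:
    """Aspect 2: one identified risk, expressed as a scenario against an asset."""
    asset: str
    scenario: str
    likelihood: str
    impact: str
    score: int = 0
    treatment: str = ""


def analyse(risk: Risk) -> int:
    """Aspect 3: score the risk as likelihood x impact on the assumed 5x5 scale."""
    risk.score = LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]
    return risk.score


def evaluate(risk: Risk) -> bool:
    """Aspect 4: True when the score exceeds the organisation's acceptance level."""
    return risk.score > RISK_ACCEPTANCE_LEVEL


def select_treatment(risk: Risk) -> str:
    """Aspect 5: choose a treatment option (assumed rule set).

    Accept if within tolerance; avoid (stop the activity) when both likelihood
    and impact sit at the top of the scale; otherwise modify the risk by
    applying controls. 'share' (insurance, outsourcing) is deliberately left
    to human judgement rather than chosen automatically.
    """
    if not evaluate(risk):
        risk.treatment = "accept"
    elif LIKELIHOOD[risk.likelihood] == 5 and IMPACT[risk.impact] == 5:
        risk.treatment = "avoid"
    else:
        risk.treatment = "modify"
    assert risk.treatment in TREATMENT_OPTIONS
    return risk.treatment


def assess(register: list) -> list:
    """Run analysis and treatment selection, returning risks highest-score first."""
    for risk in register:
        analyse(risk)
        select_treatment(risk)
    return sorted(register, key=lambda r: r.score, reverse=True)


def treatment_summary(register: list) -> dict:
    """Map each scenario to its selected treatment option."""
    return {r.scenario: r.treatment for r in assess(register)}


# Constructed sample register for this example; not real assessment data.
SAMPLE_REGISTER = [
    Risk("Customer database", "Web application compromise via injection flaw", "possible", "major"),
    Risk("Staff laptops", "Loss of unencrypted laptop while teleworking", "likely", "moderate"),
    Risk("Office printer", "Paper jam delays routine printing", "almost certain", "negligible"),
    Risk("Legacy file server", "Internet-exposed system with no vendor support", "almost certain", "severe"),
]

if __name__ == "__main__":
    for risk in assess(SAMPLE_REGISTER):
        print(f"{risk.score:>3}  {risk.treatment:<7} {risk.asset}: {risk.scenario}")
```

The ordering and the accept/modify/avoid decisions are what an auditor will expect to see documented: the scale in use, the acceptance criteria that management signed off, and for each risk above tolerance the treatment chosen and the controls that implement it.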
7) Implementation
This is the process of building the security controls that will protect your organisation’s information assets. To ensure these controls are effective, you will need to check that staff are able to operate or interact with the controls, and that they are aware of their information security obligations.
You will also need to develop a process to determine, review and maintain the competences necessary to achieve your ISMS objectives. This involves conducting a needs analysis and defining a desired level of competence.
8) Measure, monitor and review
For an ISMS to be useful, it must meet its information security objectives. Organisations need to measure, monitor and review the system’s performance. This will involve identifying metrics or other methods of gauging the effectiveness and implementation of the controls.
9) Certification
Once the ISMS is in place, organisations should seek certification from an accredited certification body. This proves to stakeholders that the ISMS is effective and that the organisation understands the importance of information security.
The certification process will involve a review of the organisation’s management system documentation to check that the appropriate controls have been implemented. The certification body will also conduct a site audit to test the procedures in practice.