Implementing ISO 27001 is often seen as a purely administrative and procedural business exercise. In fact, many organisations back away from ISO 27001 in the false belief that implementing the Standard will restrict the way they run their business.
If you’re contemplating implementing ISO 27001 but concerned about the impact on your time and management resources, check out our five tips for achieving a successful ISO 27001 implementation.
- Get the senior management team involved
The primary concern senior management has is ensuring the long-term success of the organisation: to increase profits and decrease risks. But persuading the board to invest in information security measures requires sales skills. Even though high-profile data breaches – such as those that hit TalkTalk and Sony – have put cyber security on the board’s agenda, persuading senior management to move forward and do something about it is still a major hurdle for many businesses.
Start your senior management-level security awareness work as early in the ISMS implementation as possible, so that everything the Standard requires is covered.
- Produce a gap analysis
The gap analysis can serve as the ideal starting point for developing a solid business case to present to the executive team. A comprehensive gap analysis will provide you with information about implementing ISO 27001 based on an analysis of requirements, objectives, existing information security arrangements (management processes and controls) and human factors.
A detailed gap analysis uses interviews with key managers to identify pertinent information, an assessment of relevant documentation, and a process to define the scope of your intended ISMS.
Addressing all the relevant requirements of the Standard can be time-consuming. That’s why we recommend using a software tool to help you track your activities.
- Gain cross-functional support from co-workers
When implementing ISO 27001, it is critically important to gain support not only from senior management or the board, but also from among different groups or departments within your organisation. The first step in managing security is putting in place a governance framework to support the organisation’s security practices. Include a feedback loop that takes results and observations from employees across the organisation and sets up corrective actions to ensure that processes are improved. An effective ISMS depends on awareness and acceptance across all parties.
- Develop a project plan with key project milestones
Now that your gap analysis has identified and evaluated the discrepancies between your existing information security practices and the requirements of ISO 27001, you will have a better grasp of the magnitude of the implementation project, enabling you to set up a project plan with defined milestones.
However, implementing an ISO 27001-compliant ISMS is notoriously difficult, and many companies quickly realise that their inexperience may lead them to implement certain aspects of the ISMS incorrectly.
- Focus on continual improvement
Human behaviour is complex and inconsistent, making it a rich hunting ground for would-be attackers and a significant risk to the security of your organisation. ISO 27001 encompasses people, processes and technology, recognising that information security is not just about antivirus software, installing the latest firewall, or locking down your laptops and web servers. Technology and software alone are simply too weak to defend against the evolving nature of information security threats. An effective way to address the human risk is to create a culture of security.