Nine steps plus one to success – from ISO 27001 Experts

Every director, CEO, executive or manager wants their company to run smoothly and be successful. But how do we determine ‘success’? Through profit, the human factor, client base, good reputation, longevity of the business? Absolutely – the answer is ‘yes’ to all.

In the current technology climate, information security is of paramount importance. Without it, none of the above elements work as effectively. If your corporate data is not safe, your business is likely to underperform, resulting in loss of profit and a damaged reputation. Implementing an Information Security Management System (ISMS) is a first step towards success.

Needless to say, recent government regulations have been a major driver for companies in India to implement information security projects (ISPs) and pursue ISO 27001 certification. Our Nine Steps to Success: An ISO 27001 Implementation Overview, by Alan Calder, lists all the important steps that will help your organisation comply with the new law.

1. Initial Approach

The first key to ISO 27001 success is, put simply, to set up for success. Setting up for success means four things:

  • Knowing – and being able to clearly communicate – why information security is important for any organisation and, in particular, for yours;
  • Knowing specifically why ISO 27001 is the right way to provide information security – and this also means having a background knowledge of the standard and how it works;
  • Knowing how the project is going to be structured, what the key elements are (there are nine of them), and why this is the best way to go about it;
  • Knowing whether you’re going to use consultants or do it yourself, and the pros and cons of both.

2. Management Support

Information security is both a management and a governance issue. It involves the following elements:

  • Strategic Alignment
  • Prioritisation and endorsement
  • Change management
  • The CEO’s commitment
  • Senior management support

3. Scoping

Scoping is hugely important because you need to know the boundaries of what you are planning to implement and because the standard itself requires it. It involves the following:

  • Establishing endpoint security
  • Defining boundaries
  • Phased approach
  • Network mapping
  • Cutting corners

4. Planning

Planning is an essential precursor to project success. Whilst ISO 27001 promotes the adoption of a ‘process approach’, planning fulfils this approach via the PDCA (‘Plan-Do-Check-Act’) cycle.

5. Communication

The rule ‘communicate early and communicate often’ applies. Communication is so important that it is one of the nine keys to ISO 27001 project success.

It involves two key elements:

  • Staff buy-in
  • Information security policy

6. Risk Assessment

Risk assessment is said to be at the heart of the ISMS. Understanding its significance to the overall process is critical, and is itself one of the keys to project success.

Risk management plans have four linked objectives, which are to:

  • Eliminate risks
  • Reduce those risks that can’t be eliminated to ‘acceptable’ levels; and then to either
  • Live with them, exercising carefully the controls that keep them ‘acceptable’, or
  • Transfer them, by means of insurance, to some other organisation.

7. Control Selection

The concepts of risks and controls are interrelated and are fundamental to ISMSs. Alan Calder distinguishes four types of control:

  • Deterrent controls reduce the likelihood of a deliberate attack
  • Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact
  • Corrective controls reduce the effect of an attack
  • Detective controls discover attacks and trigger preventative or corrective controls.

8. Documentation

A properly managed ISMS will be fully documented. ISO 27001 describes the minimum documentation that should be included in the ISMS.

There are three approaches to tackling the documentation requirements of the Standard:

  • Trial and error
  • External expertise
  • Third Party Documentation Toolkit plus guidance

9. Testing

Testing is probably the most crucial element of a successful ISP. There are four types of testing that should be considered:

  • Straightforward audit
  • Limited ‘paper test’
  • Limited ‘real-life’ test
  • Large-scale scenario test

10. Successful Certification

After all the hard work you have put in towards ISO 27001 certification, it is now time to finally get certified. ITG Asia offers a wide variety of information and resources, as well as useful tips and advice.

To find out more, download Nine Steps to Success: An ISO 27001 Implementation Overview today, or if you have any questions regarding the implementation of an ISP, do not hesitate to contact us.