Implementing and maintaining an ISMS (information security management system) aligned to ISO 27001 requires up-to-date, accurate and compliant documentation.
There are three approaches to tackling the documentation requirements of the Standard; the length of time that the project will require will depend very much on the methodology adopted.
1. Trial and error
The first methodology is trial and error. Because those charged with deploying the ISMS first have to learn how to perform every single aspect of the task, it is the most time-consuming of the three, has a high risk of failure, and extends the period during which the organisation continues to fail to meet its information security objectives.
2. External expertise
The second, equally traditional, method is to bring in outside expertise in the form of experienced consultants to produce your documentation. It is a quicker approach than trial and error, but substantially more expensive. Its major advantages include considerably reducing project time, reducing the risk of failure, increasing the speed of organisational learning and overcoming resource deficiencies.
3. Third-party documentation toolkit plus guidance
While this approach is most appropriate for organisations that prefer to tackle internal change projects largely without external consultant support, it is an approach that depends as much on the quality and extent of senior management support and commitment as it does on the quality of the tools themselves.
The major advantages of this approach are that documentation toolkits:
- are designed to meet ISO 27001 requirements from the outset;
- are fast to deploy;
- are very cost-effective (with low TCO and high ROI);
- generate substantial cost savings compared with traditional approaches;
- are full of best practice;
- will be cross-functional and company-wide, with a continual improvement cycle;
- create a very low likelihood of project failure;
- have continual improvement built in from the start.
Tackling your project with a documentation toolkit
It is essential that any documentation toolkit is designed to meet the detailed requirements of the Standard, and that it comes with detailed guidance on how to tackle the project and all of the detailed drafting requirements.
At IT Governance, we designed and built the ISO 27001 ISMS Documentation Toolkit to meet the requirements of the Standard. It reflects our experience successfully developing certifiable information security management systems, and was developed specifically for organisations that want to avoid the costs and disadvantages of learning by trial and error.
This toolkit is also specifically designed so that it can easily be integrated into additional management systems, ensuring that the opportunity to build an integrated management system that meets multiple standards is available from the outset. The documents can be easily customised and the one-click formatting feature for styling and branding your templates allows you to embed the documentation into your organisation quickly and easily.
And unlike others on the market, our toolkit is proven to have helped organisations go on to achieve certification.
Excerpts in this blog post were taken from Alan Calder’s Nine Steps to Success – An ISO 27001 Implementation Overview, Third edition.