Guide to ISO 27001 Implementation
Implementing an ISO 27001-compliant ISMS (information security management system) can be challenging but is worth the effort. If you are just getting started with ISO 27001 compliance, this 16-step implementation checklist has been designed to assist you.
Getting support from your management team is crucial to the success of your ISO 27001 implementation project: having the board, executives, and managers on board helps you avoid roadblocks along the way.
Note: To assist in gaining support for your ISO 27001 implementation you should promote the following key benefits to help all stakeholders understand its value.
Attesting to security control compliance shows managers the quickest “return on investment”: if the organisation is required to comply with regulations relating to data protection, privacy, and IT governance, an ISO 27001 implementation can introduce the necessary controls (policies, processes, procedures, and technology). This outcome is particularly useful for organisations operating in the government and financial services sectors.
In an increasingly competitive market, it is hard to find a unique selling point for the business. ISO 27001 is a true differentiator and shows your customers you care about protecting their data.
Information security is usually considered a cost of doing business with no obvious financial benefit; the value of risk reduction becomes clear, however, when you consider the costs of incident response and of paying damages after a data breach. Your current level of exposure is hard to quantify, but looking at it from a threat perspective, what would be the impact of an extended service interruption, the loss of confidential product plans, or having to deal with disgruntled employees who pose a potential insider threat?
Unfortunately, it is impossible to determine precisely how much money you will save if you prevent these incidents from occurring. However, the value to your business of reducing the likelihood of security risks turning into incidents helps limit your exposure.
Strengthens your organisation's resilience
During periods of unusual organisational change, for example when your organisation is growing or acquiring another business, you need to understand who is responsible for security. Business functions such as asset management, service management and incident management all need well-documented processes and procedures, and as new staff come on board you also need to understand who should have access to which information systems. ISO 27001 is extremely good at resolving these issues and at integrating security with your business management systems.
ISO 27001 brings many benefits besides being another business certification, and if you present these benefits in a clear and precise way, management will immediately see the value in their investment.
Assemble a project implementation team. Appoint a project manager who can oversee the successful implementation of the Information Security Management System (ISMS); it helps if they have a background in information security, along with the authority to lead a team. Depending on the scale of the project, the project manager may require a team to assist them.
Once the team is assembled, the project manager can create the project mandate, which should answer the following questions:
- What are we hoping to achieve?
- How long will it take?
- How much will it cost?
- Does the project have management support?
With the project mandate complete, it is time to determine which improvement methodologies you will use, and then draft the implementation plan. You can use any methodologies that work for you (PRINCE2, Agile, etc.) but the requirements and processes should be clearly defined, correctly implemented, reviewed, and regularly improved.
If your organisation is large, it makes sense to start the ISO 27001 implementation in one part of the business. This approach lowers project risk as you uplift each business unit separately then integrate them together at the end.
Note: Any organisation with fewer than 50 employees should keep the scope as the whole company.
Your management team should help define the scope of the ISO 27001 framework and should input to the risk register and asset identification (i.e. tell you which business assets to protect). Included in the scoping exercise are both internal and external factors, such as dealing with HR and your marketing and communications teams, as well as regulators, certification bodies and law enforcement agencies. Consider how your security team will work with these dependencies and document each procedure (making sure to state who the decision-makers are for each activity).
Set objectives and budgets, and provide estimated implementation timescales. If your scope is too small, you may leave information exposed, but if your scope is too broad, the ISMS will quickly become complex and increase the risk of failure. Getting this balance right is crucial.
In your ISMS scope document you should include a short description of your location, floor plans and organisational charts – this is not a strict requirement by the standard, but certification auditors like them included. The ISMS scope document is a requirement of ISO 27001, but the documents can be part of your Information security policy.
The ISMS policy outlines the objectives for your implementation team and a plan of action. Once the policy is complete it needs board approval. You can then develop the rest of your ISMS, authoring the documents as follows:
- Policies define your organisation’s position on specific issues, such as acceptable use and password management.
- Procedures enforce the policies’ requirements.
- Work instructions describe how employees should carry out the procedures and meet the requirements of the policies.
- Records track the use of procedures and work instructions so that it can be audited later.
Risk assessment is one of the most complex tasks of the ISO 27001 implementation. Define the rules for identifying risks, impacts, probability, and the acceptable level of risk. Use a risk matrix (if you are unsure, consult ISO 31000), as this helps your risk assessments remain consistent. Your security systems are focused on managing risks, so it is essential that you have assessed the threats targeting your organisation and the likelihood of being attacked. You will use the value of the assets you are protecting to identify and prioritise these risks; risk management thus becomes a core business discipline at the heart of your ISMS.
Implement the risk assessment you defined in the previous step. The objective of a risk assessment is to define a comprehensive list of internal and external threats facing your organisation’s critical assets (information and services).
The risk assessment process should identify mitigation strategies to help decrease risks, done by implementing the controls from Annex A in ISO 27001. Establish your organisation’s security baseline, which is the minimum level of activity required to conduct business securely.
A Risk Assessment Report should be written, documenting the steps taken during the assessment and mitigation process. Approval is needed for the level of residual risk left in the organisation once the project is complete, and this is documented as part of the Statement of Applicability.
A focused risk assessment helps you identify your organisation’s biggest security vulnerabilities and any corresponding ISO 27001 controls that can mitigate those risks (see Annex A of the Standard).
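The following is an added worked example of the risk matrix approach described above; it is not part of this checklist and not the standard's own method. The 5x5 likelihood/impact scale, the rating bands, the acceptable-risk threshold, the sample assets and threats, and the control labels are all constructed assumptions: replace them with the rules your organisation defines, and map each control label to the matching Annex A control yourself.

```python
"""Scoring a risk register against a likelihood/impact matrix.

Added illustration for the ISO 27001 risk assessment step. All scales,
thresholds, assets, threats and control labels below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

SCALE = range(1, 6)       # assumed scale: 1 = very low .. 5 = very high
ACCEPTABLE_RISK = 6       # assumed acceptable level agreed with management


@dataclass
class Risk:
    asset: str
    asset_value: int                 # 1..5, business value of the asset
    threat: str
    likelihood: int                  # 1..5, before treatment
    impact: int                      # 1..5, before treatment
    controls: list = field(default_factory=list)   # hypothetical control labels
    residual_likelihood: Optional[int] = None      # expected after treatment
    residual_impact: Optional[int] = None


def score(likelihood: int, impact: int) -> int:
    """One cell of the matrix: likelihood x impact, in the range 1..25."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    return likelihood * impact


def band(value: int) -> str:
    """Assumed rating bands; ISO 31000 lets you choose your own."""
    if value >= 15:
        return "High"
    if value >= 8:
        return "Medium"
    return "Low"


def inherent(risk: Risk) -> int:
    """Score before any planned control is applied."""
    return score(risk.likelihood, risk.impact)


def residual(risk: Risk) -> int:
    """Score after planned controls; unchanged when no treatment is planned."""
    lik = risk.likelihood if risk.residual_likelihood is None else risk.residual_likelihood
    imp = risk.impact if risk.residual_impact is None else risk.residual_impact
    return score(lik, imp)


def prioritise(register):
    """Order risks by asset value weighted inherent score, highest first."""
    return sorted(register,
                  key=lambda r: (r.asset_value * inherent(r), inherent(r)),
                  reverse=True)


def unaccepted(register):
    """Risks whose residual score still exceeds the acceptable level: these
    need further treatment or an explicit management sign-off."""
    return [r for r in register if residual(r) > ACCEPTABLE_RISK]


def applicability(register):
    """Control label -> the risks that justify it (input to the Statement of
    Applicability)."""
    soa = {}
    for r in register:
        for control in r.controls:
            soa.setdefault(control, []).append(f"{r.asset}: {r.threat}")
    return soa


# Constructed sample register (not real data)
SAMPLE_REGISTER = [
    Risk("customer database", 5, "ransomware encrypts data", 3, 5,
         ["offline-backups", "endpoint-protection"],
         residual_likelihood=2, residual_impact=2),
    Risk("customer database", 5, "credential theft via phishing", 4, 4,
         ["mfa", "awareness-training"],
         residual_likelihood=2, residual_impact=4),
    Risk("marketing website", 2, "defacement", 3, 2,
         ["patching"], residual_likelihood=1, residual_impact=2),
    Risk("HR records", 4, "insider disclosure", 2, 4,
         ["least-privilege", "access-review"]),   # no treatment planned yet
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.asset:18} {r.threat:30} inherent={inherent(r):2} "
              f"({band(inherent(r))}) residual={residual(r):2} ({band(residual(r))})")
    print("Still above acceptable level:",
          [r.threat for r in unaccepted(SAMPLE_REGISTER)])
    for control, reasons in applicability(SAMPLE_REGISTER).items():
        print(f"{control} <- {reasons}")
```

The weighting by asset value is what the checklist means by using asset value to prioritise risks; the residual list is the set that needs a documented acceptance decision before the Statement of Applicability is signed off.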
- Roles and responsibilities for running the programme
- Security awareness poster campaigns
- Computer-based security awareness training
- Simulated phishing exercises
- Cyber security alerts and advisories
ISO 27001 requires the following for the control of your ISMS records:
- Distribution, access, retrieval, and use – you need to define who has access to each type of record and for what purpose.
- Storage and preservation – define where the records are archived and how they are protected from unauthorised access.
- Control of changes – assign a new version number for each update.
- Retention and disposition – how long records are kept and how they are destroyed.
There are two ways to document these rules:
- Write a centralised policy or a procedure that would define the rules for controlling all your records.
- Define the rules in different policies and procedures separately for each type of record.
How are your ISMS processes performing? How many incidents do you have and of what type? Are all procedures being carried out properly? Monitoring your ISMS is how you ensure the objectives for controls and measurement methodologies come together – you must check whether the results you obtain are achieving what you have set out in your objectives. If something is wrong, you need to take corrective and/or improvement action.
Performance monitoring and measurement are also important in the maintenance and monitoring stage. Without an assessment of your ISMS performance, you cannot determine if your processes and procedures are efficient and delivering reasonable levels of risk reduction.
Clause 9.1 of ISO 27001 establishes several things that must be identified to ensure proper monitoring and measurement:
- Monitoring: Identifying all business results and processes that can be affected by variations on information security performance, including the information security controls and processes themselves and mandatory requirements like laws, regulations, and contractual obligations.
- Method: You can choose any method. What is critical is that it must be verifiable.
- Frequency: Different needs require different monitoring or measurement intervals. For example, an application can have monitoring or measurement points at data input, during data processing, or at data output. Applications restricted to internal use may be monitored or measured periodically, while the interval may be longer for Internet-facing applications.
- Value: To add business value, the monitoring and measurement results must be considered on decisions and actions at appropriate times. Considering them too early or too late may result in wasted effort and resources, or lost opportunities.
- Responsibility: As important as when the data is analysed and evaluated is who does this. In most cases, the analysis will be done at the operational level while management staff perform any evaluations.
To fulfil clause 7.5, charts, checklists, and analysis reports should be reviewed by management and proper documentation preserved.
- Frequency: A small company should undertake one audit per year across the entire business. Larger organisations should perform audits in each department per year, but rotate your auditors around each department, potentially once per month.
- Guidelines: If you implemented ISO 9001 – for quality management – you can use the same internal audit procedure you established for that. Your auditors can perform internal audits for both ISO 9001 and ISO 27001 at the same time – if the person has knowledge of both standards, and has knowledge about IT, they will be capable of doing an integrated internal audit.
- Procedure: A written procedure that defines how the internal audit should be performed is not mandatory but is highly recommended. Normally, employees are not familiar with internal audits, so it is a good thing to have some basic rules written down and an audit checklist.
- Frequency: The management review should be annual as a minimum unless there are major changes.
- Meeting Minutes: The most common way to document the management review is meeting minutes. For large organisations, more formal proceedings can take place with detailed documented decisions.
- Results: Communicating the results can be done via email or a follow-up meeting.
- Material: Most commonly, the Chief Information Security Officer or Business Continuity Coordinator will collate the input information for management consideration, but large organisations may use department heads.
At the end of the review, executives make the following decisions:
- Determine if the ISMS has fulfilled its objectives
- Agree which improvements will be implemented (funded)
- Agree on the changes to the scope if needed
- Agree on investing in more resources to support the security programme
- Ensure policies and procedures are up to date
It is also a good opportunity to educate the executives on the basics of information security and compliance.
The purpose of the management system is to ensure that all “non-conformities” are corrected or improved. ISO 27001 requires that corrective and improvement actions be done systematically, which means that the root cause of a non-conformity must be identified, resolved, and verified.
If you found this ISO 27001 checklist useful and would like to discuss how you can get certification for your own business, get in touch by Contacting Us today for ISO 27001 assistance and certification.