
ISO 27001 Checklist

Posted July 9, 2021

Guide to ISO 27001 Implementation

by Robert McAdam, CEO.

Implementing an ISO 27001-compliant ISMS (information security management system) can be challenging but is worth the effort. If you are just getting started with ISO 27001 compliance, this 16-step implementation checklist has been designed to assist you.

Step 1: Obtain management support

Getting support from your management team is crucial to the success of your ISO 27001 implementation project, especially in making sure you avoid roadblocks along the way. Getting the board, executives, and managers on board helps prevent those roadblocks from appearing.

Note: To gain support for your ISO 27001 implementation, promote the following key benefits so that all stakeholders understand its value.

Compliance

Attesting to security control compliance shows managers the quickest “return on investment”: if the organisation is required to comply with regulations relating to data protection, privacy, and IT governance, an ISO 27001 implementation can introduce the necessary controls (policies, processes, procedures, and technology). This outcome is particularly useful for organisations operating in the government and financial services sectors.

Competition

In an increasingly competitive market, it is hard to find a unique selling point for the business. ISO 27001 is a true differentiator and shows your customers you care about protecting their data.

Reduced Costs

Information security is usually considered a cost of doing business with no obvious financial benefit. The gains from risk reduction become clear, however, when you consider the costs of incident response and of paying for damages after a data breach. Your current level of exposure is hard to quantify, but look at it from a threat perspective: what would be the impact of an extended service interruption, the loss of confidential product plans, or dealing with disgruntled employees where there is a potential risk of insider attack?

Unfortunately, it is impossible to determine precisely how much money you will save by preventing these incidents. However, reducing the likelihood of security risks turning into incidents limits your exposure, and that has real value to your business.

Strengthens your organisation's resilience

During periods of unusual organisational change, for example when your organisation is growing or acquiring another business, you need to understand who is responsible for security. Business functions such as asset management, service management and incident management all need well-documented processes and procedures, and as new staff come on board, you also need to understand who should have access to which information systems. ISO 27001 is extremely good at resolving these issues and at integrating security with your business management systems.

ISO 27001 brings many benefits besides being another business certification, and if you present these benefits in a clear and precise way, management will immediately see the value in their investment.

Step 2: Treat it as a project

Assemble a project implementation team. Appoint a project manager who can oversee the successful implementation of the Information Security Management System (ISMS); it helps if they have a background in information security, along with the authority to lead a team. Depending on the scale of the project, the project manager may need a team to assist them.

Once the team is assembled, the project manager can create the project mandate, which should answer the following questions:

  • What are we hoping to achieve?
  • How long will it take?
  • How much will it cost?
  • Does the project have management support?

With the project mandate complete, it is time to determine which improvement methodologies you will use, and then draft the implementation plan. You can use any methodologies that work for you (PRINCE2, Agile, etc.) but the requirements and processes should be clearly defined, correctly implemented, reviewed, and regularly improved.

Step 3: Define the scope

If your organisation is large, it makes sense to start the ISO 27001 implementation in one part of the business. This approach lowers project risk, as you uplift each business unit separately and then integrate them at the end.

Note: Any organisation with fewer than 50 employees should keep the scope as the whole company.

Your management team should help define the scope of the ISO 27001 framework and should provide input to the risk register and asset identification (i.e. tell you which business assets to protect). The scoping exercise covers both internal and external factors, such as dealing with HR and your marketing and communications teams, as well as regulators, certification bodies and law enforcement agencies. Consider how your security team will work with these dependencies and document each procedure (making sure to state who the decision-makers are for each activity).

Set objectives and budgets, and provide estimated implementation timescales. If your scope is too small, you may leave information exposed; if it is too broad, the ISMS will quickly become complex and the risk of failure increases. Getting this balance right is crucial.

In your ISMS scope document you should include a short description of your location, floor plans and organisational charts. This is not a strict requirement of the standard, but certification auditors like to see them included. The ISMS scope document itself is a requirement of ISO 27001, but it can form part of your information security policy.

Step 4: Write the Information Security Policy

The ISMS policy outlines the objectives for your implementation team and a plan of action. Once the policy is complete it needs board approval. You can then develop the rest of your ISMS, authoring the documents as follows:

  • Policies define your organisation’s position on specific issues, such as acceptable use and password management.

  • Procedures enforce the policies’ requirements.

  • Work instructions describe how employees should undertake the procedures and meet the needs of policies.

  • Records track the use of procedures and work instructions so that activities can be audited later.

Step 5: Define the Risk Assessment Methodology

Risk assessments are one of the most complex tasks of the ISO 27001 implementation. Define the rules for identifying risks, impacts, probability, and the acceptable level of risk. Use a risk matrix (if you are unsure, consult ISO 31000), as this helps your risk assessments remain consistent. Your security systems are focused on managing risks, so it is essential that you have assessed the threats targeting your organisation and the likelihood of being attacked. You will use the value of the assets you are protecting to identify and prioritise these risks; in this way risk management becomes a core business discipline at the heart of your ISMS.

Step 6: Perform the Risk Assessment

Implement the risk assessment you defined in the previous step. The objective of a risk assessment is to define a comprehensive list of internal and external threats facing your organisation’s critical assets (information and services).

The risk assessment process should identify mitigation strategies to help decrease risks, achieved by implementing the controls from Annex A of ISO 27001. Establish your organisation’s security baseline: the minimum level of activity required to conduct business securely.

A Risk Assessment Report should be written, documenting the steps taken during the assessment and mitigation process. Approval is needed for the level of residual risk left over in the organisation once the project is complete, and this is documented as part of the Statement of Applicability.

A focused risk assessment helps you identify your organisation’s biggest security vulnerabilities and any corresponding ISO 27001 controls that can mitigate those risks (see Annex A of the Standard).
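
As an added worked example (not code from the original post or CXO Security’s own methodology), the following Python applies the kind of 5x5 likelihood x impact matrix that Step 5 asks you to define to a small constructed risk register, computing inherent and residual risk for each asset, comparing residual risk against an assumed acceptable level as Step 6 requires, and collecting the Annex A control references that feed the Statement of Applicability. The scoring bands, the risk appetite value, the control reduction figures and the register entries are all illustrative assumptions.

```python
"""Added example for Steps 5 and 6: a 5x5 likelihood x impact risk matrix applied to a small
constructed risk register. Bands, appetite and control reductions are illustrative assumptions."""
from dataclasses import dataclass, field

RISK_APPETITE = 9  # acceptable level of risk (Step 5): residual scores above this need treatment
BANDS = [(15, "extreme"), (10, "high"), (5, "medium"), (1, "low")]  # constructed score floors

@dataclass
class Control:
    ref: str                 # Annex A (2013) reference; verify against your copy of the standard
    likelihood_cut: int = 0  # points of likelihood the control removes (1-5 scale)
    impact_cut: int = 0      # points of impact it removes

@dataclass
class Risk:
    asset: str
    asset_value: int     # 1-5, business value of the asset (Step 3 scoping input)
    threat: str
    likelihood: int      # 1-5, chance the threat is realised in a year
    impact: int          # 1-5, consequence if it is
    controls: list = field(default_factory=list)

def rating(score):
    """Map a matrix score (1-25) to its band so every assessment uses the same scale."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score {score} is outside the 5x5 matrix")

def residual(risk):
    """Score after the selected controls; never below 1, as a control reduces a threat, not removes it."""
    like = max(1, risk.likelihood - sum(c.likelihood_cut for c in risk.controls))
    imp = max(1, risk.impact - sum(c.impact_cut for c in risk.controls))
    return like * imp

def assess(risks, appetite=RISK_APPETITE):
    """Step 6 output: rows ranked by residual risk then asset value, marked accept / treat further."""
    rows = [{
        "asset": r.asset, "asset_value": r.asset_value, "threat": r.threat,
        "inherent": r.likelihood * r.impact, "residual": residual(r), "rating": rating(residual(r)),
        "treatment": "accept" if residual(r) <= appetite else "treat further",
        "controls": [c.ref for c in r.controls],
    } for r in risks]
    return sorted(rows, key=lambda x: (x["residual"], x["asset_value"]), reverse=True)

def soa_controls(risks):
    """Annex A references used across the register: input to the Step 7 Statement of Applicability."""
    return sorted({c.ref for r in risks for c in r.controls})

BACKUP = Control("A.12.3.1", impact_cut=1)           # Information backup
ANTIMALWARE = Control("A.12.2.1", likelihood_cut=1)  # Controls against malware
AWARENESS = Control("A.7.2.2", likelihood_cut=1)     # Awareness, education and training
SECURE_LOGON = Control("A.9.4.2", likelihood_cut=2)  # Secure log-on procedures
SAMPLE_RISKS = [  # constructed register: three assets with illustrative scores
    Risk("Customer database", 5, "Ransomware encrypts production data", 4, 5, [BACKUP, ANTIMALWARE]),
    Risk("Marketing website", 2, "Website defacement", 3, 2),
    Risk("Staff credentials", 4, "Phishing leads to account takeover", 4, 4, [AWARENESS, SECURE_LOGON]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS):
        print(row["asset"], row["inherent"], row["residual"], row["rating"], row["treatment"])
```

The ransomware risk stays above the assumed appetite even after backup and anti-malware controls, so it is the row that needs further treatment or explicit management sign-off, which is exactly the residual-risk decision Step 6 says must be documented.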

Step 7: Write Statement of Applicability

The purpose of the Statement of Applicability is to define which controls are applicable to your organisation. ISO 27001 has 114 controls in total, and you will need to explain the reasoning behind how each control is implemented, along with explanations as to why certain controls are not applicable. The Statement of Applicability can be used to obtain authorisation from management for implementation.

Step 8: Write Risk Treatment Plan

The Risk Treatment Plan defines how the controls from the Statement of Applicability are implemented. Implementing a risk treatment plan is the process of building the security controls that protect your organisation’s assets. To ensure controls are effective, you need to check staff can operate or interact with the controls and are aware of their security obligations.

You also need to define the process used to review and maintain the competencies to achieve the ISMS objectives. This involves conducting a requirements analysis and defining a level of competence across your workforce.

Step 9: Define Measures of Control Effectiveness

You need to measure the controls you have in place to ensure they have achieved their purpose and enable you to review them regularly. We recommend doing this at least annually, to keep a close eye on the evolving risk landscape.

The review process involves identifying criteria that reflect the objectives you laid out in the project mandate. A common method is quantitative analysis, in which you assign a value to what you are measuring. This is helpful when focusing on risks relating to financial costs or resource time. Alternatively, you can use qualitative analysis, in which measurements are based on judgement. Qualitative analysis is used when someone with experience can categorise the assessment as ‘high’, ‘medium’ or ‘low’.

In addition to this process, you need to start running regular internal audits of your ISMS. The audit should be undertaken one department or business unit at a time; this helps prevent significant losses in productivity and ensures your team’s efforts are not spread too thinly across the business. Complete each audit quickly, since it is important that you analyse the results and fix any issues. The results of your internal audit form the inputs for a management review, feeding into the continual improvement process.

Step 10: Implement Controls & Procedures

This is where you implement the documents and records required by clauses 4 to 10 of the standard, and the applicable controls from Annex A. This is usually one of the riskiest activities in the implementation project because it requires that you enforce new behaviours. New controls, policies and procedures are needed, and oftentimes people can resist these changes. Therefore, the following step is vital to avoid this risk turning into an issue.

Step 11: Implement Training & Awareness Programmes

Now that you have new policies and procedures, it is time to make your staff aware of them. Organise training sessions, webinars, etc. Provide a full explanation of why these changes are necessary; this will help staff adopt the new ways of working.

To comply with ISO 27001, your security awareness training programme should consider:

  • Roles and responsibilities for running the programme

  • Security awareness poster campaigns

  • Computer-based security awareness training

  • Simulated phishing exercises

  • Cyber security alerts and advisories

The absence of these activities in an ISMS is one of the most common reasons for project failure.

Step 12: Operate the ISMS

Records management should become a crucial part of your everyday routine. ISO 27001 certification auditors love records – without records, it is extremely hard to prove that activities have occurred. Keep clear, concise records to help you monitor what is happening, and ensure your employees and suppliers are performing their tasks as expected.

Automatically created records:

  • Logs created within your information systems

  • Reports created from the information systems

Manually created records:

  • Reports where additional input was needed

  • Training records

  • Records from drills, testing, and exercising

  • Meeting minutes

  • Corrective actions

  • Asset inventories

  • Checklists

  • To-do lists

  • Change history within documents

  • Post-incident review results

  • Visitor’s logbook

ISO 27001 requires the following for the control of your ISMS records:

  • Distribution, access, retrieval, and use – you need to define who has access to each type of record and for what purpose.

  • Storage and preservation – define where the records are archived and how they are protected from unauthorised access.

  • Control of changes – assign a new version number for each update.

  • Retention and disposition – how long records are kept and how they are destroyed.

There are two ways to document these rules:

  1. Write a centralised policy or a procedure that would define the rules for controlling all your records.
  2. Define the rules in different policies and procedures separately for each type of record.

Step 13: Monitor the ISMS

How are your ISMS processes performing? How many incidents do you have and of what type? Are all procedures being carried out properly? Monitoring your ISMS is how you ensure the objectives for controls and measurement methodologies come together – you must check whether the results you obtain are achieving what you have set out in your objectives. If something is wrong, you need to take corrective and/or improvement action.

Performance monitoring and measurement are also important in the maintenance and monitoring stage. Without an assessment of your ISMS performance, you cannot determine if your processes and procedures are efficient and delivering reasonable levels of risk reduction.

Clause 9.1 of ISO 27001 establishes several things that must be identified to ensure proper monitoring and measurement:

  1. Monitoring: Identifying all business results and processes that can be affected by variations in information security performance, including the information security controls and processes themselves, and mandatory requirements such as laws, regulations, and contractual obligations.
  2. Method: You can choose any method. What is critical is that it must be verifiable.
  3. Frequency: Different needs require different monitoring or measurement intervals. For example, an application can have monitoring or measurement points at data input, during data processing, or at data output. Applications restricted to internal use may be monitored or measured periodically, whereas Internet-facing applications may need a different interval.
  4. Value: To add business value, the monitoring and measurement results must be taken into account in decisions and actions at the appropriate time. Considering them too early or too late may result in wasted effort and resources, or lost opportunities.
  5. Responsibility: Who analyses and evaluates the data is as important as when it is done. In most cases, the analysis will be done at the operational level while management performs the evaluation.

To fulfil clause 7.5, charts, checklists, and analysis reports should be reviewed by management and proper documentation preserved.

Step 14: Conduct an Internal Audit

People are often unaware they are carrying out an activity incorrectly, especially when something has changed for the purposes of information security. This lack of awareness can hurt your organisation, so regular internal audits can bring these issues to light and help you educate the workforce in how things need to change. The point here is not to initiate disciplinary action, but to take corrective and/or preventive actions.

Options for auditing:

  • Frequency: A small company should undertake one audit per year across the entire business. Larger organisations should audit each department once per year, rotating auditors between departments, potentially auditing one department each month.
  • Guidelines: If you implemented ISO 9001 (for quality management), you can reuse the internal audit procedure you established for that. Your auditors can perform internal audits for both ISO 9001 and ISO 27001 at the same time; if the person has knowledge of both standards and of IT, they will be capable of doing an integrated internal audit.
  • Procedure: A written procedure that defines how the internal audit should be performed is not mandatory but is highly recommended. Normally, employees are not familiar with internal audits, so it is a good thing to have some basic rules written down and an audit checklist.

Step 15: Management Review

The reason for the management review is for executives to make the vital decisions that affect the ISMS; your ISMS may need a budget increase, for example, or to move location. The management review is a meeting of top executives to discuss issues, ensure business continuity and agree whether objectives have been met.

Frequency: The management review should be annual as a minimum unless there are major changes.

Meeting Minutes: The most common way to document the management review is meeting minutes. For large organisations, more formal proceedings can take place with detailed documented decisions.

Results: Communicating the results can be done via email or a follow-up meeting.

Material: Most commonly, the Chief Information Security Officer or Business Continuity Coordinator will collate the input information for management consideration, but large organisations may use department heads.

At the review, executives make the following decisions:

  • Determine if the ISMS has fulfilled its objectives
  • Agree which improvements will be implemented (funded)
  • Agree on the changes to the scope if needed
  • Agree on investing in more resources to support the security programme
  • Ensure policies and procedures are up to date

It is also a good opportunity to educate the executives on the basics of information security and compliance.

Step 16: Corrective and Improvement Tasks

The purpose of the management system is to ensure that all “non-conformities” are corrected or improved. ISO 27001 requires that corrective and improvement actions be done systematically, which means that the root cause of a non-conformity must be identified, resolved, and verified.

If you found this ISO 27001 checklist useful and would like to discuss how you can get certification for your own business, get in touch by Contacting Us today for ISO 27001 assistance and certification.
