The ISO 27001 standard is an internationally accepted framework for effective information security management, setting out the policies, procedures and risk controls needed to protect your organisation. Any organisation, whatever its size or sector, can implement ISO 27001, but with implementation taking between 6 and 18 months depending on the size of your business, is it really worth the effort?
In short, yes.
As an internationally recognised certification, ISO 27001 allows your brand to build credibility while gaining the sort of global recognition that can transform your business.
The popularity of ISO 27001 is largely thanks to its sheer comprehensiveness as an information security management system (ISMS) standard: covering physical security along with processes and technology, ISO 27001 can achieve credible security improvements while allowing you to meet legal and regulatory obligations. It also acts as a sure sign that your company works to the highest possible security standards, which does wonders for your reputation.
Eleven Steps to ISO 27001 Implementation
1. Approach ISO 27001 as a project
Implementing an ISO 27001 Information Security Management System (ISMS) requires a great deal of input, from a great many people, so you really need to treat it as a project in its own right. That involves obtaining management support, clearly defining what needs to be done, specifying who will be responsible for what, and outlining when everything needs to be done.
Securing management buy-in is particularly important as, without that, you’re unlikely to receive the level of resource you need to ensure effective implementation.
2. Create an implementation team
You’ll need an experienced project leader at the helm to oversee implementation. Broad knowledge of information security is essential here, along with the gravitas to head up a team of managers. Once you have your team, you’ll need a project mandate covering what you want to achieve, how long it should take, and what it should cost.
3. Detail the implementation plan
Ready to get started? Great. But first up, you need a plan.
The project mandate that your implementation team created should be used to develop a more detailed scope for implementation – covering security objectives and risks, along with policies around roles and responsibilities, methodology for making continuous improvements, and plans for raising awareness of the project through all available comms channels.
4. Choose a risk assessment methodology
You’ll need to decide on a methodology for continual improvement. You can follow any model with clearly defined processes – implemented correctly, reviewed regularly, and improved continuously. It’s also important to create an ISMS policy that outlines what your team is setting out to achieve, and how.
Once finished, this policy should gain board approval.
5. Define the scope
In clauses 4 and 5 of the ISO 27001 standard, you’ll find the process for defining the scope of the ISMS. Getting this right is a crucial step in the implementation project, as the ISMS can’t meet the needs of your business without a clearly defined scope. If the scope is too narrow, information may be left exposed; if it is too broad, the ISMS becomes difficult to manage.
Bear in mind that your scope needs to be defined to suit the needs of your customers. A scope that omits key services will not meet customer requirements, where customer requirement is a driving factor for implementation.
6. Define your information assets
ISO 27001 is all about managing the risks associated with your information assets. To do this, you need to understand which information assets fall within your scope.
An information asset is not just a capital asset found in financial registers and the IT asset register; it includes anything that protects, holds, obtains, requires, uses or stores information, as well as the information itself. This can include facilities and environmental systems, people, software and applications, critical suppliers and cloud infrastructure. Information itself includes both digital and hard-copy information.
All assets then need to be allocated to an asset owner, who will be ultimately responsible for the security of that asset.
7. Perform a risk assessment
Using your chosen risk methodology, you now need to establish which risks affect the information assets you have identified. These risks must be evaluated in terms of the risk to the confidentiality, integrity and availability of data.
Before you can carry out ISO 27001 implementation, you’ll need a comprehensive understanding of the risks, both internal and external, to your company’s data – allowing you to reduce those risks deemed unacceptable. For this, you’ll need to document a Risk Register or Report that has clearly determined the level of risk to your information assets.
8. Write a risk treatment plan
A Risk Treatment Plan must consider the ISO 27001 control objectives listed in Annex A of the standard. The implementation of the Risk Treatment Plan and the associated Annex A controls will form the bulk of your implementation project.
It is, however, essential that all relevant employees are able to use these controls effectively, and you must make sure they have a clear understanding of their security obligations.
9. Document a Statement of Applicability (SoA)
Identification of the applicable ISO 27001 Control Objectives is documented in a Statement of Applicability. This document must demonstrate that you have established legitimate grounds for the inclusion of your selected controls and that you have a valid reason why any ISO 27001 Control Objectives have been excluded.
10. Continually evaluate
As part of the evaluation process, you’ll need to regularly review your ISMS to make sure it’s working effectively. ISO 27001 mandates a number of performance and improvement mechanisms that you must have in place to achieve certification. These include monitoring and measurement of your Information Security Management System, an internal audit program, Management Reviews, a framework for managing security objectives and a process for managing non-conformances and corrective actions.
11. Achieve ISO 27001 certification
When you’ve successfully implemented your ISMS, you can apply for an ISO 27001 certification; for this, you’ll be subject to an internal audit. As the process is a lengthy one, and you’ll be charged even if you fail, you should be confident that your company will certify before proceeding.
When choosing a certification body, you must make sure it is accredited by a national accreditation body that is a member of the International Accreditation Body (for example, UKAS in the UK).
Ensuring that your certification body is properly accredited will ensure that your certification carries the level of credibility demanded by your customers. Certification by unaccredited certification bodies, while cheaper, often results in a poorer level of audit and the award of a certificate that provides little, if any, assurance of your ISO 27001 compliance to you or your customers.
Supporting you through ISO 27001 and beyond
Even with all the advice in the world, implementing ISO 27001 can be a real challenge. That’s why it pays to have a knowledgeable partner.
Through PRISM, our own bespoke software platform, you can manage Cyber Essentials, Information Security ISO 27001 and Data Protection ISO 27701 compliance all in one place. It’s intuitive, self-guided, and helps to provide organisations like yours with a pathway through compliance.