Anyone needing guidance should take a look at our nine-step guide to implementing ISO 27001.
1. Assemble an ISO 27001 implementation team
Your first task is to appoint a project leader to oversee the implementation of the ISMS. They should have a well-rounded knowledge of information security (which includes, but isn’t limited to, IT) and have the authority to lead a team and give orders to managers, whose departments they will need to review.
The team leader will require a group of people to help them. Senior management can select the team themselves or allow the team leader to choose their own staff.
Once the team is assembled, they should create a project mandate. This is essentially a set of answers to the following questions:
- What are we hoping to achieve?
- How long will it take?
- How much will it cost?
- Does the project have management support?
2. Develop the ISO 27001 implementation plan
Now it’s time to start planning for implementation. The team will use their project mandate to create a more detailed outline of their information security objectives, plan and risk register.
This includes setting out high-level policies for the ISMS that establish:
- Roles and responsibilities;
- Rules for its continual improvement; and
- How to raise awareness of the project through internal and external communication.
3. ISMS initiation
With the plan in place, it’s time to determine which continual improvement methodology to use. ISO 27001 doesn’t specify a particular method, instead recommending a “process approach”.
This is essentially a Plan-Do-Check-Act strategy, in which you can use any model as long as the requirements and processes are clearly defined, implemented correctly, and reviewed and improved on a regular basis.
You also need to create an ISMS policy. This doesn’t need to be detailed; it simply needs to outline what your implementation team wants to achieve and how they plan to do it. Once it’s completed, it should be approved by the board.
At this point, you can develop the rest of your document structure. We recommend using a four-tier strategy:
4. Management framework
The next step is to gain a broader sense of the ISMS’s framework. The process for doing this is outlined in clauses 4 and 5 of the ISO 27001 standard.
This step is crucial in defining the scale of your ISMS and the level of reach it will have in your day-to-day operations. As such, it’s obviously important that you recognize everything that’s relevant to your organization so that the ISMS can meet your organization’s needs.
The most important part of this process is defining the scope of your ISMS. This involves identifying the locations where information is stored, whether that’s physical or digital files, systems or portable devices.
Defining your scope correctly is an essential part of your ISMS implementation project. If your scope is too small, then you leave information exposed, jeopardizing the security of your organization, but if it’s too large, your ISMS will become too complex to manage.
5. Baseline security controls
An organization’s security baseline is the minimum level of activity required to conduct business securely.
You can identify your security baseline with the information gathered in your ISO 27001 risk assessment, which helps you identify your organization’s biggest security vulnerabilities and the corresponding controls to mitigate the risk (outlined in Annex A of the Standard).
6. Risk management
Risk management is at the heart of an ISMS. Almost every aspect of your security system is based around the threats you’ve identified and prioritized, making risk management a core competency for any organization implementing ISO 27001.
The Standard allows organizations to define their own risk management processes. Common methods focus on looking at risks to specific assets or risks presented in specific scenarios.
Whatever process you opt for, your decisions must be the result of a risk assessment. This is a five-step process:
- Establish a risk assessment framework
- Identify risks
- Analyze risks
- Evaluate risks
- Select risk management options
You then need to establish your risk acceptance criteria, i.e. how much damage a threat could cause, how likely it is to occur, and the level of risk you are prepared to accept without further action.
Managers often quantify risks by scoring them on a risk matrix; the higher the score, the bigger the threat. They’ll then select a threshold for the point at which risk must be addressed.
There are four approaches you can take when addressing a risk:
- Tolerate the risk
- Treat the risk by applying controls
- Terminate the risk by avoiding it entirely
- Transfer the risk (with an insurance policy or via an agreement with other parties).
Lastly, ISO 27001 requires organizations to complete an SoA (Statement of Applicability) documenting which of the Standard’s controls you’ve selected and omitted and why you made those choices.
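The scoring, threshold and treatment-selection process above, carried through to the Statement of Applicability it feeds, as an added example that is not code from the original guide. Everything in it is a constructed assumption: the 5×5 likelihood and impact scales, the acceptance threshold of 8, the band edges that turn a quantitative score into a qualitative ‘high’/‘medium’/‘low’ label, the CTRL-xx control identifiers (placeholders, not Annex A references) and the sample register entries.

```python
"""Risk register scoring, acceptance threshold and Statement of Applicability.

Added example, not from the original guide. The 5x5 scales, the threshold of 8,
the band edges, the CTRL-xx identifiers and the sample risks are constructed
assumptions used to illustrate the process described in the text.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Treatment(str, Enum):
    """The four risk-treatment options named in the guide."""
    TOLERATE = "tolerate"
    TREAT = "treat"
    TERMINATE = "terminate"
    TRANSFER = "transfer"


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                       # 1 (rare) .. 5 (almost certain); constructed scale
    impact: int                           # 1 (negligible) .. 5 (severe); constructed scale
    treatment: Optional[Treatment] = None
    controls: list = field(default_factory=list)   # control ids applied when treatment is TREAT

    def __post_init__(self):
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        """Quantitative score: the cell of a likelihood x impact risk matrix."""
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Qualitative label for a score; the band edges are an assumption."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


ACCEPTANCE_THRESHOLD = 8   # scores below this are accepted (tolerated); constructed value


def apply_acceptance_criteria(risks, threshold=ACCEPTANCE_THRESHOLD):
    """Tolerate every risk under the threshold. Every risk at or above it must
    already carry an explicit treat/terminate/transfer decision, otherwise raise,
    so an unaddressed risk can never slip through the register silently."""
    untreated = []
    for r in risks:
        if r.score < threshold:
            r.treatment = r.treatment or Treatment.TOLERATE
        elif r.treatment is None or r.treatment == Treatment.TOLERATE:
            untreated.append(r)
    if untreated:
        names = ", ".join(f"{r.asset}/{r.threat} (score {r.score})" for r in untreated)
        raise ValueError(f"risks above the acceptance threshold lack a treatment decision: {names}")
    return risks


def statement_of_applicability(risks, control_catalogue):
    """Map every catalogue control to (applicable, justification).
    A control is applicable when at least one treated risk relies on it."""
    reasons = {}
    for r in risks:
        if r.treatment == Treatment.TREAT:
            for cid in r.controls:
                if cid not in control_catalogue:
                    raise KeyError(f"{cid} is not in the control catalogue")
                reasons.setdefault(cid, []).append(f"{r.asset}: {r.threat}")
    soa = {}
    for cid in control_catalogue:
        if cid in reasons:
            soa[cid] = (True, "selected to treat: " + "; ".join(reasons[cid]))
        else:
            soa[cid] = (False, "no risk in the register requires this control")
    return soa


# Constructed control catalogue: placeholder ids, not actual Annex A references.
CONTROL_CATALOGUE = {
    "CTRL-01": "Malware protection",
    "CTRL-02": "Information backup",
    "CTRL-03": "Removable media policy",
}

# Constructed register entries.
SAMPLE_RISKS = [
    Risk("customer database", "ransomware", likelihood=3, impact=5,
         treatment=Treatment.TREAT, controls=["CTRL-01", "CTRL-02"]),
    Risk("legacy FTP server", "credential theft", likelihood=4, impact=4,
         treatment=Treatment.TERMINATE),            # decommission the service
    Risk("field laptops", "theft in transit", likelihood=3, impact=3,
         treatment=Treatment.TRANSFER),             # covered by insurance
    Risk("visitor Wi-Fi", "casual eavesdropping", likelihood=2, impact=2),  # below threshold
]


def build_register(risks=None, catalogue=None):
    """Score the register, apply the acceptance criteria and produce the SoA."""
    risks = list(risks if risks is not None else SAMPLE_RISKS)
    catalogue = catalogue or CONTROL_CATALOGUE
    apply_acceptance_criteria(risks)
    rows = [(r.asset, r.score, band(r.score), r.treatment.value) for r in risks]
    return rows, statement_of_applicability(risks, catalogue)


if __name__ == "__main__":
    rows, soa = build_register()
    for asset, score, level, treatment in rows:
        print(f"{asset:<20} score={score:>2} {level:<6} -> {treatment}")
    for cid, (applicable, why) in soa.items():
        print(f"{cid}: {'applicable' if applicable else 'excluded'} ({why})")
```

The point of `apply_acceptance_criteria` raising rather than defaulting is that the threshold is the line past which a risk *must* be addressed; a register that quietly tolerates a score of 16 is exactly the failure an auditor looks for. The SoA output records both the selected controls and the reason each omitted control is omitted, which is the justification the Standard asks for.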
7. Implementation
We call this the ‘implementation’ phase, but we’re referring specifically to the implementation of the risk treatment plan, which is the process of building the security controls that will protect your organization’s information assets.
To ensure these controls are effective, you’ll need to check that staff is able to operate or interact with the controls and that they are aware of their information security obligations.
You’ll also need to develop a process to determine, review and maintain the competencies necessary to achieve your ISMS objectives. This involves conducting a needs analysis and defining a desired level of competence.
8. Measure, monitor and review
You won’t be able to tell if your ISMS is working or not unless you review it. We recommend doing this at least annually so that you can keep a close eye on the evolving risk landscape.
The review process involves identifying criteria that reflect the objectives you laid out in the project mandate. A common metric is a quantitative analysis, in which you assign a number to whatever you are measuring. This is helpful when using things that involve financial costs or time.
The alternative is a qualitative analysis, in which measurements are based on judgment. You would use qualitative analysis when the assessment is best suited to categorization, such as ‘high’, ‘medium’ and ‘low’.
In addition to this process, you should conduct regular internal audits of your ISMS. The Standard doesn’t specify how you should carry out an internal audit, meaning it’s possible to conduct the assessment for one department at a time. This helps prevent significant losses in productivity and ensures your team’s efforts aren’t spread too thinly across various tasks.
However, you should obviously aim to complete the process as quickly as possible, because you need to get the results, review them and plan for the following year’s audit.
The results of your internal audit form the inputs for the management review, which will be fed into the continual improvement process.
9. Certification
Once the ISMS is in place, you may choose to seek certification, in which case you need to prepare for an external audit.
Certification audits are conducted in two stages. The initial audit determines whether the organization’s ISMS has been developed in line with ISO 27001’s requirements. If the auditor is satisfied, they’ll conduct a more thorough investigation.
You should be confident in your ability to certify before proceeding because the process is time-consuming and you’ll still be charged if you fail immediately.
Another thing you should bear in mind is which certification body to go for. There are plenty to choose from, but you absolutely must make sure they are accredited by a national certification body, which should be a member of the IAF (International Accreditation Body).
This ensures that the review is actually in accordance with ISO 27001, as opposed to uncertified bodies, which often promise to provide certification regardless of the organization’s compliance posture.
The cost of the certification audit will probably be a primary factor when deciding which body to go for, but it shouldn’t be your only concern. You should also consider whether the reviewer has experience in your industry. After all, an ISMS is always unique to the organization that creates it, and whoever is conducting the audit must be aware of your requirements.