ISO 27001 : A 10 Step Implementation Guide


ISO 27001 is the most comprehensive international standard for implementing an Information Security Management System (ISMS) in any organisation.

It helps your organisation to systematically maintain the confidentiality, integrity and availability (CIA) of its information.

The key benefits are:

1. Complying with an excellent framework to protect information assets from malicious actors.

2. Increasing the confidence of customers, partners, suppliers, investors and other stakeholders, and improving reputation.

3. Gaining an edge over competitors.

The process of implementing an ISO 27001 ISMS is a challenging task.

However, it is a worthwhile effort in the long run to protect your information assets.

This 10-step guide will help you complete the ISO 27001 journey successfully.

Step 1: Establish a Project Team.

Jump-start ISO 27001 by appointing a project leader with sound knowledge of your organisation, its business operations and information security.

Give the project leader adequate authority to oversee the implementation of the ISMS project successfully.

The project leader should be assigned a team of experts with relevant technical, business, communication and legal expertise.

Step 2: Create a Project Mandate.

The project team should create a project mandate identifying the ISO 27001 ISMS project objectives, estimated time, resources required and estimated cost, in order to obtain management approval.

Step 3: Develop a Detailed Project Plan.

Develop an ISMS implementation plan including the organisation's information security objectives, security policies, implementation plan and a risk register.

A Risk Register is a tool used to record and manage your risks and controls for treatments. 

The ISO 27001 standard has 14 domains; 6 of them are the most critical:

1 – Company security policy

2 – Asset management

3 – Physical and environmental security

4 – Access control

5 – Incident management

6 – Regulatory compliance

The policies for the ISMS should outline:

* Roles and responsibilities of risk owners and custodians.

* Rules for continual improvement of the ISMS.

* A communication strategy for awareness and training.

Step 4: Initiate the ISMS. 

Create the ISO 27001 process based on the Plan-Do-Check-Act (PDCA) cycle.

The PDCA plan must give a clear view of what you want to achieve and how you plan to do it, in order to obtain your board's approval.

The final document will follow a four-tier structure, including:

1. Policies on acceptable use, password management, asset management, etc.

2. Procedures to establish the policies.

3. How employees should meet the policies.

4. Methods of recording and tracking procedures.

Step 5: Define the ISMS Scope. 

Define your project scope based on your organisation's requirements and capacity.

This may be done even earlier; however, it is advisable to implement the plan section by section, based on priorities.

Refer to clauses 4 and 5 of the ISO 27001 standard to determine your scope. It includes the identification of information assets such as information stores, files, systems and devices.

Step 5: Identify Your Security Baseline. 

This is the minimum level of security required to conduct your business securely. 

You need to conduct a risk assessment to identify your organisation's most significant security vulnerabilities and the relevant ISO 27001 controls, given in Annex A, to mitigate the risk.

This may involve interviews, business process walkthroughs involving risk owners, observations, penetration testing and regulation reviews.

Step 6: Establish a Risk Management Process.

Evaluate and prioritise the risks you have identified, and implement the control processes. These will be either common methods or specific methods focused on particular assets or on risks in given scenarios.

The risk assessment is a five-step process:

1. Establish risk assessment framework

2. Identify risks

3. Analyse risks

4. Evaluate risks

5. Select risk treatment options.

Prioritise the risks based on the risk score. The risk score is calculated by adding or multiplying the risk impact and the likelihood of occurrence.

The four risk treatment options are:

1. Tolerate the risk, if the cost of mitigation is higher.

2. Mitigate the risk by applying relevant controls.

3. Terminate the risk by avoiding it entirely.

4. Transfer the risk, through insurance etc.

Please note that some risks create business opportunities. Be mindful of residual risks after the risks are treated.

Finally, create the Statement of Applicability (SoA), which states the risks and the controls selected or omitted, with an explanation of why you made those choices.
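As an added illustration of Step 6 (not part of the original post), the following Python sketch of a risk register scores each risk by multiplying or adding impact and likelihood, prioritises by score, records one of the four treatment options together with the residual score, and derives Statement of Applicability entries from the controls selected. The assets, ratings and control ids are constructed placeholders, not real Annex A controls.

```python
from dataclasses import dataclass, field
# Ordinal scales for the two factors the risk score combines, and the four treatment options.
IMPACT = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
TREATMENTS = {"tolerate", "mitigate", "terminate", "transfer"}

@dataclass
class Risk:
    asset: str
    threat: str
    impact: str
    likelihood: str
    treatment: str
    controls: list = field(default_factory=list)  # controls chosen to treat it (placeholder ids)
    residual_impact: str = ""                     # ratings after treatment, if re-assessed
    residual_likelihood: str = ""

def risk_score(impact: str, likelihood: str, method: str = "multiply") -> int:
    """Combine impact and likelihood by multiplication (default) or addition."""
    imp, lik = IMPACT[impact], LIKELIHOOD[likelihood]
    return imp * lik if method == "multiply" else imp + lik

def residual_score(risk: Risk, method: str = "multiply") -> int:
    """Score left after treatment: a terminated risk drops to 0, unchanged ratings carry over."""
    if risk.treatment == "terminate":
        return 0
    return risk_score(risk.residual_impact or risk.impact, risk.residual_likelihood or risk.likelihood, method)

def prioritise(register: list, method: str = "multiply") -> list:
    """Reject unknown treatment choices, then order the register with the highest inherent score first."""
    bad = [r.asset for r in register if r.treatment not in TREATMENTS]
    if bad: raise ValueError(f"unknown treatment option for: {bad}")
    return sorted(register, key=lambda r: risk_score(r.impact, r.likelihood, method), reverse=True)

def statement_of_applicability(register: list, control_set: set) -> dict:
    """Mark each control selected (justified by the risks it treats) or omitted."""
    selected = {}
    for r in register:
        for c in r.controls:
            selected.setdefault(c, []).append(f"{r.asset}: {r.threat}")
    return {c: ("selected", "; ".join(selected[c])) if c in selected
            else ("omitted", "no identified risk requires it") for c in sorted(control_set)}

# Constructed sample register; assets, ratings and control ids are illustrative, not Annex A.
CONTROLS = {"C-ACCESS", "C-BACKUP", "C-PHYS"}
REGISTER = [
    Risk("customer DB", "credential theft", "high", "likely", "mitigate", ["C-ACCESS"], "high", "rare"),
    Risk("file server", "ransomware", "high", "possible", "mitigate", ["C-BACKUP", "C-ACCESS"], "low", "possible"),
    Risk("legacy FTP", "data leak", "medium", "possible", "terminate"),
]
```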

Step 7: Implement a Risk Treatment Plan.

Build the security controls to help protect your organisation's information assets. Ensure that your employees are trained to follow and interact with the controls.

Establish internal and external communication processes, awareness building and training programmes to make sure the controls are actually understood, implemented and effective.

Step 8: Maintain the Controls to Achieve Your ISMS Objectives.

There must be a method of record keeping to ensure that controls are being continuously applied in operations.

Step 9: Measure, monitor and review. 

It is crucial to ensure that your ISMS is working, through periodic reviews based on the security landscape in which your business operates.

The ISMS review process may involve regular internal audits. The objective of the audit is to evaluate the effectiveness of your controls against the organisation's security objectives laid out in the project mandate.

You can use either a quantitative approach, by assigning a score to the measurement, or a qualitative approach, where measurements are based on judgement, such as 'high', 'medium' and 'low'.

A qualitative approach is helpful when evaluating assets involving financial costs or time.

Step 9: Continual ISMS Improvement.

The results of the audit, together with the management review, can be used for the continual improvement of ISMS processes.

Step 10: Obtaining ISO 27001 Certification.

Once your ISMS is in place, you can undergo an external audit to obtain ISO 27001 certification.

Certification audits are conducted in two stages.

The initial audit will determine whether the organisation's ISMS has been developed according to the requirements of ISO 27001.

If the external auditor is satisfied with the initial audit, a more thorough investigation is conducted for certification.

The external auditor you choose should be accredited by a national certification body, which should be a member of the IAF (International Accreditation Body).

Niranjan Meegammana
