ISO 27001 ISMS in a Nutshell



ISO 27001 is the most comprehensive information security standard recognised globally. Certification standardises your organisation's information security practices so that the confidentiality, integrity and availability of your systems and data are assured and you can conduct your business effectively.

Gaining the certification is a journey with several milestones. It is a carefully planned, systematic activity that transforms an organisation into a secure entity where everyone becomes a stakeholder in information security. Follow these steps to reach your goal successfully.


Step 1. Obtain Management Support.

This is the most critical requirement for achieving ISO 27001 status. Your ISMS project will definitely fail if it does not receive management support. Management should provide the people, money and strategic direction needed for your ISMS to be a success story.

In the sections below you’ll find some tips on how to convince your management, and how much the implementation costs.

Step 2. Clearly Define ISMS Project Goals. 

Define what exactly you need to do and set a realistic timeframe based on your organization size.


Step 3. Define ISMS Scope.

Do you want the whole of your organisation, or only part of it, to be in scope? If your organisation is very large, it is a good idea to start with a highly critical business function. This gives you experience, the best use of resources and a smaller, more manageable project. Defining your scope requires careful analysis of external and internal issues, interfaces and stakeholders.

Step 4. Write  Information Security Policy.

This is the highest-level policy document that will define your ISMS. It should set out the fundamental requirements for information security in your organisation. It will outline how your organisation will protect critical assets, comply with regulations, protect data, and govern employees and suppliers in general terms. These policies provide the strategic direction for your ISMS.

Step 5.  Define Your Risk Assessment Methodology.

You may approach risk assessment qualitatively, quantitatively or with a hybrid of the two. The choice depends on the information assets and your resources. Whichever method you choose, define the rules for identifying risks, impacts and likelihood, including the acceptable level of risk.

Step 6A. Perform the Risk Assessment.

Conduct your risk assessment based on your methodology. Some assets may require more detailed analysis than others, and some assessments may be complex enough to require a hybrid approach. Clearly identify the internal and external threats to your systems and data. Your risk assessment may also identify new opportunities that can create benefits for your organisation.

Step 6B.  Select Risk Treatment Options.

Select your risk treatment strategy depending on your risk assessment. Carefully consider the options of risk mitigation, risk transfer, risk avoidance and risk acceptance. Ignoring a risk should never be an option.

Create your Risk Assessment Report after this step. You also need to document residual risks and obtain approval.
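The following is an added example, not part of the original post, showing how the rules from Step 5 and the treatment decision from Step 6B can be written down so they are applied the same way to every asset. The 1-5 likelihood and impact scales, the acceptable-risk threshold of 6, the decision rule in `choose_treatment`, and the four sample assets are all constructed for illustration; real organisations define their own.

```python
from dataclasses import dataclass

# Constructed ordinal scales and threshold: an assumption, not anything the post fixes.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTABLE_RISK = 6  # highest likelihood x impact score the organisation accepts (assumed)


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    treatment: str = "undecided"
    control: str = ""
    residual_likelihood: str = ""
    residual_impact: str = ""

    def score(self) -> int:
        """Inherent risk: likelihood x impact on the ordinal scales above."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Risk remaining after the chosen treatment; equals score() if untreated."""
        lk = LIKELIHOOD[self.residual_likelihood or self.likelihood]
        im = IMPACT[self.residual_impact or self.impact]
        return lk * im


def choose_treatment(risk: Risk, threshold: int = ACCEPTABLE_RISK) -> str:
    """Hypothetical decision rule mapping a scored risk to one of the four
    treatment options the post names. Ignoring a risk is never an output."""
    lk, im = LIKELIHOOD[risk.likelihood], IMPACT[risk.impact]
    if lk * im <= threshold:
        return "accept"        # within the acceptable level: document and monitor
    if lk >= 4 and im >= 4:
        return "avoid"         # stop or redesign the activity that creates the risk
    if im >= 4 and lk <= 2:
        return "transfer"      # rare but severe: insurance or contractual transfer
    return "mitigate"          # otherwise: implement controls to reduce likelihood


def treat(risk, control="", residual_likelihood="", residual_impact=""):
    """Record the selected option, the control, and the expected residual risk."""
    risk.treatment = choose_treatment(risk)
    risk.control = control
    risk.residual_likelihood = residual_likelihood
    risk.residual_impact = residual_impact
    return risk


def build_register() -> list:
    """Constructed sample register: four assets with one threat each."""
    return [
        treat(Risk("customer database", "ransomware", "possible", "severe"),
              control="offline, tested backups", residual_likelihood="unlikely"),
        treat(Risk("marketing website", "defacement", "possible", "minor")),
        treat(Risk("payment processing", "breach of cardholder data", "unlikely", "severe"),
              control="cyber insurance policy", residual_impact="major"),
        treat(Risk("legacy FTP server", "credential interception", "likely", "major"),
              control="decommission service", residual_likelihood="rare"),
    ]


def residual_risks_for_approval(register, threshold=ACCEPTABLE_RISK):
    """Residual risks still above the acceptable level must be documented and
    formally approved, as the post requires after Step 6B."""
    return [r.asset for r in register if r.residual_score() > threshold]


def report(register):
    """Rows for the Risk Assessment Report."""
    return [(r.asset, r.threat, r.score(), r.treatment, r.control, r.residual_score())
            for r in register]


if __name__ == "__main__":
    reg = build_register()
    for row in report(reg):
        print(row)
    print("residual risks needing approval:", residual_risks_for_approval(reg))
```

The point of writing the rule down is that two risk owners scoring different assets reach the same treatment for the same score, and that residual risks above the threshold are surfaced automatically for the approval the post calls for, instead of being lost in a spreadsheet.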

Step 7. Develop  Your Statement of Applicability.

This is where assets and risks meet the ISO 27001 Annex A security controls. ISO 27001 Annex A provides 114 controls in 14 domains. The Statement of Applicability (SoA) lists all 114 controls and defines which are applicable and which are not, the reasons for each decision, and a description of how the applicable controls are implemented in the organisation.

The Statement of Applicability is also the central document for obtaining management authorisation to implement the ISMS. It is the document internal and external auditors will refer to when evaluating your ISMS.

Step 8. Develop Your Risk Treatment Plan.

The Risk Treatment Plan defines exactly how the controls from the SoA are to be implemented, who is responsible, by when, and at what cost. This is your action plan for taking the physical, administrative and technical controls of your ISMS from theory into practice. It is therefore highly critical to the success of your ISMS.


Step 9. Define Your ISMS Evaluation Criteria

ISO 27001 requires you to measure the effectiveness of your ISMS. Define how you will monitor, measure, analyse and evaluate each control for its effectiveness, who will do it, and when it will be done. For this purpose you need to define relevant metrics and indicators based on your information security objectives and controls. With this, your theoretical work is complete.

Step 10. Implement the Security Controls.

Unlike the previous steps, this step puts your theoretical work into practice.

There are 14 domains of security controls in ISO 27001 Annex A. They are physical, administrative and technical in nature. The SoA and the Risk Treatment Plan (RTP) have already determined how you will implement the security controls.

You will find that implementing the ISMS is a really hard task. It requires enforcing new behaviours in your organisation, which means changing work practices. It requires you to implement new policies and procedures that may face resistance from employees.

You may need to modify your network or infrastructure, buy new software, hire new people, change job roles, implement new access controls and make other changes. Top management has a big role to play in giving you the authority to implement the ISMS.

Step 11. Conduct Awareness and Training.

The ISMS will require changed work practices and new behaviours in your organisation. Do not expect your staff to adapt to the new ISMS merely by reading compliance documents. You need to ensure that each employee understands his or her role in organisational security, based on the information security competency requirements defined for each job role.

You need to raise the necessary awareness and conduct training. The success of your ISMS depends on how positively your staff embrace it. They need to understand their responsibilities and the consequences of negligence.

Step 12. Operate Your ISMS.

Your ISMS should become an everyday routine in the organisation after the implementation step. Each security control must be monitored by its risk owner, and the process needs to produce records as evidence for auditing.

Your access controls should be logged, physical access should be recorded, and data sharing should be authorised and recorded. Hiring and terminating staff must follow security procedures. The Acceptable Use Policy (AUP) must be adhered to and monitored. Without evidence, it may not be possible to prove that an activity has really been done; therefore you must record everything. Records will help you monitor the effectiveness of the ISMS. You will also know whether your employees really perform their tasks as the ISMS requires, and be able to decide on training needs.

Step 13. Monitor and Measure the ISMS.

Regular monitoring, measuring and analysis is the only way you can evaluate the effectiveness of your ISMS. Use the definitions you made for the ISMS monitoring system in Step 9 for this purpose. You should be able to draw insights about your ISMS from the key performance indicators (KPIs) you defined. Are the procedures followed as defined in the ISMS? How many incidents occurred, and of what types? Is any control not working as expected? The answers will help you decide on corrective and/or preventive actions. Remember that an ISMS is not a static system; it has to adapt dynamically to the changing security and business environment. Make sure to update the ISMS documentation and obtain approval whenever you change the ISMS controls.
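Below is an added example, not from the original post, of the measurement loop that Step 9 defines and Step 13 runs: the evidence records produced in Step 12 are turned into KPIs, compared with targets, and the controls that miss their target are flagged for corrective action. The control names, targets, check records and incident list are all constructed sample data, not a real organisation's metrics.

```python
from collections import Counter

# Step 9 output, constructed: one KPI per control, expressed as the share of
# scheduled checks that must pass over the review period.
TARGETS = {
    "leaver access revoked within 24h": 1.0,
    "monthly backup restore test": 1.0,
    "quarterly access review completed": 0.9,
}

# Step 12 evidence, constructed: (control, check passed?) as recorded by the risk owner.
CHECKS = [
    ("leaver access revoked within 24h", True),
    ("leaver access revoked within 24h", True),
    ("leaver access revoked within 24h", False),   # one leaver kept access for 3 days
    ("leaver access revoked within 24h", True),
    ("monthly backup restore test", True),
    ("monthly backup restore test", True),
    ("monthly backup restore test", True),
    ("quarterly access review completed", True),
    ("quarterly access review completed", False),  # one department skipped the review
]

# Incident register for the same period, constructed: (incident type, date).
INCIDENTS = [
    ("phishing", "2024-01-12"),
    ("malware", "2024-02-03"),
    ("phishing", "2024-02-20"),
    ("lost device", "2024-03-08"),
]


def control_pass_rates(checks):
    """KPI value per control: passed checks divided by scheduled checks."""
    total, passed = Counter(), Counter()
    for control, ok in checks:
        total[control] += 1
        if ok:
            passed[control] += 1
    return {c: passed[c] / total[c] for c in total}


def controls_needing_action(rates, targets):
    """Controls whose KPI is below target, sorted by how far they miss it.
    A control with a target but no evidence at all is treated as a miss,
    because without records its operation cannot be proven."""
    misses = []
    for control, target in targets.items():
        rate = rates.get(control, 0.0)
        if rate < target:
            misses.append((control, rate, target))
    return sorted(misses, key=lambda m: m[2] - m[1], reverse=True)


def incidents_by_type(incidents):
    """Answers the post's question 'how many incidents occurred and of what types'."""
    return dict(Counter(kind for kind, _ in incidents))


def review_summary(checks=CHECKS, incidents=INCIDENTS, targets=TARGETS):
    """Input for the Step 15 management review."""
    rates = control_pass_rates(checks)
    return {
        "control_rates": rates,
        "corrective_action": controls_needing_action(rates, targets),
        "incidents": incidents_by_type(incidents),
    }


if __name__ == "__main__":
    summary = review_summary()
    for control, rate in summary["control_rates"].items():
        print(f"{control}: {rate:.0%}")
    print("needs corrective action:", summary["corrective_action"])
    print("incidents by type:", summary["incidents"])
```

Treating "no evidence" as a failed KPI, rather than skipping the control, is deliberate: it matches the post's point that an activity without records cannot be shown to have happened, so a control with no monitoring records is surfaced for action rather than silently reported as fine.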

Step 14. Conduct Internal Audit.

Auditing is an important element of your ISMS for verifying that it performs as expected in the documentation. The internal auditors will use the Statement of Applicability (SoA) for this purpose. They study the ISMS documentation and create a plan defining how each control should be audited, what the indicators of compliance are, and which records they will check. This does not mean checking each and every record; depending on the type of control, the auditors will select a random or systematic sample of records to audit.

Auditing aims to evaluate compliance and to recommend corrective actions for non-conformities, so that such problems do not happen again. It is not a disciplinary process.

The internal audit report is the basis for the review of your ISMS by top management. The internal audit must be conducted at least once a year, or more frequently depending on the complexity of your ISMS environment.

Step 15. Conduct Management Review.

The top management of your organisation must know what is happening in the ISMS. The objective of the management review is to find out whether everyone performed their duties, whether the ISMS is achieving the desired results, and whether it is fulfilling the defined requirements. These questions need answers in order to determine further actions.

Top management must assess the ISMS for suitability, adequacy, results and overall effectiveness using the internal auditors' report. This review will lead them to make important decisions about approving the security budget, aligning security with business strategy, hiring new staff, outsourcing and additional staff training.

Step 16. Perform  Corrective and Preventive Actions.

The internal audit will find non-conformities in the ISMS, meaning either that controls are not implemented as the ISMS requires or that they are implemented wrongly. It will also point out problems arising from particular causes in business processes. When non-conformities are identified, corrective or preventive action is required. This must follow a systematic process to identify the root cause and implement a permanent remedy. Once a non-conformity is found, a temporary action must be taken to contain the problem until a permanent solution is implemented.

Step 17. Conduct Certification Audit.

Once you are confident that your ISMS is operating in compliance with ISO 27001 requirements, you can select an accredited certification body to perform a certification audit. An ISO 27001 certification is valid for 3 years. The certification audit is done in three stages.

Stage 1. 

The external auditor from an accredited certification body will audit your ISMS documentation to verify that your documents comply with ISO 27001 requirements.

Stage 2. 

The external auditor will visit your organisation to audit your controls and evaluate your ISMS. If they find any minor non-conformities, they will recommend corrective actions. Upon satisfactory evaluation, the auditors will recommend your organisation for ISO 27001 certification.

Stage 3. 

After certification to ISO 27001, the external auditor will conduct yearly surveillance audits to evaluate your ISMS updates and the corrective actions recommended. These audits are brief compared to the Stage 2 certification audit.

ISO 27001 certification gives an organisation many benefits. It assures you, your employees, customers, partners, shareholders and other stakeholders that yours is an internationally recognised, secure organisation.

It protects the reputation of your business from cyber security risks.

You will be able to avoid penalties for violations of the regulations such as personal data protection laws. 

You are able to streamline your organisation's business functions and activities while adding cyber security measures.

It gives you a marketing edge over your competitors. Your customers will be more comfortable providing their personal data to an organisation that guarantees its security by complying with international standards.

You will have an edge when collaborating with, or providing services to, international entities that require higher security standards for data sharing.

An ISO 27001 certified ISMS gives you peace of mind and end-to-end visibility of security across your organisation, including departments, processes, locations and divisions.

You are able to adapt to dynamically changing security challenges by making systematic changes, and to stay ahead of emerging cyber security threats.


Niranjan Meegammana

