How to implement ISO 27001?
Implementing ISO 27001 is not easy. The most reliable way to do it is to follow a structured plan, such as the one outlined below:
- Gain management support – This first step is essential: many ISO 27001 implementation projects fall by the wayside because management has not allocated the necessary resources. These resources include people and money.
- Set project parameters – Many complex issues are tackled through the implementation process and these can involve several different people over several months or even a year. You should set parameters such as a time frame and who is to complete each action.
- Define the scope of the information security management system – For larger organisations, it is a good idea to implement ISO 27001 in just one part of the company at first. This lowers the risk of the project.
- Write an information security management system policy – This highest-level document should include the basic issues of information security in your business. The purpose of this document is to let management set out what is to be achieved and how it will control it.
- Define the methodology for the risk assessment – This is the most complex task within the ISO 27001 framework. This stage of the project sets out the rules for identifying assets, threats, vulnerabilities, likelihood, and impacts. You should also set out the level of acceptable risk.
- Conduct risk assessment and treatment – This is the implementation stage for putting into action the processes that will mitigate the risks identified in step 5. This may take several months for large companies and will reduce the risks that were found to be unacceptable. Risk treatment is usually completed by using the controls set out in Annex A.
- Create a Statement of Applicability (SoA) – Upon completing the risk assessment process, the exact controls needed from Annex A will be known. There are more than 100 controls in Annex A, but it is unlikely that all will be needed. The SoA should list all of the controls and highlight which are applicable and which are not. The document should also contain the reasons for each decision and a description of how each applicable control is implemented.
- Create a Risk Treatment Plan – This document should set out how the controls in the SoA will be put into action. It should detail who is going to put the controls in place and with what budget.
- Set out how to measure the effectiveness of controls – This step should lay out how the controls that are being put in place will be tested and measured. It should cover measuring the individual controls and the ISMS as a whole.
- Implement controls and mandatory procedures – New technology and new behaviours need to be implemented here. This step may include putting in place new policies and procedures.
- Conduct awareness and training programs – In order to implement the new policies and procedures you will need to make your employees aware of why the changes are necessary. You will need to train your employees on how to perform these new tasks.
- Run the ISMS – The ISMS now needs to be run as an everyday routine. You should record what happens so that you know for certain that your suppliers and employees are performing the new tasks set out in your policies and procedures.
- Monitor the ISMS – In this step, your company should be able to see the number of incidents and the types of incidents that occur. The objective is to know if your controls are obtaining the desired results and if not, what has gone wrong, and what preventative or corrective measures are needed.
ISO 27001 sets out detailed specifications for documentation, preventive actions, management responsibilities, internal audits, corrective actions, and continual improvement. The checklist of information security controls that should be considered is set out in the ISO 27002 code of practice.
Third-party accredited certification of ISO 27001 conformance is highly recommended.
What is the ISO 27001 certification process?
The ISO 27001 certification process is made up of four steps: a stage one audit, a stage two audit, a management review, and corrective and preventive actions:
- Stage one audit – This phase is also known as the documentation review, where the auditor checks the documentation of your company to confirm that it is compliant with ISO 27001.
- Stage two audit – This phase is also known as the main audit, where the auditor checks whether your activities are compliant with your documentation and with ISO 27001.
- Management review – This is a formal step for management to consider all relevant facts on information security and to take appropriate decisions.
- Corrective and preventive actions – This is when your company resolves the problems that were detected during the internal audit stage.
What is ISO 27002?
ISO 27002 outlines best-practice recommendations for information security controls. It applies to anyone who is responsible for implementing, initiating, or maintaining information security management systems.
ISO 27002 is intended to be used by any company that intends to select controls during the process of implementing an ISMS, based on ISO 27001. Companies are able to adopt commonly accepted information security controls and create their own security management guidelines.
The sections within the ISO 27002 standard include:
- Operations security
- Access control
- Communications security
- Asset management
- Human resources security
- Physical and environmental security
- Systems acquisitions, development, and maintenance
- Information security policies
- Organisation of information security
- Information security aspects of business continuity management
- Information security incident management
- Supplier relationships
ISO 27000 family
ISO/IEC 27000:2018 is an overview of ISMS and of the terms and definitions used within the ISO 27000 family. ISO 27000 explains how the standards fit together, as well as their functions, roles, and relationships with each other.
There are more than a dozen standards within the 27000 family and these include:
- 27003 – implementation guidance
- 27004 – ISMS standards that suggest metrics to improve the effectiveness of an ISMS
- 27005 – an ISMS risk management standard
- 27006 – a certification and registration guide of processes for accredited ISMS registration and certification bodies
- 27007 – information security management system auditing guideline
ISO 27001 benefits
As an information security standard, ISO 27001 is one of the most popular in the world. Your organization can gain independent certification from an accredited certification body, through an audit process. Globally, ISO 27001 is recognised as a benchmark for excellent security practice.
Why ISO 27001 is important:
- Your business can significantly improve its protection against cyber attacks
- Your business will be able to adapt quickly to evolving threats and risks, inside and outside of your organisation’s environment
- It will help your staff embrace security in their daily working practices
- It will set out who is responsible within your organisation for various information security risks
- It will protect and improve your reputation
ISO 27001 for startups
Startups are recognising the advantages of introducing ISO 27001 at an early stage of their journey. Previously paper-heavy and costly, ISO 27001 has changed since its introduction. The benefits to a new startup of adopting an internationally recognised security standard are many. They include giving valuable assurances to investors, staff, and customers by protecting against business disruption and the reputational damage caused by data breaches.
ISO 27001 vs PCI DSS
ISO 27001 focuses on broader information security, while PCI DSS (Payment Card Industry Data Security Standard) focuses on the security surrounding card payments. PCI DSS is governed by a consortium of credit card companies, whose aim is to ensure that card transactions are protected.
ISO 27001 for GDPR
ISO 27001 is an excellent starting point for companies that need to achieve compliance with the EU’s GDPR (General Data Protection Regulation). GDPR states that companies must adopt appropriate procedures, policies, and processes to protect the personal data that they hold.
The framework of ISO 27001 will get a company half-way to complying with GDPR. ISO 27001 does this through the company achieving the necessary operational and technical requirements to reduce the risk of security breaches.
An audit is a vital step to becoming ISO 27001 certified, testing your ISMS to highlight any areas that need attention and to improve the processes within your company.
The certification supports compliance with other laws such as the Network and Information Systems Regulations (NIS) and the EU’s General Data Protection Regulation (GDPR).
The SoA is a mandatory document that needs to be created as part of the ISO 27001 risk assessment. The Statement of Applicability is vital for obtaining an ISO 27001 Risk Assessment and ISMS certificate.
Annex A is a series of controls that can be used to tackle the security threats identified as part of the ISO 27001 process. There are a total of 114 controls split into control sets. The control sets cover information security policies, organisation of information security, human resource security, asset management, access control, and cryptography. They also cover physical and environmental security, operations security, communications security, system acquisition, development and maintenance, supplier relationships, information security incident management, information security aspects of business continuity management, and compliance.
An ISO 27001 accreditation is a signal to other businesses that information security is being taken seriously. It also demonstrates that the accredited business is committed to continuously upholding those standards into the future.
The cost of attaining your ISO 27001 certification is relatively inexpensive, compared to the cost of a data breach. However, the cost for attaining ISO 27001 certification depends upon the size and complexity of your organisation.
All companies that have attained the standard will have an ISO 27001 certificate. Any company that has achieved certification will be happy to supply a copy of their certification.