Implementing ISMS
June 2017
will feed into the information security policy and really start to shape how the ISMS is applied. Because these are ‘policy-level’ objectives, they should include a time-bound statement about whether the organisation is seeking certification or just compliance with the Standard.

The project team should represent the interests of every part of the organisation, and be composed of people at various levels of seniority. You should also draw up a RACI matrix at this point, identifying who is responsible, accountable, consulted and informed regarding the key decisions relating to the project.

A key role is that of the information security manager. In addition to having a central role in the implementation project, they will also eventually be responsible for the day-to-day functioning of the ISMS.

The ‘project team’ should also develop other essential teams, such as a steering group, which is essential to drive the project forward.

The project plan is part of the process of gradually drilling down into what will actually be done in implementing ISO 27001, and should include critical project data such as review dates.

Additional resources and information may be necessary to make sure that the plan is comprehensive, suitably detailed, and accounts for the organisation’s unique position and structure.

The risk register should account for risks to the project itself. These might be budgetary (will the organisation continue to fund the project?), cultural (will staff resist the change?), lack of management commitment (will senior management openly support the project?), legal (are there specific legal obligations that might be at risk?), and so on. Each risk included in the register should have an assigned owner and a mitigation plan. Crucially, the risk register and mitigation plans should be reviewed regularly throughout the project.

3. ISMS initiation

ISO 27000 (the overview for the ISO information security management standards) recognises that a “process approach” to continual improvement is the most effective model for managing information security. That is, each process has a set of inputs and outputs, and the outputs may become inputs for further processes. In a broad sense, this can be cyclical, as in continual improvement methodologies such as PDCA (Plan-Do-Check-Act), COBIT® 5’s continual improvement life cycle and ITIL®’s Continual Service Improvement.

ISO 27001 does not specify a particular continual improvement methodology, preferring instead to allow organisations to use whatever method they choose, or to use a model they already have in place. If your organisation does not yet have a preferred methodology, Nine Steps to Success discusses the merits of each of the most popular models.

You will also need to establish your documentation structure.

We recommend a four-tier documentation structure:

1. Policies at the very top, defining the organisation’s position and requirements.
2. Procedures to enact the policies’ requirements.
3. Work instructions describing the detail for the employees who enact elements of the procedures.
4. Records tracking the procedures and work instructions, providing evidence that they have been followed correctly and consistently.

This structure is simple enough for anyone to grasp quickly, while also providing an effective way of ensuring policies are implemented at each level of the organisation.

A great deal can be said about documentation, but there are two key points to make:

1. Documentation should be controlled to ensure the latest versions are approved and identifiable.
discussed in Nine Steps to Success, and some organisations will be considerably more suited to one method than the other.

There are five important steps in an ISO 27001 risk assessment:

1. Establish a risk assessment framework
2. Identify risks
3. Analyse risks
4. Evaluate risks
5. Select risk management options

The risk assessment framework is a critical part of the process, and will involve designating the person(s) responsible for the risk assessment. Without someone who is capable of performing the assessment, the whole exercise will fail.

You will also need to define your risk acceptance criteria, which involves understanding how risks affect the organisation and how likely they are to actually occur. By determining the impact and the likelihood of a given risk, you can determine how severe a risk it really is. Risk managers often present this in a simple matrix:

[Figure: risk matrix; only the ‘Impact’ axis label survives extraction]

the red area should be terminated. You might choose to transfer some risks on a case-by-case basis.

The key outputs of an ISO 27001 risk assessment are the Statement of Applicability (SoA) and the risk treatment plan.

The SoA is a document that contains the “necessary controls” you have selected, justifications for their inclusion, whether or not they have been implemented, and justification for excluding any controls from Annex A of ISO 27001. It essentially proves that you’ve done due diligence by considering all of the reference controls, and is especially important if you are seeking to certify your ISMS.

The risk treatment plan, meanwhile, shows the results of the risk assessment – that is, for each identified risk, what the organisation intends to do. This should include other essential information such as responsibility for the risk and deadlines for completion.
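The five risk assessment steps and the risk treatment plan described above, worked through as a small risk register in code. This is an added example and is not code from the guide or from IT Governance: the 1..5 impact and likelihood scales, the green/amber/red thresholds, the four treatment options and the sample register entries are all constructed assumptions chosen for illustration.

```python
# Added worked example (not from the guide): a risk register scored on the
# impact x likelihood matrix, checked against risk acceptance criteria, and
# turned into risk treatment plan entries with an owner and a deadline.
# Scales, thresholds, treatment options and sample risks are constructed.
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional


class Treatment(Enum):
    ACCEPT = "accept"        # within acceptance criteria; monitor only
    MITIGATE = "mitigate"    # reduce likelihood or impact with a control
    TRANSFER = "transfer"    # e.g. insurance or contract; a case-by-case choice
    TERMINATE = "terminate"  # stop the activity that gives rise to the risk


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str                              # every register entry needs an owner
    impact: int                             # assumed scale 1 (negligible) .. 5 (severe)
    likelihood: int                         # assumed scale 1 (rare) .. 5 (almost certain)
    treatment: Optional[Treatment] = None   # step 5 choice; None = default for the band
    deadline: Optional[date] = None         # required for anything other than accept
    justification: str = ""                 # required when overriding the default


# Step 1: risk acceptance criteria (constructed thresholds on the 1..25 score).
ACCEPT_BELOW = 6       # scores below this are "green" and may be accepted
TERMINATE_FROM = 20    # scores from this upwards are "red" and should be terminated

DEFAULT_BY_BAND = {"green": Treatment.ACCEPT,
                   "amber": Treatment.MITIGATE,
                   "red": Treatment.TERMINATE}


def score(risk: Risk) -> int:
    """Steps 3-4: severity = impact x likelihood, the guide's simple matrix."""
    if not (1 <= risk.impact <= 5 and 1 <= risk.likelihood <= 5):
        raise ValueError(f"{risk.risk_id}: impact and likelihood must be in 1..5")
    return risk.impact * risk.likelihood


def band(risk: Risk) -> str:
    """Map the score onto the matrix colour."""
    s = score(risk)
    if s < ACCEPT_BELOW:
        return "green"
    if s >= TERMINATE_FROM:
        return "red"
    return "amber"


def validate(register: List[Risk]) -> List[str]:
    """Return the register's problems (an empty list means it is ready for a plan)."""
    problems = []
    for r in register:
        try:
            default = DEFAULT_BY_BAND[band(r)]
        except ValueError as err:
            problems.append(str(err))
            continue
        if not r.owner.strip():
            problems.append(f"{r.risk_id}: no owner assigned")
        chosen = r.treatment or default
        if chosen is not Treatment.ACCEPT and r.deadline is None:
            problems.append(f"{r.risk_id}: '{chosen.value}' needs a completion deadline")
        if r.treatment is not None and r.treatment is not default and not r.justification.strip():
            problems.append(f"{r.risk_id}: overriding the default treatment needs a justification")
    return problems


def treatment_plan(register: List[Risk]) -> List[dict]:
    """Step 5 output: for each risk, what will be done, by whom, and by when."""
    problems = validate(register)
    if problems:
        raise ValueError("; ".join(problems))
    return [{"risk_id": r.risk_id, "score": score(r), "band": band(r),
             "treatment": (r.treatment or DEFAULT_BY_BAND[band(r)]).value,
             "owner": r.owner,
             "deadline": r.deadline.isoformat() if r.deadline else None}
            for r in register]


# Constructed sample register entries.
SAMPLE_REGISTER = [
    Risk("R-01", "Laptop holding customer data lost or stolen", "IT manager",
         impact=4, likelihood=3, deadline=date(2017, 9, 30)),            # 12, amber
    Risk("R-02", "Visitor sign-in book left at reception", "Facilities",
         impact=1, likelihood=2),                                         # 2, green
    Risk("R-03", "Sole hosting supplier ceases trading", "Head of Finance",
         impact=5, likelihood=4, treatment=Treatment.TRANSFER,           # 20, red
         deadline=date(2017, 8, 31),
         justification="Contractual escrow and insurance cover the loss"),
]

if __name__ == "__main__":
    for entry in treatment_plan(SAMPLE_REGISTER):
        print(entry)
```

The `validate` step is the part worth keeping in a real register: it enforces the guide's two requirements for the treatment plan (an owner and a deadline per risk) and makes a transfer or acceptance that departs from the matrix band carry a written justification, which is what an auditor will ask to see.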
7. Implementation

While we call this the ‘implementation’ phase, what we really refer to is the implementation of the risk treatment plan.
The actual certification audit will determine whether the ISMS is worthy of certification. In order to maximise the likelihood of passing certification at the first attempt, there are several things you can do.

Ensure your documentation is complete, comprehensive and available for the auditors to inspect. This should be in place before the actual certification audit, as the auditors will want to review your documentation ahead of the visit.

Ensure that you have records of internal audits and testing. These provide evidence that your ISMS is an active management system rather than just a set of documents, and may also demonstrate your corrective actions and continual improvement in action.

Make sure your staff are open and honest with the auditors, and that they know how to answer the auditor’s questions. This should include ensuring appropriate staff have a thorough knowledge of the areas of information security they are responsible for.

Management should be fully involved in the certification audit. It may be useful to rehearse with them the sorts of questions they may be asked, and to review the formal, management-level policies and declarations.

For many organisations, this is going to be seen as one of the most critical stages: proving that the implementation programme was effective and being able to show that to partners, customers and other stakeholders. To maximise the chances of getting to this stage, read Nine Steps to Success.
Standards
ISO 27001 ISMS Requirements
ISO/IEC 27001:2013, usually referred to just as ISO 27001, is the best-practice specification that helps businesses and organisations throughout the world to develop an ISMS.

Books
Nine Steps to Success – An ISO 27001:2013 Implementation Overview
Now in its third edition, this must-have guide has been completely updated to align with IT Governance’s implementation methodology, used by our consultants in hundreds of successful ISMS implementations around the world.

Toolkits
ISO 27001 ISMS Documentation Toolkit
Fulfil your ISO 27001 documentation obligations with customisable templates and implementation guidance from ISO 27001 auditors. Ensure total coverage of your project with this complete set of mandatory and supporting documentation.
Training
ISO 27001 Certified ISMS Lead Implementer Masterclass
If you are involved in information security management, writing information security policies or implementing ISO 27001 – either as a Lead Implementer, or as part of the planning/implementation team – this masterclass covers all the key steps in preparing for and achieving ISMS certification first time. Also available as a Live Online course.

Software
vsRisk™ – the definitive ISO 27001 risk assessment tool
Fully aligned with ISO 27001, vsRisk streamlines the risk assessment process and helps you produce robust risk assessments. The software tool saves 80% of your time and significantly cuts the consultancy costs that are typically associated with tackling a risk assessment.