Is your organisation only just getting started with the implementation of the international information security standard known as ISO 27001?
If so, you will likely appreciate a convenient, ‘cut out and keep’ guide to the process of putting in place an information security management system (ISMS) that is compliant with ISO 27001.
But before that, we’ll set out some of the basics you need to know about this popular standard.
What is ISO 27001, and why is it important to a business or organisation?
ISO 27001 is an international standard designed to help organisations with the management of their information security. It outlines the requirements for an ISMS, so that the organisation implementing such a system can be more confident of keeping its information assets secure.
In the words of the International Organization for Standardization (ISO), which – along with the International Electrotechnical Commission (IEC) – was the body responsible for originally publishing the standard in 2005, the revised 2013 version of ISO 27001 “specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.”
There are many reasons why a given business or organisation may wish to achieve ISO 27001 compliance and, indeed, certification. Every organisation, of course, should be doing everything possible to keep its sensitive information secure. The security landscape doesn’t stay still, and would-be hackers are constantly learning new techniques and embracing new technologies that might heighten the risk of them breaching your systems and accessing sensitive data.
Achieve ISO 27001 certification for your organisation, and you will also be strongly placed to assure potential customers and partners that their sensitive data will be safe and well looked after. That, in turn, could give your business a crucial competitive edge against its rivals.
What are the basic requirements for achieving ISO 27001 certification?
In order to achieve ISO 27001 certification, your organisation will first need to achieve compliance with the standard. This process is based on the implementation of information security controls, although it is important to acknowledge that no individual control is mandatory for every single organisation to put in place if it wishes to become ISO 27001 compliant.
This is due to the standard’s recognition that every organisation’s requirements will be different when it comes to the development of an ISMS. Some controls may be appropriate for your business to adopt, while others might be less suitable.
So, the focus is instead on organisations undertaking activities that will inform their decisions as to which controls to put in place.
When your organisation is looking to implement ISO 27001, there will be two especially crucial activities: (a) scoping your ISMS, which will be the stage at which you define what information your organisation needs to protect; and (b) conducting a risk assessment and defining a risk treatment methodology. The latter of those stages will be the one at which you identify threats to your organisation’s information.
Beyond this, various other clauses within the standard are mandatory for organisations wishing to attain ISO 27001 compliance. These cover aspects such as the information security policy and objectives, the information risk treatment process, monitoring and measurement results, the internal audit programme, and various other key components.
Step-by-step ISO 27001 checklist
Below, we have outlined nine steps to take on the route to certification for ISO 27001.
Step 1: Assemble your team
The first thing you will need to do is appoint a project leader to oversee the implementation of your organisation’s ISMS. You should be seeking someone for this role who has a well-rounded knowledge of information security. In addition, they will need to be someone with the necessary authority to lead a team and issue instructions to managers.
This project leader will require a team of people to assist them. This team will then need to create a project mandate, essentially setting out what they are hoping to achieve, the amount of time it will take, and how much it will cost.
Step 2: Develop the implementation plan
Then, it will be time to begin planning the actual implementation. Using the project mandate, your team should be able to start creating a more in-depth outline of their objectives for your organisation’s information security.
It is at this stage that high-level policies will need to be set out for the ISMS, establishing the relevant roles and responsibilities, as well as rules for the continual improvement of the system.
Step 3: Initiate the plan
Having devised the plan, you will need to decide which continual improvement methodology you will be using. No specific method is recommended by ISO 27001 itself; instead, a “process approach” is advised, which essentially amounts to a Plan-Do-Check-Act (PDCA) cycle.
Any model can be used for your ISMS, provided that you clearly define the requirements and processes, implement them correctly, and review and improve them regularly.
Alongside this, it will be necessary to put together an ISMS policy. You don’t need to include a great amount of detail in this; the important thing is that it stipulates what your implementation team wishes to achieve, and how they intend to do it.
Step 4: Define the plan scope
This is the stage at which you will be gaining a broader sense of the framework for your ISMS. You can find out more information about this process by consulting clauses four and five of the ISO 27001 standard.
In order to define the scope of your organisation’s ISMS, you will need to pinpoint the locations where information is stored, whether this takes the form of physical or digital files, systems or portable devices.
Defining the scope of the ISMS is a crucial part of the all-round process of achieving ISO 27001 compliance. While an overly small scope could risk you leaving your organisation’s crucial information exposed, an overly broad scope could render your ISMS overwhelming and complicated to manage.
Step 5: Identify your baseline
What is the minimum level of activity that your organisation will require in order to conduct business securely? Your answer to this question will constitute your business’s security baseline.
Your organisation’s ISO 27001 risk assessment will enable you to gather the information needed if you are to identify your security baseline with confidence. It will help make you more aware of your business’s greatest security vulnerabilities, and the corresponding ISO 27001 controls that could put you in the strongest position to minimise these risks.
Step 6: Establish a risk management process
Risk management is of central importance when it comes to implementing an ISMS. ISO 27001 allows organisations to define risk management processes of their own, instead of setting out universal stipulations for which ones should be followed.
Whatever risk management process you do ultimately commit to, a risk assessment will need to be undertaken to inform your decisions in this area. That risk assessment, in turn, will be five-pronged, consisting of the following steps: establishing a risk assessment framework; identifying risks; analysing risks; evaluating risks; and, finally, selecting risk management options.
Step 7: Implement a risk treatment plan
This stage is about building the security controls that will be crucial to the protection of your organisation’s information assets.
You will also need to be confident that these controls will have the impact you desire; this will necessitate checking that your staff are capable of operating or interacting with the controls, and that they are well informed about their obligations with regard to information security.
It will also be vital at this stage to develop a process by which the competencies that will be necessary for the achievement of your ISMS objectives can be determined, reviewed, and maintained.
Step 8: Measure, monitor and review
How can you be sure that your ISMS is working? The short answer is that you can’t, unless you take the time to review it. It is recommended that you do so at least annually, so that your organisation is in the best possible position to keep up with – and adapt to – the ever-changing risk landscape.
As well as elements of both quantitative and qualitative analysis – the former based on numerical measurements, the latter on judgement – it is important that your company’s arrangements include regular internal audits of your ISMS.
There isn’t a single approved way to carry out an internal audit of an ISMS, so your organisation will need to make that decision. Regardless of how your internal audit is specifically structured, however, it should be completed as quickly as possible, and the results should be fed into your process for the continual improvement of your ISMS.
Step 9: Certification
It’s one thing to achieve compliance with ISO 27001, and quite another to attain certification. If you aspire to the latter for your organisation, you will need to subject your organisation’s ISMS to an external auditing process. There are multiple auditing bodies from which you can choose for this.
The certification audit process will, in effect, be split into two stages. The initial audit will aim to ascertain whether the organisation’s ISMS has been developed in accordance with the requirements of ISO 27001. If the auditor judges that this is indeed the case, a more extensive investigation will be arranged.
One of the most crucial elements of this process will be choosing a certification body. You are advised to ensure your choice of certification body is accredited by a national accreditation body, which should be a member of the International Accreditation Forum (IAF).
This step will enable you to ensure the review is genuinely in accordance with ISO 27001, which – after all – will be central to the whole exercise of attempting to secure ISO 27001 certification.
Using software to manage the ISO 27001 audit process
We mentioned the internal auditing process above, and its importance if your organisation is to achieve its objective of ISO 27001 compliance and certification. But what difference could the right software platform make to your organisation’s audits?
In short: a big one. As part of our own Vision Pro solution, audit management software can be provided that gives you a single place to host your company’s auditing templates or question sets. What is more, it is web-based software that is highly accessible to anyone in your organisation who might need to refer to or use it – while also, naturally, being extremely secure, so that it cannot be accessed by those who have not been granted the relevant permission.
To find out more about the power of Vision Pro and its audit management capabilities, please don’t hesitate to call our team now, on 0115 922 0600; when you do, we will also be able to arrange a demo, so that you can experience the software’s potential for yourself.