Exploring how we plan an implementation of ISO 27001
A Note from The Author
Before we start, let's acknowledge that there are many routes to success.
There's no definitively 'right' way to implement ISO 27001 (so long as you adhere to the standard), but there are 'wrong' ways. I know; I've been there.
I also know that whatever you do, an auditor will find something to mark up for improvement – they have to; it's their job to find something to report back on. Sometimes, the trick is allowing them to find something minor (but I never said that).
I've documented my essential advice separately, but I strongly suggest having a robust plan with multiple engaged stakeholders and getting something out there that might not be perfect on day one but can evolve, just like the standard suggests.
Going it alone without solid support around you can result in two things:
1) Pushback from others: Failure to get senior support and stakeholder involvement will likely mean resistance to change, and with ISO 27001, that can be project-killing. For example, if you don't get stakeholders to contribute to your policies, they will likely tear them down if the first time they see them is when they are published.
2) Dependency upon an individual: Without a robust framework and support, the whole ISO standard and ISMS will fall apart when you leave the organisation.
There are many other reasons, but these are my top two.
On another note, I won't tell people how to manage projects in detail. That's all documented elsewhere on my website!
Let's get on then...
An Overview of the Implementation Process Stages
The first year of implementation is broadly in 5 key stages, each feeding the next:
1) Establish a project framework and resources, and define your scope.
2) Conduct a risk assessment of your ISMS and determine treatment options.
3) Create the policies, procedures and controls that support your risk assessments.
4) Check that your actions have a positive impact.
5) Review outcomes and plan how to improve the performance of the ISMS.
STEP 1: INITIATION
Overview of the Initiation Phase
The Initiation phase of ISO 27001 implementation focuses on establishing a solid foundation for the Information Security Management System (ISMS).
This phase ensures that all necessary preparatory steps are taken to set up the ISMS effectively, including understanding the organisation's context, defining the scope, and ensuring leadership commitment.
I've suggested setting up the Steering Group early because you'll need somewhere to take your scope and (in the next step) risk assessments and treatments for approval. A group can act as a review body and issue direction from the outset. Otherwise, you'll likely find yourself rudderless or acting like a dictator.
The major inputs to this phase include the organisational context, internal and external issues, statutory and regulatory requirements, and interested parties' expectations.
The main outputs are establishing a project plan, steering group, ISMS scope, and the initial information security policies and objectives.
Summary of Steps
Establish a Project Plan
Create an outline plan for the implementation, summarising the approach, key resources, timelines, and milestones required for the journey.
Assemble a Steering Group
Form a group with defined terms of reference to oversee the implementation process, ensuring that all necessary expertise and leadership are represented.
Define the ISMS
Identify and document an asset inventory and understand statutory, regulatory, and contractual requirements to establish the boundaries and applicability of the ISMS.
Develop an Information Security Policy
Draft an initial information security policy that aligns with the organisation's objectives and regulatory requirements, setting the groundwork for security practices.
Define ISMS Roles and Responsibilities (R&Rs)
Clearly define and document roles and responsibilities related to information security to ensure accountability and effective implementation.
Set ISMS Objectives
Establish specific, measurable, attainable, relevant, and time-bound (SMART) objectives for the ISMS to guide the subsequent implementation phases and provide clear goals for security improvements.
STEP 2: PLANNING
Overview of the Planning Phase
The Planning phase in the ISO 27001 implementation process is crucial for identifying, assessing, and treating risks to ensure effective information security management within the defined ISMS scope.
This phase establishes a structured approach to managing information security risks by defining methodologies, documenting risks, and determining appropriate treatments.
The major inputs include the ISMS scope and the initial Statement of Applicability (SoA).
The main outputs are documented risk management methodologies, risk logs, risk treatment plans, and an updated SoA.
Summary of Steps
Define Risk Methodology
Establish and document the risk assessment and treatment methodology used throughout the ISMS. This includes criteria for assessing and prioritising risks.
Identify Risks
Conduct a thorough assessment to identify potential information security risks within the ISMS scope. Document these risks in a risk log for further analysis.
Analyse & Evaluate Risks
Analyse the identified risks to assess their potential impact and likelihood. Evaluate these risks against the defined risk criteria to prioritise them for treatment.
Determine Risk Treatment Options
Based on the risk evaluation, determine and document appropriate risk treatment options. Develop detailed risk treatment plans that outline how each risk will be managed.
Update Statement of Applicability (SoA)
Update the SoA to reflect the controls that have been determined necessary as part of the risk treatment process. This document should justify the inclusion or exclusion of each control based on the risk assessment and treatment findings.
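The Planning steps above (a documented scoring methodology, a risk log, evaluation against defined criteria, a treatment option per risk, and an SoA that justifies each control's inclusion or exclusion) can be captured in a small tool. The following is an added example, not code from the original article or its author; the 1-5 scales, the risk appetite threshold, the control identifiers (C-ACC, C-BCK, C-SUP, C-PHY) and the sample risks are all constructed placeholders, and the control catalogue is illustrative rather than the standard's Annex A numbering.

```python
"""Minimal ISO 27001-style risk log and SoA builder (added example, constructed data)."""
from dataclasses import dataclass, field

# Risk methodology: ordinal 1-5 scales; risk score = likelihood x impact.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 8  # assumed acceptance criterion: scores >= 8 must be treated

# Constructed placeholder catalogue of candidate controls (not Annex A).
CONTROL_CATALOGUE = {
    "C-ACC": "Access control",
    "C-BCK": "Backup and restore",
    "C-SUP": "Supplier security",
    "C-PHY": "Physical entry controls",
}

# Treatment options as commonly named in ISO 27005: modify, retain, avoid, share.
TREATMENTS = {"modify", "retain", "avoid", "share"}


@dataclass
class Risk:
    ref: str
    asset: str
    description: str
    likelihood: str
    impact: str
    treatment: str = "retain"
    controls: list[str] = field(default_factory=list)  # catalogue IDs applied

    def score(self) -> int:
        """Apply the documented methodology to produce a comparable score."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def needs_treatment(risk: Risk) -> bool:
    """Evaluate a risk against the acceptance criterion."""
    return risk.score() >= RISK_APPETITE


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Rank risks highest score first; ties broken by reference for a stable log."""
    return sorted(risks, key=lambda r: (-r.score(), r.ref))


def validate_treatment(risk: Risk) -> None:
    """Reject treatment decisions that the methodology does not allow."""
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"{risk.ref}: unknown treatment '{risk.treatment}'")
    if needs_treatment(risk) and risk.treatment == "retain":
        raise ValueError(f"{risk.ref}: score {risk.score()} is above appetite; cannot retain")
    if risk.treatment == "modify" and not risk.controls:
        raise ValueError(f"{risk.ref}: 'modify' requires at least one control")
    for c in risk.controls:
        if c not in CONTROL_CATALOGUE:
            raise KeyError(f"{risk.ref}: references unknown control {c}")


def build_soa(risks: list[Risk], catalogue: dict[str, str]) -> dict[str, dict]:
    """Derive SoA entries: a control is applicable if some treatment relies on it,
    and every entry carries a justification traceable to the risk log."""
    applied: dict[str, list[str]] = {}
    for r in risks:
        validate_treatment(r)
        for c in r.controls:
            applied.setdefault(c, []).append(r.ref)
    soa = {}
    for cid, name in catalogue.items():
        if cid in applied:
            just = "Treats risk(s) " + ", ".join(sorted(applied[cid]))
            soa[cid] = {"name": name, "applicable": True, "justification": just}
        else:
            soa[cid] = {"name": name, "applicable": False,
                        "justification": "No in-scope risk requires this control"}
    return soa


# Constructed sample risk log (illustrative entries only).
SAMPLE_RISKS = [
    Risk("R-001", "Customer database", "Unauthorised access via shared admin account",
         "likely", "major", treatment="modify", controls=["C-ACC"]),
    Risk("R-002", "File server", "Data loss from disk failure with no tested restore",
         "possible", "severe", treatment="modify", controls=["C-BCK"]),
    Risk("R-003", "Office printer", "Sensitive printout left in output tray",
         "possible", "minor", treatment="retain"),
    Risk("R-004", "Payroll SaaS", "Provider breach exposes employee data",
         "unlikely", "major", treatment="share", controls=["C-SUP"]),
]


if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        flag = "TREAT" if needs_treatment(r) else "ok"
        print(f"{r.ref} score={r.score():2d} [{flag}] {r.treatment:7s} {r.description}")
    for cid, entry in build_soa(SAMPLE_RISKS, CONTROL_CATALOGUE).items():
        print(f"{cid} {entry['name']:24s} applicable={entry['applicable']} ({entry['justification']})")
```

Running the script prints the risk log in priority order with the treatment flag, followed by the derived SoA. The point of `validate_treatment` is that the methodology, not the person filling in the log, decides whether a risk above appetite can simply be retained, and `build_soa` makes every "applicable" decision traceable back to a risk reference, which is exactly the justification an auditor will ask for.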
STEP 3: IMPLEMENTATION
Overview of the Implementation Phase
The Implementation phase of ISO 27001 is where the planning comes to fruition by putting in place the necessary controls and measures to manage information security risks effectively.
This phase is focused on developing and implementing policies, procedures, and controls, conducting awareness campaigns, and providing training to ensure the ISMS is operational.
The major inputs include the Statement of Applicability (SoA), risk treatment plans, and ISMS objectives.
The main outputs are a comprehensive resource plan, documented policies and procedures, implemented controls, and trained staff.
Summary of Steps
Create Resource Plan
Develop a detailed plan outlining the resources required to implement the ISMS, including personnel, technology, and financial resources.
Document Policies & Procedures
Formulate and document all necessary policies and procedures to support the ISMS. This includes IT standard operating procedures (SOPs), incident management SOPs, supplier security policy, business continuity procedures, access control policy, secure system design principles, document control procedures, and controls for record management. Please recognise these are suggested minimums, and there may be many others you need to create.
Implement Controls
Implement the information security controls as defined in the risk treatment plans. This includes updating the risk assessment and treatment plans to reflect the implemented controls.
Conduct Awareness Campaign
Develop and execute a communication plan to raise awareness about the ISMS and its importance among all employees. This ensures that everyone understands their roles and responsibilities in maintaining information security.
Provide Training
Identify training needs and develop a plan to ensure all relevant staff are adequately trained on the ISMS policies, procedures, and controls. Maintain records of all training conducted to demonstrate compliance.
STEP 4: MONITORING & REVIEW
Overview of the Monitoring & Review Phase
The Monitoring and Review phase of ISO 27001 implementation focuses on continuously evaluating the ISMS to ensure its effectiveness and alignment with organisational objectives.
This phase involves regular monitoring, measurement, and auditing activities to identify areas for improvement and ensure compliance with the established policies and controls.
The key inputs include scope changes and ISMS objectives.
The main outputs are ISMS performance reports, management review minutes, and audit plans and findings.
Summary of Steps
Monitor & Measure ISMS Performance
Monitor and measure the ISMS's performance regularly against the defined objectives and metrics. Document these findings in an ISMS performance report to track progress and identify areas needing attention.
Management Review
Conduct periodic management reviews to assess the ISMS's overall performance. This includes evaluating the results from monitoring activities, considering scope changes, and reviewing ISMS objectives. Document the minutes of these reviews to ensure transparency and record decisions made.
Internal Audits
Plan and conduct internal audits to evaluate the ISMS's compliance with ISO 27001 requirements and organisational policies. Develop an audit plan and document the findings of these audits to identify non-conformities and areas for improvement.
STEP 5: CONTINUOUS IMPROVEMENT
Overview of the Continuous Improvement Phase
The Continuous Improvement phase in ISO 27001 focuses on maintaining and enhancing the effectiveness of the ISMS by systematically addressing non-conformities and implementing improvements.
This phase ensures the ISMS evolves with the organisation's changing needs and continuously improves its information security posture.
The major inputs include ISMS performance reports, management review minutes, and audit findings.
The main output is the improvement plan, which addresses identified non-conformities and outlines steps for continuous enhancement.
Summary of Steps
Create Improvement Plan
Develop a comprehensive improvement plan based on inputs from ISMS performance reports, management review minutes, and audit findings. This plan should address all identified non-conformities and propose actions to enhance the ISMS.
Management Review Minutes
Utilise the documented minutes from management reviews to identify improvement areas. These reviews provide insights into the effectiveness of the ISMS and highlight strategic areas for enhancement.
Audit Findings
Leverage findings from internal and external audits to pinpoint specific weaknesses or non-conformities within the ISMS. Address these findings systematically in the improvement plan to ensure compliance and effectiveness.
Non-Conformities Log
Maintain a log of all identified non-conformities, tracking and managing them. Use this log to prioritise improvement plan actions and demonstrate accountability and progress.
Important Notice
This document is provided for personal use only. Commercial or consultative use requires a licence. For detailed terms of use, please visit https://www.iseoblue.com/terms.