ISO 27001 Consulting and Implementation support

It might seem odd to list this as the first benefit, but it often shows the quickest “return on investment” – if an organization must comply to various regulations regarding data protection, privacy and IT governance (particularly if it is a financial, health or government organization), then ISO 27001 can bring in the methodology which enables to do it in the most efficient way

 In a market which is more and more competitive, it is sometimes very difficult to find something that will differentiate you in the eyes of your customers. ISO 27001 could be indeed a unique selling point, especially if you handle clients’ sensitive information. 

Information security is usually considered as a cost with no obvious financial gain. However, there is financial gain if you lower your expenses caused by incidents. You probably do have interruption in service, or occasional data leakage, or disgruntled employees. Or disgruntled former employees.

The truth is, there is still no methodology and/or technology to calculate how much money you could save if you prevented such incidents. But it always sounds good if you bring such cases to management’s attention.

This one is probably the most underrated – if you are a company which has been growing sharply for the last few years, you might experience problems like – who has to decide what, who is responsible for certain information assets, who has to authorize access to information systems etc.

ISO 27001 is particularly good in sorting these things out – it will force you to define very precisely both the responsibilities and duties, and therefore strengthen your internal organization.

 This one may seem rather obvious, and it is usually not taken seriously enough. But in my experience, this is the main reason why ISO 27001 certification projects fail – management is either not providing enough people to work on the project, or not enough money.  

As I already said, the implementation of an Information Security Management System (ISMS) based on ISO 27001 is a complex issue involving various activities and lots of people, lasting several months (or more than a year). If you do not clearly define what is to be done, who is going to do it, and in what time frame (i.e., apply project management), you might as well never finish the job

If you are a larger organization, it probably makes sense to implement ISO 27001 only in one part of your organization, thus significantly lowering your project risk; however, if your company is smaller than 50 employees, it will be probably easier for you to include your whole company in the scope.

The Information Security Policy (or ISMS Policy) is the highest-level internal document in your ISMS – it shouldn’t be very detailed, but it should define some basic requirements for information security in your organization. But what is its purpose if it is not detailed? The purpose is for management to define what it wants to achieve, and how to control it. 

Risk assessment is the most complex task in the ISO 27001 project – the point is to define the rules for identifying the risks, impacts, and likelihood, and to define the acceptable level of risk. If those rules were not clearly defined, you might find yourself in a situation where you get unusable results.

Here you have to implement the risk assessment you defined in the previous step – it might take several months for larger organizations, so you should coordinate such an effort with great care. The point is to get a comprehensive picture of the internal and external dangers to your organization’s information. 

The purpose of the risk treatment process is to decrease the risks that are not acceptable – this is usually done by planning to use the controls from Annex A .

In this step, a Risk Assessment Report has to be written, which documents all the steps taken during the risk assessment and risk treatment process. Also, an approval of residual risks must be obtained – either as a separate document, or as part of the Statement of Applicability.

Once you have finished your risk treatment process, you will know exactly which controls from Annex A you need (there are a total of 114 controls, but you probably won’t need them all). The purpose of this document (frequently referred to as the SoA) is to list all controls and to define which are applicable and which are not, and the reasons for such a decision; the objectives to be achieved with the controls; and a description of how they are implemented in the organization.

The Statement of Applicability is also the most suitable document to obtain management authorization for the implementation of the ISMS

Just when you thought you had resolved all of the risk-related documents, here comes another one – the purpose of the Risk Treatment Plan is to define exactly how the controls from the SoA are to be implemented – who is going to do it, when, with what budget, etc. This document is actually an implementation plan focused on your controls, without which you wouldn’t be able to coordinate further steps in the project.

 This is another task that is usually underestimated in a management system. The point here is – if you can’t measure what you’ve done, how can you be sure you have fulfilled the purpose? Therefore, be sure to define how you are going to measure the fulfillment of objectives you have set both for the whole ISMS, and for security processes and/or controls. 

 This might be easier said than done. This is where you have to implement the documents and records required by clauses 4 to 10 of the standard, and the applicable controls from Annex A

This is usually the riskiest task in your project because it means enforcing new behaviour in your organization. Often, new policies and procedures are needed (meaning that change is needed), and people usually resist change – this is why the next task (training and awareness) is crucial for avoiding that risk.

If you want your personnel to implement all of the new policies and procedures, first you have to explain to them why they are necessary, and train your people to be able to perform as expected. The absence of these activities in a management system is the second most common reason for ISO 27001 project failure

What is happening in your ISMS? How many incidents do you have, and of what type? Are all the procedures carried out properly?

This is where the objectives for your controls and measurement methodology come together – you have to check whether the results you obtain are achieving what you have set in your objectives. If not, you know something is wrong – you have to perform corrective and/or preventive actions.