Consulting & training & development & implementation & certification support
ISO/IEC 27001 formally specifies an Information Security Management System, a governance arrangement comprising a structured suite of activities with which to manage information risks (called ‘information security risks’ in the standard).
The standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profits) of all sizes (from micro-businesses to huge multinationals) in all industries (e.g. retail, banking, defense, healthcare, education and government). This is clearly a very wide brief.
There are seven areas that companies need to manage, to achieve ISO 27001 compliance.
Context of an organisation
ISO 27001 does not take place in isolation. Start with internal considerations: your organisation’s mission, values, products/services, sector, and financial and human resources. Think about stakeholders, internal capabilities, culture and contracts, and then consider how external conditions, trends and customers could impact what you hope to achieve when designing an information security management system.
Organisations need to show they are committed to ISO 27001 from the top down. Policies need to be established and become an integral part of how IT is managed, with a security policy communicated to the whole team. This needs to support the security objectives, with clear management responsibility for these policies.
Planning for ISO 27001 involves assessing the risks and opportunities that could impact IT security, both internally and externally. Risk assessments should be conducted: identifying, analysing, evaluating and prioritising the threats to an organisation. Once risks have been identified, a treatment process is required to ensure you can handle threats if and when they materialise.
ISO 27001 needs resources for successful implementation. Budgets need to be allocated, and staff need to be fully trained and competent when it comes to delivering within the framework of the security objectives and policies. These should always be in line with the threats facing an organisation. Small businesses don’t have the same risk matrix as large government departments: design your security policies according to your internal and external threats.
Operational planning & processes
Successful implementation of ISO 27001 involves embedding operational processes within an organisation. This involves risk assessments, treatment plans and documenting the results of security policies.
Effective information security involves constantly monitoring, measuring, analysing and evaluating the impact of IT policies. To achieve ISO certification, this should include audits and reviews at planned intervals.
Even companies with ISO certification will encounter situations where they fail to meet the standard. When this happens, they need to assess what went wrong and how to take corrective action. This may mean going back to the policies, resources and monitoring systems to ensure that corrective action isn’t needed again in the future.
As an ISO 27001 consulting firm, our Quality Management System consultants are here to support your organization. Please contact us for our free evaluation and competitive quote.
It might seem odd to list this as the first benefit, but it often shows the quickest “return on investment”: if an organization must comply with various regulations regarding data protection, privacy and IT governance (particularly if it is a financial, health or government organization), then ISO 27001 can bring in the methodology that enables it to do so in the most efficient way.
In a market which is more and more competitive, it is sometimes very difficult to find something that will differentiate you in the eyes of your customers. ISO 27001 could be indeed a unique selling point, especially if you handle clients’ sensitive information.
Information security is usually considered as a cost with no obvious financial gain. However, there is financial gain if you lower your expenses caused by incidents. You probably do have interruption in service, or occasional data leakage, or disgruntled employees. Or disgruntled former employees.
The truth is, there is still no methodology and/or technology to calculate how much money you could save if you prevented such incidents. But it always sounds good if you bring such cases to management’s attention.
This one is probably the most underrated: if you are a company which has been growing sharply for the last few years, you might experience problems such as who has to decide what, who is responsible for certain information assets, who has to authorize access to information systems, etc.
ISO 27001 is particularly good in sorting these things out – it will force you to define very precisely both the responsibilities and duties, and therefore strengthen your internal organization.
This one may seem rather obvious, and it is usually not taken seriously enough. But in my experience, this is the main reason why ISO 27001 certification projects fail – management is either not providing enough people to work on the project, or not enough money.
As I already said, the implementation of an Information Security Management System (ISMS) based on ISO 27001 is a complex issue involving various activities and lots of people, lasting several months (or more than a year). If you do not clearly define what is to be done, who is going to do it, and in what time frame (i.e., apply project management), you might as well never finish the job.
If you are a larger organization, it probably makes sense to implement ISO 27001 only in one part of your organization, thus significantly lowering your project risk; however, if your company is smaller than 50 employees, it will be probably easier for you to include your whole company in the scope.
The Information Security Policy (or ISMS Policy) is the highest-level internal document in your ISMS – it shouldn’t be very detailed, but it should define some basic requirements for information security in your organization. But what is its purpose if it is not detailed? The purpose is for management to define what it wants to achieve, and how to control it.
Risk assessment is the most complex task in the ISO 27001 project – the point is to define the rules for identifying the risks, impacts, and likelihood, and to define the acceptable level of risk. If those rules were not clearly defined, you might find yourself in a situation where you get unusable results.
Here you have to implement the risk assessment you defined in the previous step – it might take several months for larger organizations, so you should coordinate such an effort with great care. The point is to get a comprehensive picture of the internal and external dangers to your organization’s information.
The purpose of the risk treatment process is to decrease the risks that are not acceptable; this is usually done by planning to use the controls from Annex A.
In this step, a Risk Assessment Report has to be written, which documents all the steps taken during the risk assessment and risk treatment process. Also, an approval of residual risks must be obtained – either as a separate document, or as part of the Statement of Applicability.
Once you have finished your risk treatment process, you will know exactly which controls from Annex A you need (there are a total of 114 controls, but you probably won’t need them all). The purpose of this document (frequently referred to as the SoA) is to list all controls and to define which are applicable and which are not, and the reasons for such a decision; the objectives to be achieved with the controls; and a description of how they are implemented in the organization.
The Statement of Applicability is also the most suitable document for obtaining management authorization for the implementation of the ISMS.
Just when you thought you had resolved all of the risk-related documents, here comes another one – the purpose of the Risk Treatment Plan is to define exactly how the controls from the SoA are to be implemented – who is going to do it, when, with what budget, etc. This document is actually an implementation plan focused on your controls, without which you wouldn’t be able to coordinate further steps in the project.
This is another task that is usually underestimated in a management system. The point here is – if you can’t measure what you’ve done, how can you be sure you have fulfilled the purpose? Therefore, be sure to define how you are going to measure the fulfillment of objectives you have set both for the whole ISMS, and for security processes and/or controls.
This might be easier said than done. This is where you have to implement the documents and records required by clauses 4 to 10 of the standard, and the applicable controls from Annex A.
This is usually the riskiest task in your project because it means enforcing new behaviour in your organization. Often, new policies and procedures are needed (meaning that change is needed), and people usually resist change – this is why the next task (training and awareness) is crucial for avoiding that risk.
If you want your personnel to implement all of the new policies and procedures, first you have to explain to them why they are necessary, and then train your people so they are able to perform as expected. The absence of these activities in a management system is the second most common reason for ISO 27001 project failure.
What is happening in your ISMS? How many incidents do you have, and of what type? Are all the procedures carried out properly?
This is where the objectives for your controls and measurement methodology come together – you have to check whether the results you obtain are achieving what you have set in your objectives. If not, you know something is wrong – you have to perform corrective and/or preventive actions.
Copyright © 2022 Management System Group - All Rights Reserved.