Implementing an ISMS (information security management system) that is ISO 27001 compliant can be difficult, but it is worthwhile. This 16-step implementation checklist is meant to assist you if you are just getting started with ISO 27001 compliance.
1. Obtain management support
This one may appear obvious, but it is frequently ignored, and in my experience it is the primary reason why ISO 27001 certification projects fail: management either does not assign enough people to the project or does not provide enough funding.
2. Approach it as a project
As previously stated, implementing an Information Security Management System (ISMS) based on ISO 27001 is a complex undertaking that involves numerous activities and a large number of people and can take several months (or more than a year). If you do not clearly define what needs to be done, who will do it and by when (that is, if you do not apply project management), you may never finish the job.
3. Define the scope
If your organization is large, it makes sense to start implementing ISO 27001 in one part of the business. This reduces project risk: you bring each business unit into the ISMS separately and integrate them at the end.
Note: for small organizations (roughly 50 employees or fewer) a company-wide scope is usually the practical choice. The standard itself sets no headcount rule, but carving a sub-scope out of a small organization rarely makes sense, because the same people and systems serve the whole business and an auditor will question what the exclusion achieves.
Your management team should help define the scope of the ISMS, contribute to the risk register and identify the assets to be protected (i.e., tell you which business assets matter). Scoping also covers internal and external factors, such as dependencies on your human resources, marketing and communications teams, as well as on regulators, certification bodies and law enforcement agencies. Think about how your security team will work with each of these dependencies and document each process, indicating who the decision maker is for each activity.
Set goals and budgets and provide estimated deadlines. If your scope is too small, you may leave important information outside the ISMS and unprotected; if it is too large, the ISMS quickly becomes complex and the risk of failure rises. Finding the balance is very important.
In your ISMS scope document, include a brief description of the locations, a floor plan and an org chart. The standard does not strictly require these, but certification auditors like to see them. The scope document itself is required by ISO 27001 (clause 4.3), although it can form part of your information security policy rather than stand alone.
4. Write an Information Security Policy
The Information Security Policy (or ISMS Policy) is the highest-level internal document in your ISMS. It should not be overly detailed, but it should set out the basic information security requirements of your organization. Its purpose is for management to define what it wants to achieve and, at a high level, how it intends to achieve it; the details belong in the lower-level policies and procedures that sit beneath it.
5. Specify the methodology for risk assessment
Risk assessment is the most difficult task in an ISO 27001 project. The objective of this step is to define the rules: how risks are identified, how impact and likelihood are scored, and what level of risk is acceptable. If those rules are not clearly defined up front, different people will score the same risk differently and you may end up with results that are unusable.
6. Conduct the risk assessment and risk treatment
You must now carry out the risk assessment you defined in the previous step. This may take several months in a larger organization, so coordinate the effort carefully. The goal is a comprehensive picture of the internal and external threats to your organization's information. (To learn more, see ISO 27001 risk assessment: How to Match Assets, Threats, and Vulnerabilities.)
The aim of the risk treatment process is to reduce unacceptable risks, which is usually accomplished by planning to use Annex A controls. (For more information, see the article 4 risk mitigation options according to ISO 27001.)
In this step a Risk Assessment Report must be prepared, covering everything done during the risk assessment and risk treatment process. Approval of the residual risks must also be obtained, either as a separate document or as part of the Statement of Applicability.
7. Write the Statement of Applicability
Once you have completed the risk treatment process, you will know exactly which controls from Annex A you need (the 2013 edition lists 114 controls and the 2022 revision 93; you are unlikely to need all of them). The purpose of this document, usually referred to as the SoA, is to list every Annex A control and state whether it is applicable or not and why, the objectives to be achieved with the applicable controls, and how they are implemented in the organization.
The Statement of Applicability is also the most suitable document to obtain management authorization for the implementation of the ISMS.
8. Create a Risk Treatment Plan
Just when you thought you were done with risk-related documents, here comes another one. The purpose of the Risk Treatment Plan is to define exactly how the controls selected in the SoA will be implemented: who will do it, by when, with what budget, and so on. It is in effect an implementation plan centred on your controls; without it you cannot coordinate the remaining project steps.
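Steps 5 to 8 are one chain: the scoring rules decided in step 5 drive the register in step 6, which in turn determines what the SoA (step 7) and the treatment plan (step 8) contain. The script below is an added example that is not part of the original article and not an ISO 27001 artefact; it walks a constructed register through that chain. The 1 to 5 scales, the acceptance threshold of 6, the register entries and the mapping of controls to risks are all assumptions made for illustration, while the control IDs and names are taken from Annex A of the 2013 edition of the standard.

```python
"""Added example for steps 5 to 8: scoring rules, risk register, SoA and treatment plan.
Not from the original article; scales, threshold, register entries and the control-to-risk
mapping are constructed assumptions. Control IDs and names follow Annex A of the 2013 edition."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Step 5: the rules are fixed before any risk is scored.
SCALE = range(1, 6)        # likelihood and impact are each scored 1..5
ACCEPTABLE_RISK = 6        # risk = likelihood * impact; a score <= 6 is accepted as is
TREATMENTS = {"mitigate", "accept", "avoid", "transfer"}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    treatment: str = "mitigate"
    controls: List[str] = field(default_factory=list)   # Annex A controls chosen
    residual_likelihood: Optional[int] = None          # estimated after treatment
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}: scores must be in {list(SCALE)}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.asset}: unknown treatment {self.treatment!r}")

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        if self.treatment == "avoid":        # activity discontinued, risk removed
            return 0
        if self.treatment == "accept":       # nothing changes
            return self.inherent
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp


def residual_risks_for_approval(risks: List[Risk]) -> List[str]:
    """Step 6: residual risk still above the threshold needs explicit management sign-off."""
    return [r.asset for r in risks if r.residual > ACCEPTABLE_RISK]


def validate_register(risks: List[Risk]) -> List[str]:
    """Consistency checks an auditor would make before accepting the register."""
    problems = []
    for r in risks:
        if r.treatment == "mitigate" and not r.controls:
            problems.append(f"{r.asset}: 'mitigate' chosen but no controls selected")
        if r.treatment in {"mitigate", "transfer"} and r.residual == r.inherent:
            problems.append(f"{r.asset}: treatment leaves the risk unchanged; re-estimate")
    return problems


def statement_of_applicability(risks: List[Risk], catalogue: Dict[str, str]) -> Dict[str, dict]:
    """Step 7: every catalogue control is listed, applicable or not, with a justification."""
    used: Dict[str, List[str]] = {}
    for r in risks:
        if r.treatment == "mitigate":
            for cid in r.controls:
                used.setdefault(cid, []).append(f"{r.asset} / {r.threat}")
    soa = {}
    for cid, name in catalogue.items():
        applicable = cid in used
        why = "treats risk(s): " + "; ".join(used[cid]) if applicable else "no assessed risk requires this control"
        soa[cid] = {"name": name, "applicable": applicable, "justification": why}
    return soa


def risk_treatment_plan(risks: List[Risk], owners: Dict[str, str]) -> List[dict]:
    """Step 8: one actionable line per selected control (owner names are assumed)."""
    plan, seen = [], set()
    for r in risks:
        for cid in (r.controls if r.treatment == "mitigate" else []):
            if cid not in seen:
                seen.add(cid)
                plan.append({"control": cid, "owner": owners.get(cid, "CISO"),
                             "driven_by": f"{r.asset} / {r.threat}", "status": "planned"})
    return plan


# Step 6: a constructed register; every value here is illustrative.
REGISTER = [
    Risk("Customer database", "ransomware", "servers not patched promptly", 4, 5,
         "mitigate", ["A.12.6.1", "A.12.3.1"], residual_likelihood=2, residual_impact=3),
    Risk("Admin accounts", "password guessing", "no lockout or MFA", 4, 4,
         "mitigate", ["A.9.4.2", "A.9.4.3"], residual_likelihood=2, residual_impact=4),
    Risk("Legacy FTP server", "credential sniffing", "cleartext protocol", 4, 3, "avoid"),
    Risk("Server room", "fire", "no suppression system", 1, 5, "transfer", residual_impact=3),
    Risk("Marketing website", "defacement", "outdated CMS plugin", 2, 2, "accept"),
]
CATALOGUE = {   # small subset of Annex A (2013)
    "A.9.4.2": "Secure log-on procedures",
    "A.9.4.3": "Password management system",
    "A.12.3.1": "Information backup",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.14.2.7": "Outsourced development",
}

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:20} inherent={r.inherent:2} treatment={r.treatment:8} residual={r.residual}")
    print("needs approval:", residual_risks_for_approval(REGISTER), "problems:", validate_register(REGISTER))
    print(statement_of_applicability(REGISTER, CATALOGUE), risk_treatment_plan(REGISTER, {}))
```

Two points the script makes that the prose only implies: "Admin accounts" is mitigated yet still ends at a residual score of 8, above the threshold, so it lands on the list that management must formally accept; and "A.14.2.7" appears in the SoA as not applicable with a reason, because the SoA must account for every Annex A control, not only the ones you adopt.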
9. Define how to measure the effectiveness of controls
This is another task that is usually underestimated in a management system. If you cannot measure what you have done, how can you be sure it fulfilled its purpose? Define how you will measure the achievement of the objectives you have set, both for the ISMS as a whole and for individual security processes and controls. A measurable target with a named data source (for example, a percentage computed from patching or training records) is far easier to audit than a statement of intent.
10. Implement Controls & Procedures
This is where you put the documents and records required by clauses 4 through 10 of the standard, as well as the applicable controls from Annex A, into action. Because it necessitates the implementation of new behaviors, this is usually one of the riskiest activities in the project. New controls, policies, and procedures are required, and people frequently resist change. As a result, the next step is critical to avoiding this risk becoming a problem.
11. Implement Training & Awareness Programmes
Now that you have new policies and procedures in place, it is time to inform your employees. Plan training sessions, webinars, and so on. Provide them with a thorough explanation of why these changes are required; this will assist them in adopting the new ways of working.
A security awareness programme that satisfies ISO 27001 (clause 7.3 and, in the 2013 edition, control A.7.2.2) typically includes the following components:
1. Roles and responsibilities for running the programme
2. Security awareness poster campaigns
3. Computer-based security awareness training
4. Simulated phishing exercises
5. Cyber security alerts and advisories
The standard itself requires that people working under your control are aware of the information security policy, of their own contribution to the ISMS and of the consequences of not conforming to it; it does not prescribe delivery methods, so pick the components above that fit your organization and keep the attendance and completion records.
One of the most common reasons for project failure is the absence of these activities in an ISMS.
12. Operate the ISMS
Records management should become part of your daily routine. Certification auditors love records; without them it is very hard to prove that an activity actually took place. Keep clear, concise records so that you can monitor what is going on and confirm that employees and suppliers are performing their duties as expected.
Automatically created records:
- Logs created within your information systems
- Reports created from the information systems
Manually created records:
- Reports where additional input was needed
- Training records
- Records from drills, testing, and exercising
- Meeting minutes
- Corrective actions
- Asset inventories
- To-do lists
- Change history within documents
- Post-incident review results
- Visitor's logbook
13. Monitor the ISMS
What is happening in your ISMS? How many incidents do you have, and of what type? Are all the procedures carried out properly?
This is where the objectives for your controls and measurement methodology come together – you have to check whether the results you obtain are achieving what you have set in your objectives. If not, you know something is wrong – you have to perform corrective and/or preventive actions.
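Steps 9, 12 and 13 fit together: step 9 defines the measurement rule and target for each objective, step 12 produces the records, and step 13 computes the metric from those records and compares it with the target. The script below is an added example, not from the original article, showing that loop for three objectives. The objectives, targets, control references and all the vulnerability, training and incident records are constructed assumptions; in practice the records come from your ticketing, vulnerability management and training systems, and the targets from whatever you defined in step 9.

```python
"""Added example for steps 9, 12 and 13: measuring control effectiveness from records.
Not from the original article; objectives, targets and the records below are constructed
assumptions. Control references follow Annex A of the 2013 edition."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import median
from typing import Callable, Dict, List, Optional, Tuple

PERIOD_END = date(2024, 3, 31)   # the reporting period under review (assumed)


@dataclass(frozen=True)
class Objective:
    control: str                 # control or process the objective belongs to
    metric: str                  # the measurement rule defined in step 9
    target: float
    higher_is_better: bool = True


@dataclass(frozen=True)
class Measurement:
    objective: Objective
    value: float

    def conforms(self) -> bool:
        if self.objective.higher_is_better:
            return self.value >= self.objective.target
        return self.value <= self.objective.target


# Step 12 records (constructed): asset, severity, date found, date fixed (None = still open)
VULNS: List[Tuple[str, str, date, Optional[date]]] = [
    ("web-01", "critical", date(2024, 3, 1), date(2024, 3, 9)),
    ("db-01", "critical", date(2024, 3, 3), date(2024, 3, 25)),
    ("app-02", "critical", date(2024, 3, 10), None),
    ("app-02", "high", date(2024, 3, 12), date(2024, 3, 20)),
    ("vpn-01", "critical", date(2024, 3, 15), date(2024, 3, 22)),
]
# employee -> date of last completed awareness training (constructed)
TRAINING: Dict[str, Optional[date]] = {
    "alice": date(2024, 2, 2), "bob": date(2023, 1, 10), "carol": None, "dave": date(2024, 3, 5),
}
# incident id, detected, contained (constructed)
INCIDENTS: List[Tuple[str, datetime, datetime]] = [
    ("INC-1", datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 15, 30)),
    ("INC-2", datetime(2024, 3, 11, 8, 0), datetime(2024, 3, 12, 8, 0)),
    ("INC-3", datetime(2024, 3, 20, 22, 0), datetime(2024, 3, 21, 6, 0)),
]


def pct_critical_fixed_in_sla(vulns=VULNS, sla_days: int = 14, as_of: date = PERIOD_END) -> float:
    """Share of critical findings fixed within the SLA. Open findings already past due count
    as misses; open findings not yet due are left out so they do not inflate the figure."""
    met = missed = 0
    for _asset, severity, found, fixed in vulns:
        if severity != "critical":
            continue
        due = found + timedelta(days=sla_days)
        if fixed is not None:
            met, missed = (met + 1, missed) if fixed <= due else (met, missed + 1)
        elif as_of > due:
            missed += 1
    total = met + missed
    return round(100.0 * met / total, 1) if total else 100.0


def pct_staff_trained(training=TRAINING, max_age_days: int = 365, as_of: date = PERIOD_END) -> float:
    """Share of staff whose last awareness training is recent enough to count."""
    current = sum(1 for d in training.values() if d is not None and (as_of - d).days <= max_age_days)
    return round(100.0 * current / len(training), 1) if training else 100.0


def median_hours_to_contain(incidents=INCIDENTS) -> float:
    hours = [(contained - detected).total_seconds() / 3600 for _id, detected, contained in incidents]
    return float(median(hours)) if hours else 0.0


# Step 9 output: each objective carries its target and the function that measures it.
OBJECTIVES: List[Tuple[Objective, Callable[[], float]]] = [
    (Objective("A.12.6.1 technical vulnerability management",
               "% critical findings fixed within 14 days", 90.0), pct_critical_fixed_in_sla),
    (Objective("A.7.2.2 awareness training", "% staff trained in the last 12 months", 95.0), pct_staff_trained),
    (Objective("A.16.1 incident management", "median hours from detection to containment",
               24.0, higher_is_better=False), median_hours_to_contain),
]


def measure_all(objectives=OBJECTIVES) -> List[Measurement]:
    return [Measurement(obj, fn()) for obj, fn in objectives]


def nonconformities(measurements: List[Measurement]) -> List[str]:
    """Step 13: objectives not met; each one needs a corrective action (step 16)."""
    return [f"{m.objective.control}: {m.objective.metric} = {m.value} (target {m.objective.target})"
            for m in measurements if not m.conforms()]


if __name__ == "__main__":
    results = measure_all()
    for m in results:
        print("OK  " if m.conforms() else "FAIL", m.objective.control, m.value, "target", m.objective.target)
    for item in nonconformities(results):
        print("nonconformity:", item)
```

With the constructed records, patching lands at 50% against a 90% target and training at 50% against 95%, so both surface as nonconformities, while incident containment (median 8 hours against a 24 hour ceiling) passes. The handling of the open but not yet due finding is the kind of rule that has to be written down in step 9; otherwise two people computing the same metric from the same records will report different numbers.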
14. Internal audit
Very often people are not aware that they are doing something wrong (and sometimes they are aware but would rather nobody found out). Either way, being unaware of existing or potential problems can hurt your organization, and an internal audit is how you find such things out. The point is not to start disciplinary action but to take corrective and/or preventive action.
15. Management review
Management does not have to configure your firewall, but it must know what is going on in the ISMS: whether everyone performed their duties, whether the ISMS is achieving the desired results and fulfilling the defined requirements, and so on. Based on that, management must make some crucial decisions, for example on resources, on changes to the ISMS and on which residual risks it is prepared to accept.
16. Corrective and preventive actions
The goal of a management system is to ensure that everything that is wrong (so-called "non-conformities") is corrected or, ideally, prevented. ISO 27001 therefore requires non-conformities to be handled systematically: identify the root cause, correct it, and verify that the correction worked (clause 10.1). Note that the 2013 revision dropped "preventive action" as a separate requirement; prevention is now expected to come from the risk assessment and treatment in clause 6.1 rather than from a standalone procedure.
Hopefully this ISO 27001 checklist has clarified what needs to be done. Implementing ISO 27001 is not a small task, but neither is it an impossible one: plan each step carefully, keep the records that prove you did it, and your organization will be well placed to achieve certification.