With the right preparation and a good understanding of what is required, most organizations can expect to achieve registration (also known as certification) to ISO 27001 within 6 – 12 months, depending on the size and complexity of the scope of the management system.
IT Governance offers a FastTrack™ service for companies with fewer than 20 employees, which prepares organizations for registration within three months for well under $10,000.
Get an understanding of ISO 27001:2013
The following sources of information will give you the necessary understanding of ISO 27001:
- Purchase a copy of the Standard
- You may want to attend an introductory online ISO 27001 Foundation course
- Read a white paper about the Standard
- The ISO 27001 Basics bundle contains the core ISO 27001 standards, plus two bestselling ISO 27001 implementation guidance manuals
Appoint an ISO 27001 champion
It is important to secure someone knowledgeable (either internally or externally) with solid experience of implementing an information security management system (ISMS), and who understands the requirements for achieving ISO 27001 registration. If you do not have internal expertise, you may want to enrol for the ISO 27001 Online Lead Implementer training course.
Secure senior management support
No project can be successful without the buy-in and support of the organization’s leadership. A gap analysis, which comprises comprehensive review of all existing information security arrangements against the requirements of ISO/IEC 27001:2013, presents a good starting point. A comprehensive gap analysis should ideally also include a prioritized plan of recommended actions, plus additional guidance for scoping your information security management system (ISMS). The results from the gap analysis can be provided to develop a strong business case for ISO 27001 implementation.
2. Establish the context, scope, and objectives
It is essential to pin down the project and ISMS objectives from the outset, including project costs and timeframe. You will need to consider whether you will be using external support from a consultancy, or whether you have the required expertise in-house. You might want to maintain control of the entire project while relying on the assistance of a dedicated online mentor at critical stages of the project.
Using an online mentor will help ensure your project stays on track, while saving you the associated expense of using full-time consultants for the duration of the project.
You will also need to develop the scope of the ISMS, which may extend to the entire organization, or only a specific department or geographical location. When defining the scope, you will need to consider the organizational context as well as the needs and requirements of interested parties (stakeholders, employees, government, regulators, etc.). ‘Context’ takes into account internal and external factors that could influence your organization’s information security, and includes aspects such as the organizational culture, risk acceptance criteria, existing systems, processes, etc.
This all-in ISO 27001 DIY package combines the core ISO 27001 standards and implementation guidance with key implementation tools, attendance at live, online masterclasses, and a mentor and coach consultancy service – all at a fixed price.
3. Establish a management framework
The management framework describes the set of processes an organization needs to follow to meet its ISO27001 implementation objectives. These processes include asserting accountability of the ISMS, a schedule of activities, and regular auditing to support a cycle of continuous improvement.
4. Conduct a risk assessment
While ISO 27001 does not prescribe a specific risk assessment methodology, it does require the risk assessment to be a formal process. This implies that the process must be planned, and the data, analysis, and results must be recorded. Prior to conducting a risk assessment, the baseline security criteria need to be established, which refer to the organization’s business, legal, and regulatory requirements and contractual obligations as they relate to information security.
vsRisk, the simplest and most effective risk assessment software, provides the framework and resources to conduct an ISO 27001-compliant risk assessment. These video tutorials demonstrate how to use vsRisk to conduct a risk assessment.
5. Implement controls to mitigate risks
Once the relevant risks have been identified, the organization needs to decide whether to treat, tolerate, terminate, or transfer the risks. It is crucial to document all of the decisions regarding risk responses, since the auditor will want to review these during the registration (certification) audit. The Statement of Applicability and risk treatment plan are two mandatory reports that must be produced as evidence of the risk assessment.
6. Conduct training
The Standard requires that staff awareness programs are initiated to raise awareness about information security throughout the organization. This might require that virtually all employees change the way they work at least to some extent, such as abiding by a clean desk policy and locking their computers whenever they leave their work stations. A company-wide staff awareness e-learning course is the easiest way to bring across the philosophy behind the Standard, and what employees should do to ensure compliance.
7. Review and update the required documentation
Documentation is required to support the necessary ISMS processes, policies, and procedures. Compiling policies and procedures is often quite a tedious and challenging task, however. Fortunately, documentation templates – developed by ISO 27001 experts – are available to do most of the work for you. Formatted and fully customizable, these templates contain expert guidance to help any organization meet all the documentation requirements of ISO 27001. At a minimum, the Standard requires the following documentation:
- 3 The scope of the ISMS
- 2 Information security policy
- 1.2 Information security risk assessment process
- 1.3 Information security risk treatment process
- 1.3 d) The Statement of Applicability
- 2 Information security objectives
- 2 d) Evidence of competence
- 5.1 b) Documented information determined by the organization as being necessary for the effectiveness of the ISMS
- 1 Operational planning and control
- 2 Results of the information security risk assessment
- 3 Results of the information security risk treatment
- 1 Evidence of the monitoring and measurement of results
- 2 A documented internal audit process
- 2 g) Evidence of the audit programmes and the audit results
- 3 Evidence of the results of management reviews
- 1 f) Evidence of the nature of the non-conformities and any subsequent actions taken
- 1 g) Evidence of the results of any corrective actions taken
Read this blogpost for further information about other documents that could be required.
8. Measure, monitor, and review
ISO 27001 supports a process of continual improvement. This requires that the performance of the ISMS be constantly analyzed and reviewed for effectiveness and compliance, in addition to identifying improvements to existing processes and controls.
9. Conduct an internal audit
ISO/IEC 27001:2013 requires internal audits of the ISMS at planned intervals. A practical working knowledge of the lead audit process is also crucial for the manager responsible for implementing and maintaining ISO 27001 compliance. The Online Certified ISO 27001 Lead Auditor course teaches you how to plan and execute an effective information security audit in line with ISO 27001:2013. If you have not yet selected a registrar, you may need to choose an appropriate organization for this purpose. Registration audits (to achieve accredited registration, recognized globally) may only be conducted by an independent registrar, accredited by the relevant accreditation authority in your country.
10. Registration/certification audits
During the Stage One audit, the auditor will assess whether your documentation meets the requirements of the ISO 27001 Standard and point out any areas of nonconformity and potential improvement of the management system.
Once any required changes have been made, your organization will then be ready for your Stage 2 registration audit.
During a Stage Two audit, the auditor will conduct a thorough assessment to establish whether you are complying with the ISO 27001 standard.
Contact IT Governance today for bespoke ISO 27001 consultancy, or to purchase fixed-price DIY solutions for implementing an ISMS without the associated consultancy fees. IT Governance also offer penetration tests and other IT governance and risk management products and services.