We’ve summarized some of the most common elements of an ISMS project (in no particular order):
|
|
|
Conduct a gap analysis
A gap analysis determines the shortfall between your current information security processes and the Standard’s requirements. It also identifies the resources and capabilities you need in order to close the gap.
|
|
|
Scope the ISMS
Scoping requires a decision about which information assets are going to be protected. In larger organizations, this can be a tough, complicated process. Incorrectly scoping the project can leave your organization vulnerable to risks that were not considered.
Determining the context of your organization requires a review of aspects such as its risk appetite and culture. This is to ensure the ISMS is designed to suit your business.
|
|
|
Develop your information security policy
The policy should reflect the organization’s view on information security and be agreed by the board.
|
|
|
Conduct a risk assessment
Risk assessment is at the core of any ISMS. A risk assessor will identify the risks the organization faces and conduct a risk estimation and evaluation of those risks. This often takes the form of an asset-based risk assessment. The risk assessment helps to identify whether controls are necessary and cost-effective for the organization.
|
|
|
Select your controls
Controls should be applied to manage or reduce the risks identified by the risk assessment. ISO 27001 requires you to compare the controls you select against its own list of best-practice controls contained in Annex A.
|
|
|
Create a Statement of Applicability (SoA)
The SoA should set out a list of all controls you have selected, together with a justification for their inclusion, a statement of whether or not they have been implemented, and justification for the exclusion of any controls from Annex A of ISO/IEC 27001:2013.
|
|
|
Set up a risk treatment plan (RTP)
The RTP describes the steps to be taken to deal with each risk identified in the risk assessment.
|
|
|
Create your documentation
Documentation needs to be developed to support every planned control and every component of the ISMS. This is to establish a point of reference to ensure consistent application and continual improvement. Creating documentation is the most time-consuming part of implementing an ISMS.
|
|
|
Roll out a staff awareness program
All staff should regularly receive training to increase their awareness of information security issues and the purpose of the ISMS.
|
|
|
Conduct regular testing
ISO 27001 requires internal audits of the ISMS at planned intervals to determine whether the controls work as they should. Regular testing should also be conducted to ensure that your incident response plans function effectively.
|
|
|
Management review
Top management should review the performance of the ISMS at least annually.
|
|
|
Choose your certification body
It is important to ensure that the certification body you use is properly accredited by a recognized national accreditation body that is a member of the IAF, such as American National Standards Institute (ANSI).
Read more about the importance of accredited certification.
|
|
|
Gain accredited certification
The certification body will review your management system documentation and check that you have implemented appropriate controls, followed by a site audit to test the procedures in practice.
|
|
|
Manage and review your ISMS
ISO 27001 specifies the requirements for maintaining and continually improving the ISMS.
|