ISO 27001 Implementation

Checklist

Before you can reap the many benefits of ISO 27001, you first need to familiarize yourself with the Standard and its core requirements.

The ISO/IEC 27001:2013, ISO/IEC 27002:2013 and ISO/IEC 27000:2018 standards will serve as your principal points of reference.

Solutions

• ​IT Governance - An International Guide to Data Security and ISO 27001/ ISO 27002 
• Nine Steps to Success – An ISO 27001 Implementation Overvie, North American edition  
• ISO/IEC 27001:2013
• ISO/IEC 27002:2013
• ISO/IEC 27000:2018

Checklist

You will first need to appoint a project leader to manage the project (if it will be someone other than yourself).

Second, you will need to embark on an information-gathering exercise to review senior-level objectives and set information security goals.

Third, you should develop a project plan and project risk register.

Solutions

• ISO 27001 Cybersecurity Toolkit

​The ISO 27001 Toolkit includes a range of project tools that will help you tackle the ISMS.

• Certified ISO 27001 ISMS Lead Implementer Training Course​

The Lead Implementer course teaches you how to implement an ISMS from beginning to end, including how to overcome common pitfalls and challenges.

Checklist

A gap analysis provides a high-level overview of what needs to be done to achieve certification and enables you to assess and compare your organization’s existing information security arrangements against the requirements of ISO 27001.

Find out more about the gap anlaysis process >>

Solutions

• ISO 27001 Cybersecurity Toolkit

This toolkit includes an ISO 27001:2013 and ISO 27002:2013 gap analysis tool that will help you assess yourself against the Standard’s requirements. 

• ISO 27001 Gap Analysis Service

A specialist, in-person review of your current information security posture against the requirements of ISO/IEC 27001:2013. 

• ISO 27001 Gap Analysis Tool

This tool has been designed to help prioritize work areas and list all the requirements from ISO 27001:2013 against which you can assess your current state of compliance.

Checklist

Scoping requires you to decide which information assets to ring-fence and protect. Doing this correctly is essential, because a scope that’s too big will escalate the time and cost of the project, and a scope that’s too small will leave your organization vulnerable to risks that weren’t considered. 

Solutions

• Certified ISO 27001 ISMS Lead Implementer Training Course​

Find out how to scope the ISMS effectively by attending the definitive ISO 27001 Lead Implementer course.

Checklist

You should set out high-level policies for the ISMS that establish roles and responsibilities and define rules for its continual improvement. Additionally, you need to consider how to raise ISMS project awareness through both internal and external communication.

Solutions

• ISO 27001 Cybersecurity Toolkit

The documentation toolkit will save you weeks of work trying to develop all the required policies and procedures.

Checklist

Risk assessments are the core of any ISMS and involve five important aspects:

1. Establishing a risk management framework
2. Identifying potential risks
3. Analyzing risks
4. Evaluating risks
5. Selecting risk treatment options

The risk assessment also helps identify whether your organization’s controls are necessary and cost-effective. 

Learn more about ISO 27001 risk assesments >>

Solutions

• Download our free Risk assessment and ISO 27001 green paper

This green paper will explain and unravel some of the issues surrounding therisk assessment process.

• vsRisk Cloud​

vsRisk Cloud is an online tool for conducting an information security risk assessment aligned with ISO 27001. It is designed to streamline the process and produce accurate, auditable and hassle-free risk assessments year after year.

Checklist

Controls should be applied to manage or reduce risks identified in the risk assessment.

ISO 27001 requires organizations to compare any controls against its own list of best practices, which are contained in Annex A. Creating documentation is the most time-consuming part of implementing an ISMS.

Get an overeiw of the 14 control sets of Annex A with our quick and easy inforgraphic >>

Solutions

• ISO 27001 Cybersecurity Toolkit 

The documentation toolkit provides a full set of the required policies and procedures, mapped against the controls of ISO 27001, ready for you to customise and implement.

• vsRisk Cloud​

vsRisk Cloud includes a full set of controls from Annex A of ISO 27001 in addition to controls from other leading frameworks.

Checklist

The risk treatment plan (RTP) and Statement of Applicability (SoA) are key documents required for an ISO 27001 compliance project. 

The SoA lists all the controls identified in ISO 27001, details whether each control has been applied and explains why it was included or excluded. The RTP describes the steps to be taken to deal with each risk identified in the risk assessment. 

Solutions

• vsRisk Cloud​

vsRisk Cloud can generate two audit-ready reports, the SoA (Statement of Applicability), and a risk treatment plan. 

Checklist

Human error has been widely demonstrated as the weakest link in cybersecurity. Therefore, all employees should receive regular training to increase their awareness of information security issues and the purpose of the ISMS.

Solutions

• ISO 27001 e-learning training course 

E-learning courses are a cost-effective solution for improving general staff awareness about information security and the ISMS. 

Checklist

ISO 27001 requires regular audits and testing to be carried out. This is to ensure that the controls are working as they should be and that the incident response plans are functioning effectively. Additionally, top management should review the performance of the ISMS at least annually.

Solutions

• Certified ISO 27001 ISMS Lead Auditor Training Course​

Our Lead Auditor courses give you the skills to successfully undertake or lead an ISMS audit project. 

Checklist

If you opt for certification, the certification body you use should be properly accredited by a recognized national accreditation body and a member of the International Accreditation Forum. 

Your chosen certification body will review your management system documentation, check that you have implemented appropriate controls and conduct a site audit to test the procedures in practice. 

Solutions

• List of US accredited certification bodies for ISO 27001​ 

It is vital to ensure that the certification body you use is properly accredited by a recognized national accreditation body. Read our blog above to view a full list of accredited certificaiton bodies.