What is ISO 27001?
ISO 27001 is the internationally recognized standard for managing risks to the security of the information you hold. Certification to ISO 27001 lets you demonstrate to clients and other stakeholders that you manage the security of that information in a controlled, auditable way. The standard specifies the requirements for an Information Security Management System (ISMS) and takes a process-based approach to establishing, implementing, operating, monitoring, maintaining and improving it. Its full name in the 2013 edition is “ISO/IEC 27001 – Information technology — Security techniques — Information security management systems — Requirements” (the 2022 edition is titled “Information security, cybersecurity and privacy protection — Information security management systems — Requirements”). It is the leading international standard for information security management, published by the International Organization for Standardization (ISO) together with the International Electrotechnical Commission (IEC), and it belongs to the ISO/IEC 27000 family of information security standards.
Securing your organization’s information is critical to the successful management and smooth operation of your organization. Implementing an ISMS to ISO 27001 helps your organization manage and protect its data and information assets.
By achieving certification to ISO 27001 your organization gains numerous, lasting benefits, including:
- Keeps confidential information secure.
- Gives clients and stakeholders confidence in how you manage risk.
- Allows for the secure exchange of information.
- Helps you comply with other regulations.
- Provides a competitive advantage.
- Enhances customer satisfaction and improves client retention.
- Brings consistency to the delivery of your service or product.
- Manages and minimizes risk exposure.
- Builds a culture of security.
- Protects the company, its assets, shareholders and directors.
- Helps you avoid hefty fines.
- Protects your reputation.
- Supports compliance with business, legal, contractual and regulatory requirements.
- Improves structure and focus.
- Reduces the need for frequent customer audits, since one certificate answers many security questionnaires.
Steps for Implementation of ISO 27001
If you are starting to implement ISO 27001, you are probably looking for an easy way to do it. Let me disappoint you: there is no easy way. Here is the list of steps you have to go through if you want to achieve ISO 27001 certification:
1. Obtain management support
This one may seem obvious, yet it is usually not taken seriously enough. In our experience it is the most common reason ISO 27001 projects fail: management does not provide enough people, or enough money, to do the work.
2. Treat it as a project
As already said, ISO 27001 implementation is a complex project involving many activities and many people, and it lasts several months. If you do not define clearly what is to be done, who is going to do it and in what time frame, you may never finish the job.
3. Define the scope
If you are a larger company, it probably makes sense to implement ISO 27001 in only one part of the organization first, which significantly lowers the project risk. Write the scope down and justify it: every interface and dependency between the in-scope part and the rest of the business (shared IT, HR, suppliers) must be identified, because those boundaries are where auditors look first.
4. Write an Information Security Policy
The Information Security Policy, or ISMS Policy, is the highest-level document in your ISMS. It should not be very detailed, but it should set the basic direction for information security in your organization. What is its intent, then, if it is not detailed? It is for management to define what it wants to achieve and how it will control it.
5. Define the Risk Assessment methodology
Risk assessment is the most difficult task in an ISO 27001 implementation. The point is to define, before you start assessing, the rules for identifying assets, vulnerabilities, threats, impacts and likelihood, the scales used to score them, and the acceptable level of risk. If the rules are not clearly defined, different assessors will score the same risk differently and you will end up with results you cannot use for decisions.
6. Perform the risk assessment & risk treatment
Here you apply the risk assessment methodology you defined in the previous step. It can take several months in a larger organization, so coordinate the effort with great care. The aim is a comprehensive picture of the dangers to your organization’s information. The risk treatment process then reduces the risks that exceed the acceptable level, usually by planning to implement controls. In this step a Risk Assessment Report has to be prepared, documenting every step taken during risk assessment and risk treatment. Approval of the residual risks must also be obtained from the risk owners, either as a separate document or as part of the Statement of Applicability.
7. Write the Statement of Applicability
Once you have completed your risk treatment process, you know exactly which controls you need. The Statement of Applicability (SoA) lists all controls, states which are applicable and which are not, gives the reason for each decision, the objectives to be achieved with each applicable control, and describes how it is implemented. The SoA is also a suitable document for obtaining management authorization for the implementation of the ISMS.
8. Write the Risk Treatment Plan
Just when you thought you had cleared up all the risk-related documents, here comes another one. The Risk Treatment Plan defines exactly how the controls in the SoA are to be executed: who is going to do it, by when, with what budget, and so on. It is in effect an implementation plan focused on your controls, without which you cannot coordinate the further steps of the project.
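As an added illustration of steps 5 to 8 (this is not code from the original article), the following Python sketch fixes a scoring methodology up front, scores a small constructed risk register against an acceptance criterion, derives a Statement of Applicability from the planned controls and produces the rows of a treatment plan. The 1-5 scales, the acceptance threshold, the asset names and the Annex A-style control references are all assumptions; check the control numbering against the edition of the standard you certify to.

```python
"""Constructed example: a minimal risk register walking ISO 27001 steps 5 to 8.
Scales, the acceptance threshold, assets and control references are assumptions."""
from dataclasses import dataclass, field

# Step 5 - methodology fixed before assessment: 1-5 ordinal scales,
# risk = likelihood x impact, and the level management accepts without treatment.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTABLE_RISK = 6   # assumption: scores of 6 or below are accepted as they are


@dataclass(frozen=True)
class Control:
    ref: str                        # Annex A-style reference; numbering assumed
    name: str
    likelihood_reduction: int = 0   # scale points the control removes once implemented
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)   # planned treatment

    def inherent(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> int:
        # A factor never drops below 1: controls reduce a risk, they do not erase it.
        lik = max(1, LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def treatment(risk: Risk) -> str:
    """Step 6 - decision against the acceptance criterion."""
    if risk.inherent() <= ACCEPTABLE_RISK:
        return "accept"      # within appetite: record it, no treatment needed
    if risk.residual() <= ACCEPTABLE_RISK:
        return "mitigate"    # planned controls bring it within appetite
    return "escalate"        # still above appetite: more controls or explicit sign-off


def statement_of_applicability(catalogue, risks):
    """Step 7 - every catalogue control, applicable or not, with the justification."""
    soa = {}
    for control in catalogue:
        justified_by = [f"{r.asset}/{r.threat}" for r in risks if control in r.controls]
        soa[control.ref] = {
            "name": control.name,
            "applicable": bool(justified_by),
            "justification": "; ".join(justified_by) or "no assessed risk requires it",
        }
    return soa


def treatment_plan(risks):
    """Step 8 - one row per control for every risk that is not simply accepted."""
    return [
        {"risk": f"{r.asset}/{r.threat}", "control": c.ref,
         "residual": r.residual(), "decision": treatment(r)}
        for r in risks if treatment(r) != "accept"
        for c in r.controls
    ]


# Constructed control catalogue (references assumed, not quoted from the standard)
BACKUP = Control("A.8.13", "Information backup", impact_reduction=2)
MALWARE = Control("A.8.7", "Protection against malware", likelihood_reduction=2)
ACCESS = Control("A.5.15", "Access control", likelihood_reduction=1)
CLOCK = Control("A.8.17", "Clock synchronisation")   # listed, but no risk below needs it
CATALOGUE = [BACKUP, MALWARE, ACCESS, CLOCK]

# Constructed risk register
RISKS = [
    Risk("customer DB", "ransomware", "unpatched servers", "likely", "severe", [MALWARE, BACKUP]),
    Risk("HR records", "insider leak", "broad read access", "possible", "major", [ACCESS]),
    Risk("brochure stock", "theft", "unlocked cupboard", "likely", "negligible"),
]

if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.asset}: inherent {r.inherent()}, residual {r.residual()}, {treatment(r)}")
    for ref, entry in statement_of_applicability(CATALOGUE, RISKS).items():
        print(f"{ref} {entry['name']}: applicable={entry['applicable']} ({entry['justification']})")
    for row in treatment_plan(RISKS):
        print(row)
```

Two things the sketch deliberately makes visible: the HR risk stays above the threshold even after its planned control, so it comes out as "escalate" rather than quietly disappearing into the plan, which is exactly the residual-risk approval the previous step asks for; and a control can be in the catalogue yet not applicable, with the reason recorded. In a real SoA a control may also be applicable because of a legal, contractual or policy requirement rather than an assessed risk; the example derives applicability from the register only.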
9. Define how to determine the effectiveness of controls
Another task that is usually underestimated. If you cannot measure what you have done, how can you be sure it has fulfilled its purpose? So define how you are going to measure the fulfilment of the objectives you have set, both for the ISMS as a whole and for each applicable control in the Statement of Applicability: what is measured, how, by whom, how often, and what result counts as success.
10. Implement the controls & mandatory procedures
Easier said than done. This is where you implement the mandatory procedures and the applicable controls, and it is usually the riskiest task in the project. It often means introducing new technology, but above all it means introducing new behaviour in your organization. New policies and procedures are needed, and people resist change, which is why the next task is crucial for managing that risk.
11. Implement training and awareness programs
If you need your personnel to follow all the new policies and procedures, you first have to explain why they are required and train people to perform as expected. Skipping these activities is the second most common reason ISO 27001 projects fail.
12. Operate the ISMS
This is where ISO 27001 becomes an everyday routine in your organization. The crucial word here is “records”. Auditors care about records: without them you will find it very hard to prove that an activity was really carried out. But records should help you first of all: by using them you can monitor what is happening and know with confidence whether your employees and suppliers are performing their tasks as required.
13. Monitor the ISO 27001 (ISMS)
What is happening in your ISMS? How many incidents do you have, and of what type? Are all the procedures carried out properly? This is where the objectives for your controls and the measurement methodology come together: you check whether the results you obtain achieve what you set out in your objectives. If not, something is wrong and you have to take corrective and/or preventive action.
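As an added example (not from the original article) of how step 9 and step 13 fit together: two objectives are written as measurable rules in advance, the records collected while operating the ISMS are evaluated against them, and each objective comes out either as conforming or as a nonconformity that needs corrective action. The objectives, the targets, the review period and every record below are constructed for illustration.

```python
"""Constructed example: measuring control effectiveness against defined objectives.
Objectives, targets, the review period and all records are assumptions."""
from datetime import date

# Step 9 - measures defined in advance (assumed objectives, not the standard's text)
PATCH_SLA_DAYS = 14        # critical fixes applied within 14 days of becoming available
PATCH_TARGET = 0.95        # at least 95% of tickets must meet the SLA
REVIEW_START, REVIEW_END = date(2024, 1, 1), date(2024, 12, 31)

# Constructed operating records: (ticket, fix available, fix applied)
PATCH_RECORDS = [
    ("VULN-101", date(2024, 2, 2), date(2024, 2, 9)),
    ("VULN-102", date(2024, 3, 14), date(2024, 3, 20)),
    ("VULN-103", date(2024, 5, 30), date(2024, 7, 2)),    # 33 days, breaches the SLA
    ("VULN-104", date(2024, 8, 8), date(2024, 8, 19)),
    ("VULN-105", date(2024, 11, 1), date(2024, 11, 12)),
]
# Constructed dates on which a backup restore was actually tested
RESTORE_TESTS = [date(2024, 1, 20), date(2024, 4, 11), date(2024, 9, 3), date(2024, 12, 5)]


def patch_sla_rate(records, sla_days=PATCH_SLA_DAYS):
    """Share of tickets whose fix was applied within the SLA."""
    within = sum(1 for _, available, applied in records if (applied - available).days <= sla_days)
    return within / len(records)


def quarters_in(start, end):
    """Every (year, quarter) touched by the review period."""
    quarters, year, month = set(), start.year, start.month
    while (year, month) <= (end.year, end.month):
        quarters.add((year, (month - 1) // 3))
        year, month = (year, month + 1) if month < 12 else (year + 1, 1)
    return quarters


def restore_test_coverage(tests, start, end):
    """(quarters with at least one restore test, quarters required)."""
    required = quarters_in(start, end)
    covered = {(d.year, (d.month - 1) // 3) for d in tests if start <= d <= end}
    return len(covered & required), len(required)


def verdict(measured, target):
    return "conforms" if measured >= target else "nonconformity: corrective action required"


def monitoring_report(patch_records=PATCH_RECORDS, restore_tests=RESTORE_TESTS,
                      start=REVIEW_START, end=REVIEW_END):
    """Step 13 - compare what the records show with what the objectives demand."""
    rate = patch_sla_rate(patch_records)
    done, needed = restore_test_coverage(restore_tests, start, end)
    return {
        "patching within SLA": {"measured": rate, "target": PATCH_TARGET,
                                "status": verdict(rate, PATCH_TARGET)},
        "restore test every quarter": {"measured": done, "target": needed,
                                       "status": verdict(done, needed)},
    }


if __name__ == "__main__":
    for objective, result in monitoring_report().items():
        print(f"{objective}: {result['measured']} vs {result['target']} -> {result['status']}")
```

The point of writing the objective as a rule over raw records (dates, not a self-reported “done” flag) is that the same records that satisfy the auditor also tell you, before the audit, that one of the two objectives was missed and a corrective action is due.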
14. Internal audit
Very often people are not aware they are doing something wrong (and sometimes they are aware but would rather nobody found out). Being unaware of existing or potential problems can hurt your organization, so you have to perform an internal audit to find them. The point is not to initiate disciplinary action but to take corrective and/or preventive action.
15. Management review
Management does not have to configure your firewall, but it must understand what is going on in the ISMS: whether everyone performed their duties, whether the ISMS is achieving the desired results, and so on. Based on that, management must make the major decisions.
16. Corrective and preventive actions
The purpose of the management system is to ensure that every nonconformity is corrected and, ideally, prevented from recurring. ISO 27001 therefore requires corrective and preventive action to be carried out systematically: the root cause of a nonconformity must be identified, then eliminated, and the effectiveness of the action verified.
Principles of ISO 27001
Information protection under ISO 27001 rests on the three principles of information security, often called the CIA triad:
- Confidentiality – information is accessible only to those who are authorized to access it.
- Integrity – information is accurate and complete, and has not been altered without authorization.
- Availability – authorized users have access to information when they need it.