When looking at information security the emphasis is usually on risk assessment and the maintenance of controls to protect against risk. And it’s right that this should be the main focus; it is, after all, the main deliverable of the whole information security idea.
In a perfect world we would just assess our risks, based on our perfect knowledge of the business and the threats to it and nothing would ever change. The controls would be appropriate and effective at all times, never need improving and everyone would know how to use them.
But we live in a far from perfect world where things can and do change on a regular basis: we don’t know everything about the business, risks change, people come and go from the organization, and our definition of what’s important moves all the time.
So the ISO/IEC 27001 standard proposes that we don’t just need a plan; we need an Information Security Management System or ISMS. The function of the ISMS is to wrap itself around the risk assessment and controls and ensure (among other things) that:
The CertiKit ISO/IEC 27001 Toolkit (referred to here simply as the “Toolkit”) provides not only the plan, but also a large part of the ISMS that supports it. So within your Toolkit you will have an array of useful documents which provide a starting point for all of the different areas of the standard. The documents are in Microsoft Office 2010® format and consist of Word documents, Excel workbooks, PowerPoint presentations, Visio diagrams and Project plans.
Each document is located within a folder structure that maps onto the various sections of the standard and is placed under the section that is most relevant to its content. Some documents are relevant to multiple sections of the standard; these are placed in the section of greatest relevance.
A document reference naming convention is used throughout the Toolkit which is described in ISMS07003 Information Security Management System Documentation Log. This includes a reference to the section number of the ISO/IEC 27001 standard in which the document is stored. The standard doesn’t require that you use this specific naming convention so feel free to change it if you need to.
The documents themselves have a common layout and look and feel and adopt the same conventions for attributes such as page widths, fonts, headings, version information, headers and footers. Custom fields are used for the common items of information that need to be tailored such as [Organization Name] and these need to be changed in each document.
Every document starts with an “Implementation Guidance” section which describes its purpose, the specific areas of the ISO/IEC 27001 standard it is relevant to, general guidance about completing and reviewing it and some legal wording about licensing etc. Once read, this section may be removed from the final version of the document.
The layout and headings of each document have been designed to guide you towards meeting the requirements of the standard, and example content has been provided to illustrate the type of information that should be given in the relevant place. This content is based upon an understanding of what a “typical” organization might want to say, but it is very likely that your organization will vary from this profile in many ways, so you will need to think carefully about what content to keep and what to change.
The key to using the Toolkit successfully is to review and update each document in the context of your specific organization. Don’t accept the contents without reading them and thinking about whether they meet your needs – does the document say what you want it to say, or do you need to change various aspects to make it match the way you do things? This is particularly relevant for policies and processes where there is no “right” answer.
The function of the document content is to help you assess what’s right for you, so use due care when considering it. We have highlighted the sections where the content is very likely to need amending, but be aware that other, non-highlighted sections may also need to be updated for your organization.
Having created an ISMS and got it working for you, it’s then a short step to achieving certification for your organization, large or small. Advice for the audit is covered in some of our other blogs but with a little effort you’ll be holding your new ISO27001 certificate before you know it.