Before embarking on a project to achieve compliance (and possibly certification) to the ISO/IEC 27001 standard it is very important to secure the commitment of top management to the idea. This is probably the single most significant factor in whether such a project (and the ongoing operation of the ISMS afterwards) will be successful. Indeed, “Leadership” has its own clause within the standard, and without it there is a real danger that the ISMS will not be taken seriously by the rest of the organization and that the resources necessary to make it work will not be made available.
The first questions top management are likely to ask about a proposal to become certified to the ISO/IEC 27001 standard are probably:
In order to help answer these questions the CertiKit ISO/IEC 27001 Toolkit provides a number of resources.
The Gap Assessment and Conformity Action Plan is an Excel workbook that breaks down the entire contents of the ISO/IEC 27001 standard into individual requirements and provides a way of recording, one by one, whether your organization currently meets them. By performing this gap assessment you will gain a much better appreciation of how much work is likely to be involved in reaching a point where a certification audit is realistic.
The key to making this gap assessment as accurate as possible is to get the right people involved, so that you have a full picture of what is already in place rather than an optimistic guess. The Gap Assessment and Conformity Action Plan then gives you hard figures on how compliant you currently are for each area of the standard, and presents the position as bar charts that can be shared with top management.
It’s a good idea to repeat the exercise on a regular basis during your project in order to assess your level of progress from the original starting point. The accompanying workbook ISO27001 Assessment Evidence shows you how the various documents in the Toolkit map onto the requirements and what other evidence may be appropriate to show compliance. This may help when deciding whether a requirement is met or not.
Having gained an accurate view of where you are against the standard at the moment, you are then armed with the relevant information to assess how much effort and time will be required to achieve certification. This may be used as part of a presentation to top management about the proposal and a template ISO/IEC 27001 Benefits Presentation is provided in the Toolkit for this purpose. Note that budgetary proposals should include the costs of running the ISMS on an ongoing basis as well as the costs of putting it in place.
As part of your business case you may also need to obtain quotations from one or more external certification bodies for the Stage One (documentation review) and Stage Two (implementation) audits, and for the ongoing surveillance audits that follow certification.
Having secured top management commitment, you will now need to plan the implementation of your ISMS. Even if you’re not using a formal project management method such as PRINCE2® we would still recommend that you do the bare essentials of defining, planning and tracking the implementation effort as a specific project.
We have provided a template Project Initiation Document (or PID) which prompts you to define what you’re trying to achieve, who is involved, timescales, budget, progress reporting etc. so that everyone is clear from the outset about the scope and management of the project. This is also useful towards the end of the project when you come to review whether the project was a success.
Having written the PID, try to ensure it is formally signed off by top management and that copies of it are made available to everyone involved in the project so that a common understanding exists in all areas.
It’s fair to say that in general if you implement your ISMS in the order of the ISO/IEC 27001 standard from section 4 to section 10 you won’t go far wrong. This isn’t necessarily true of some of the other management system standards we have mentioned such as ISO/IEC 20000 but for ISO/IEC 27001, because it includes much of the information security content within a separate Annex A, it actually flows quite well.
There are some steps along the way to certification that need to be done in a certain order, otherwise the right information won’t be available in later stages. An example is that you need to complete your risk assessment (and decide how each risk will be treated) before completing your Statement of Applicability, because otherwise you won’t have enough information to justify whether each Annex A control applies to your organization and why.
The approach shown opposite effectively steps through the standard in order although it starts with the foundation for the project (and for the ongoing ISMS) which is obtaining management commitment.
Once a project manager has been appointed and the project has been planned and started, it’s a good idea to keep the gap assessment you carried out earlier under review and to update it as you continue your journey towards certification. This updated measurement of how close you are to full conformity with the standard can be included in your regular progress/highlight reports, and the CertiKit ISO/IEC 27001 Toolkit includes a template for such reports.
The timing of when to go for certification really depends upon your degree of urgency (for example, you may need evidence of certification for a commercial bid or tender) and how ready you believe the organization to be. Certainly you will need to be able to show that all areas of the ISMS have been subject to internal audit, and that a management review has taken place, before asking your external certification body to carry out the Stage Two (certification) assessment. But you don’t need to wait until you’re “perfect”, particularly as the certification audit will almost certainly throw up things you hadn’t thought of or hadn’t previously regarded as important.