If you’re just starting your ISO27001 implementation and wondering where to begin, this brief article gives you some hints and tips on how to approach your project to implement an information security management system, or ISMS.
Once you’ve defined your scope, probably the most important thing to have in place is management commitment, both for the initial implementation and for the ongoing maintenance of your ISMS. To obtain the level of commitment required, you’ll need to be able to tell management a few basic things, such as how long it will take to create an ISMS, how much it will cost and who needs to be involved. As input to this discussion it may be useful to conduct a gap assessment to understand what’s already in place and what still needs to be done.
The results of the gap assessment will help you to define your approach to the project and to create an initial project plan. The CertiKit toolkit provides a Microsoft Project and an equivalent Microsoft Excel version of a plan which you may use as a starting point. You may also find it useful to set out how your project will be managed within a Project Initiation Document, so that everyone has a common understanding of who’s on the team, what will be delivered and how progress will be reported, amongst other things. Planning is key to a successful ISO27001 implementation.
A common approach to implementing an ISMS is to consider it in two halves. The first is the creation of the management system itself and the second is putting in place the reference controls from Annex A of the standard that your risk treatment identifies as applicable, although there will be overlap between the two areas.
The key aspects of the management system will be the definition of roles, responsibilities and authorities, setting of objectives, defining the information security policy, conducting a risk assessment and creating a treatment plan, completing your statement of applicability, performing a management review and ensuring internal audits are carried out. These are relatively non-technical tasks which are often more about understanding how ISO management systems work than information security. But you will need technical input in parts, such as the risk assessment and treatment plan.
The implementation of the Annex A controls is a somewhat more technical exercise, although some of the controls involved are administrative or procedural in nature. You’ll need to define who the best people are to look at each of the control areas such as human resources, access control, suppliers and compliance. Splitting up the controls and allocating them across appropriate teams is key to making progress in getting the Annex A controls in place.
Tracking and reporting progress may be achieved by reference to the gap assessment if you decided to carry one out. We suggest you use a certification readiness checklist to assess whether you’re ready for the certification audit and have the main building blocks of an ISMS in place.
Once you’re at this point, certification is a two-stage process (a Stage 1 review of your documentation followed by a Stage 2 audit of the ISMS in operation) and, to meet your timescale objective, you may need to get an appointment in the calendar early, as certification bodies are often booked up a long way in advance.
The process of planning your project is key to ensuring your ISO27001 implementation has the best chance of success. These simple steps can go a long way to building the foundations on which your future ISMS will be built.
Written by Ken Holmes CISSP, CIPP/E; CertiKit’s managing director and principal consultant. Ken is a qualified ISO/IEC 27001 Lead Auditor, an active member of ISACA and a BSI-published author on IT service management. Ken is the lead author of the CertiKit ISO 27001 toolkit.