ISO 27001 : A 10 Step Implementation Guide

By


ISO 27001 is the most comprehensive international standard for the implementing Information Security Management System (ISMS) for any organisation.  

It helps your organization to systematically maintain confidentiality, integrity and availability (CIA). 

The key benefits are 

1. Complying with an excellent framework to protect information assets from malicious actors.

2. Increase customers, partners, suppliers, investor and other stakeholder confidence and reputation.

3. Gaining an edge over its competitors. 

The process of implementing an ISO 27001 ISMS is a challenging task.

However, it's a worthy effort  in the long run to protect your information assets.

This 10-step guide will help you complete  ISO 27001 journey successfully. 

Step 1:Establish a Project Team.

Jump start ISO 27001 by appointing a project leader with sound knowledge about your organisation, business operations and information security. 

Provide adequate authority to the project leader to oversee the implementation of the ISMS project successfully.

The project leader shall be assigned a team of experts with relevant technical, business, communication and legal expertise.

Step 2 : Create Project Mandate. 

The project team should create a project mandate identifying ISO 27001 ISMS  project objectives, estimated time, resources required and estimated cost to obtain management approval.

Step 3: Develope Dtailed Project Plan.

Develop an ISMS implementation plan  including organization's information security objectives, security policies, implementation plan and a risk register.

A Risk Register is a tool used to record and manage your risks and controls for treatments. 

There are 14 domains in ISO 27001 standard has 14 domains, 6 of them are most critical.

1 – Company security policy0

2 – Asset management

3 – Physical and environmental security

4 – Access control

5 – Incident management

6 – Regulatory compliance

The policies for ISMS should outline: 

* Roles and responsibilities of risk owners and custodians.

* Rules for continues  improvement if ISMS.

* Communication strategy for awareness and training 

Step 4: Initiate the ISMS. 

Create ISO 27001 process based on  Plan-Do-Check-Act strategy. 

The PDCA plan must give a clearly view of what you would achieve and  how you plan to do it, to obtain your board approval.

The final document will follow four-tier strategy, including 

1. Policies on  acceptable use,  password management, assest management etc.

2  Procedures to establish the policies.

3  How the employees should meet the policies.

4  Methods of recording and tracking procedures.

Step 5: Define the ISMS Scope. 

Define your project scale based on your organisation requirements and capacity.

This may be done even earlier. However it's advisable to implement section by section of the plan based on priorities.

Refer to  clauses 4 and 5 of the ISO 27001 standard to determine your scope. It includes Identification of information assets such as information stores, files, systems ans devices. 

Step 5: Identify Your Security Baseline. 

This is the minimum level of security required to conduct your business securely. 

You need to conduct a risk assessment to identify organisation’s most significant security vulnerabilities and relevant ISO 27001 controls to mitigate the risk given in  Annex A. 

This may involve interviews, business process walkthroughs involving risk owners,  observations, penitratiyon testing and regulation reviews.

Step 6: Establish a Risk Management Process. Evaluate and priorities of the risks you’ve identified, and implement the control processes. They will be either common or specific methods focused on specific assets or to address risks in given scenarios.

The risk assessment is a five-step process:

1. Establish risk assessment framework

2. Identify risks

3. Analyse risks

4. Evaluate risks

5. Select risk treatment options.

Prioritize the risks based on the risk score. Risk score is  calculated by adding or multiplying the risk impact and likely hood of occurrence. 

The four risk treatment options are : 

1. Tolerate the risk, if the cost of mitigation is higher.

2. Mitigate the risk by applying relevant controls.

3  Terminate the risk by avoiding it entirely.

4. Transfer the risk with an insurance etc.

Please note some risks create business opportunities. Be mindful od residual risks after risks are treated.

Finally create the Statement of Applicability (SoA) that states the risks and controls selected or ommited, with an explanation why you made those choices.

Step 7: Implement a risk treatment plan.

Build the security controls to help protect your organisation’s information assets. Ensure that your employees are trained to follow and interact with the controls.

Establish internal and external communications process, awareness building and training programs to make the controls are actually understood, being implemented and effective

Step 8: Maintain the controls to achieve your ISMS objectives. There must be a method of record keeping to ensure that controls are being continuesly applied in operations.  

Step 9: Measure, monitor and review. 

It's crucial to ensure that   your ISMS is working through periodic reviews   based on security landscape your business is operating. 

The ISMS review process may involve regular internal audits. The objective of the audit is to evaluate the effectiveness of your controls against organisation's security objectives laid out in the project mandate. 

You can either use quantitative approach by assigning a score to the  measurement or  qualitative approach where measurements are based on judgement such as high’, ‘medium’ and ‘low’. 

qualitative approach is helpful evaluating assets involving  financial costs or time. 

Step 9: Continues ISMS improvement.

The results of the audit, together with management review can be used in  continues improvement of ISMS processes.

Step 10: Obtaining ISO 27001 certification.

Once your ISMS is in place, you can conduct an  external audit to obtain ISO 27001 certification. 

The Certification audits are conducted in two stages.

The initial audit will determine if  the organisation’s ISMS has been developed according to ISO 27001’s  requirements. 

If the external auditor is satisfied with initial audit, a more thorough investigation is conducted for certification.

The external auditor you choose should be  accredited by a national certification body, which should be a member of the IAF (International Accreditation Body).

Niranjan Meegammana







Comments

Post a Comment

Popular posts from this blog

ISO 27001 ISMS in a Nutshell

By
Image
Image : ISO The ISO 27001 certification is the most comprehensive  information security standard recognized globally. It ensures standardizing of your organisation's information security strategies to ensure confidentiality, integrity and availability of your systems and data to conduct your business effectively.  Gaining the certification is a journey with several milestones. It is a carefully planned systematic activity that transforms an organisation to a secure entity,  where everyone becomes a stakeholder in information security. Follow this processes to get to your goal successfully. Step 1. Obtain Management Support . This is the most critical requirement to achieve ISO 27001 status. Your ISMS project will definitely fail if it does not receive to management support. The management should provide, people, money and strategic direction for your ISMS to be a success story. In the sections below you’ll find some tips on how to convince your management, and how much the implemen
Read more

Best Practices for secure Software Development

By
Image
image : OpenSense Labs Are you aware of the  Solarwinds attack in 2020? The hackers exploited software vulnerabilities of Orion IT monitoring and management software used by thousands of enterprises and government agencies. This hack triggered a larger scale supply chain incident which affected thousands of organizations, including the U.S. government. The attackers infliltrated the Solarwinds network, and infected the software used for Network monitoring before it shipped to customers.This insident and many more warn us on the importance of building secure software.  Secure software development is a methodology used for creating robust software by incorporating security practices into every stage of the software development life cycle (SDLC). It begins at planning stage before a single line of code is written, and continue through the life cycle. A bug fixing at implementation stage cost six times than fixing it during design stage. Every new feature added, may carry series of vulnera
Read more

How easily the data breaches occur? 5 ways to be aware of.

By
Image
Data breaches can occur at any unexpected moment. Unless you do not detect it fast, cybercriminals will have more time to exfiltrate information and cause bigger damage. On average it takes up to 30 days and costs $1 million to address a data breach incident stated 2021 Cost of a Data Breach Study. However, it could be more if you wait longer. Unfortunately, some took 6 months to respond.      Better safe than be sorry! Be prepared against data breaches.  There are 5 ways for your organization to avoid data breaches. Here is how. 1. Weak and stolen credentials  The most simplest way hackers use for data breaches is stealing passwords. Many people use predictable passwords like ‘Password1’ and ‘123456’. With them, cybercriminals don't even need to hack into a system to steal your sensitive data.  There are many tools that can help a cybercriminal to crack passwords. They run millions of popular credentials to break into your system. This requires you to have a strong password policy
Read more