As the pre-eminent global information security management system standard, ISO27001 offers countless benefits to businesses willing to engage with the standard, and even more to those willing to undertake certification. So what does that involve?
To help you understand what’s involved, this article aims to give a concise overview of the process and outlines some of the key requirements of ISO27001.
For clarity, we’ll divide the process for achieving ISO27001 into 2 main phases: implementation and certification. Let’s start by considering how to implement an information security management system (ISMS) to ISO27001 standards.
Implementation – Plan, Do, Check, Act
When establishing an ISMS, it can be helpful to follow something called the PDCA cycle. Meaning ‘plan, do, check, act’, this cycle is a management method designed to encourage continuous improvement of a business’s products and processes, and it is particularly useful when implementing management systems.
Outlined below are some of the key steps required to implement an ISO27001-certified ISMS, with reference given to where each step is located within the PDCA cycle. Repeating the PDCA process is recommended ahead of the certification phase in order to iron out bugs in the system prior to the external audit.
Plan – Define the Scope
Start by outlining the information, assets, systems, processes, business departments, people and locations the ISMS is to apply to. The scope should also detail the regulatory constraints that have implications for information security, such as the GDPR and PCI DSS.
While it may seem laborious, defining the scope is crucial to ensuring the overall success of the ISMS.
Plan – Identify Risks
Now that the information that is to fall under the scope of the ISMS has been identified, it’s time to identify the risks this information may be subject to. Carry out a thorough risk assessment that considers each risk in terms of its likelihood, its potential operational impact and the severity of harm that could result.
Plan – Create a Risk Mitigation Strategy
Devise a plan to minimise the risks identified, taking into account factors such as the nature of the information at risk and the severity of impact that a compromise of that information may cause.
Plan – Develop Information Security Policies
Establish information security policies outlining the responsibilities data handlers and processors have in maintaining high standards of information security. Policy documents should individually pertain to information types, systems, infrastructure, locations, processes, business departments and third-party access. Each document should contain best practice guidance in addition to mandated actions designed to preserve the confidentiality, integrity and availability of information stored across all formats.
Do – Implement Security Controls
Set in motion the risk mitigation measures that have been planned. The latest iteration of ISO27001 identifies 4 categories of security control that organisations should consider when pursuing their information security management objectives: organisational controls, people controls, physical controls and technological controls.
A total of 93 separate controls are listed across these categories, ranging from technological controls like web filtering and antivirus software to physical security measures like CCTV and building access controls.
Do – Train Employees
Ensuring employees understand their information security responsibilities is key to the overall success of the ISMS, and is vital to achieving ISO27001 certification. Employees should familiarise themselves with the information security policies relevant to them and ensure they understand the controls required and any duties they have in applying these controls.
Check – Perform Internal Audits
Clause 9 of ISO27001 requires organisations to have processes in place to monitor, measure, analyse and evaluate the performance of the information security management system. Key performance indicators should be regularly reviewed by management to ensure the ongoing maintenance of security standards, and regular internal audits should be conducted to verify that the ISMS is operating in accordance with ISO27001 requirements.
Act – Carry Out Improvement Actions
Clause 10 of ISO27001 requires organisations to correct non-conformities and take action to improve deficiencies identified in periodic audits and performance evaluations. Once improvement actions have been carried out, their effects should be closely evaluated to ensure efficacy.
The concept of continuous improvement is fundamental to the spirit of ISO27001, and ongoing commitment to corrective enhancements of the ISMS is something the external auditors will look for evidence of in the certification process.
Certification – A Two-Stage Process
In the UK, ISO27001 certification is achieved by means of a 2-stage external audit process undertaken by a UKAS-accredited certification body.
Stage 1 examines the information security management system’s supporting documentation. Often carried out remotely, this exercise is designed to determine whether an organisation comprehends the core principles of ISO27001. If successful, a recommendation for a stage 2 audit will be made. If, however, aspects of the ISMS fail to meet the requirements of the standard, improvement actions will be stipulated before any further progress can take place.
Stage 2 is where the auditors ascertain that the documented processes, measures and controls are actually being actioned. The auditor checks that the documented scope of the ISMS aligns with reality, staff may be interviewed, and checks will be made to ensure the controls in place measure up to ISO27001 standards. The outcome of this rigorous process is simply a ‘pass’ or a ‘fail,’ with failure requiring the correction of non-compliant elements before a new audit can be scheduled.
Applicable across all sectors and to businesses of all sizes, ISO27001 sets out a framework for the creation of a robust information security management system that will inspire confidence in your business’s commitment to information security.
Interested in ISO27001?
Here at Defence Logic, we help businesses like yours tackle information governance and security challenges head on. With our tried and tested framework, we can help you develop an ISO27001-compliant information security management system quickly and efficiently, with minimal impact on your business’s operations. Get in touch today to find out more about our services.