Top 10 Steps to Information Security with ISO 27001
1. Study 27001
Familiarise your organisation with the standard and its purpose. It is not uncommon for organisations to introduce an information security management system before they have a full understanding of what the standard is about and what it requires. In that situation it is tempting to use the standard as a checklist of requirements to be ticked off, and with this approach you can easily spend time preparing documentation that ISO 27001 does not require. In addition, you risk only partly meeting the requirements of the standard, and the work becomes unsystematic. Preparation is essential for a successful certification.
2. Ensure that management is involved and has approved the project
Success requires that management be involved and committed. Management must commit to planning, implementing, monitoring, reviewing, maintaining and continually improving the management system. Management should also ensure that resources are available for work on the information security management system and that the employees responsible for developing, implementing and maintaining the system have the necessary competence and receive appropriate training. ParkinsonHowe will help put these prerequisites in place and assist you to:
- Develop an information security policy
- Determine objectives and plans relating to information security
- Define and allocate roles and responsibilities within information security
When management is involved and committed, work with the information security management system can start. In this step the company determines the scope of the information security management system. You need to define:
- A policy for information security
- Objectives for information security
- Clear roles/responsibilities with respect to information security
4. Choose a method for risk assessment
A risk assessment will help you identify potential information security risks, how they can affect your sensitive information and the probability that these risks will materialise. The choice of risk assessment model is one of the most important elements when implementing an information security management system. The standard does not specify which risk assessment model should be used. Instead, it requires that the chosen model be used to:
- Assess risks related to confidentiality, integrity and availability
- Set goals to keep risks at an acceptable level
- Establish criteria that define when a risk is acceptable
5. Assess risks
When the risks have been identified they need to be analysed and assessed.
- Evaluate how the organization would be damaged if the identified security risks become a reality. Evaluate what the consequences would be if the confidentiality, integrity or availability of your assets (information resources) would be compromised or damaged.
- Complete an estimate of the different risk levels.
- Determine whether the risks are acceptable or require action by following previously defined criteria for acceptability.
For each risk that exceeds the acceptance criteria, the organisation then decides how to treat it:
- Accept the risk. For example, if the actions are too costly or if it is not possible for the organisation to act (e.g., in the event of natural disasters or political revolutions).
- Transfer the responsibility for the risk to someone else. For example, an external provider or an insurance company.
- Enable control mechanisms to keep risk at an acceptable, low level.
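The risk assessment and treatment steps above (score each risk by likelihood and its worst impact on confidentiality, integrity or availability, compare the result with documented acceptance criteria, then accept, transfer or mitigate) are easier to apply consistently when the register is kept in a structured form. The following Python risk register is an added example written for this page; it is not ParkinsonHowe's method or anything prescribed by ISO 27001, and the 1 to 5 scales, the multiplicative risk level, the sample assets and the acceptance thresholds are all constructed assumptions an organisation would replace with its own.

```python
"""Minimal ISO 27001-style risk register (added example, constructed data).

Each risk is scored as likelihood x worst CIA impact, compared with the
organisation's documented acceptance criteria, and given one of the
treatment decisions described in the text: no action, mitigate, transfer
or accept with a recorded justification.
"""

from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple

SCALE = range(1, 6)  # assumed 1 (very low) .. 5 (very high) scale


class Treatment(Enum):
    NONE = "acceptable, no action required"
    MITIGATE = "mitigate with controls"
    TRANSFER = "transfer to a third party"
    ACCEPT = "accept with documented justification"


@dataclass(frozen=True)
class Risk:
    asset: str
    scenario: str
    likelihood: int
    confidentiality: int   # impact on C if the scenario occurs (1..5)
    integrity: int         # impact on I (1..5)
    availability: int      # impact on A (1..5)
    mitigation_cost: int   # relative cost of controls, 1..5; 0 = no feasible control
    transferable: bool     # can the risk be insured or outsourced?

    def __post_init__(self) -> None:
        # Reject entries outside the agreed scales so the register stays comparable.
        for name in ("likelihood", "confidentiality", "integrity", "availability"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be in 1..5, got {getattr(self, name)!r}")
        if self.mitigation_cost not in range(0, 6):
            raise ValueError("mitigation_cost must be 0 (infeasible) or 1..5")


@dataclass(frozen=True)
class AcceptanceCriteria:
    max_risk_level: int        # risk level at or below this is acceptable as-is
    max_mitigation_cost: int   # controls costlier than this count as "too costly"


def risk_level(risk: Risk) -> int:
    """Likelihood times the worst of the three CIA impacts (range 1..25)."""
    return risk.likelihood * max(risk.confidentiality, risk.integrity, risk.availability)


def decide_treatment(risk: Risk, criteria: AcceptanceCriteria) -> Treatment:
    """Apply the acceptance criteria and choose a treatment option."""
    if risk_level(risk) <= criteria.max_risk_level:
        return Treatment.NONE
    feasible = risk.mitigation_cost > 0
    if feasible and risk.mitigation_cost <= criteria.max_mitigation_cost:
        return Treatment.MITIGATE
    if risk.transferable:
        return Treatment.TRANSFER
    # Too costly or impossible to act: accept, and the register records why.
    return Treatment.ACCEPT


def assess_register(register: List[Risk],
                    criteria: AcceptanceCriteria) -> List[Tuple[str, int, Treatment]]:
    """Return (asset, level, treatment) rows, highest risk first."""
    rows = [(r.asset, risk_level(r), decide_treatment(r, criteria)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register: assets, scenarios and scores are illustrative only.
SAMPLE_REGISTER = [
    Risk("customer database", "credentials stolen via phishing", 4, 5, 3, 2, 2, False),
    Risk("office file server", "ransomware encrypts shares", 3, 3, 4, 5, 3, True),
    Risk("data centre", "regional flood", 2, 1, 2, 5, 0, True),
    Risk("public website", "defacement", 2, 1, 3, 2, 1, False),
    Risk("legacy HR system", "unpatched vendor software", 3, 4, 4, 2, 5, False),
]
SAMPLE_CRITERIA = AcceptanceCriteria(max_risk_level=6, max_mitigation_cost=3)

if __name__ == "__main__":
    for asset, level, treatment in assess_register(SAMPLE_REGISTER, SAMPLE_CRITERIA):
        print(f"{asset:20} level={level:2}  -> {treatment.value}")
```

The point of the structure is that the acceptance criteria are written down once (in `AcceptanceCriteria`) and applied mechanically, so two assessors scoring the same scenario reach the same treatment decision and an auditor can trace every "accept" back to a recorded reason rather than an undocumented judgement.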
To meet the requirements identified during the risk assessment process, objectives and actions must be identified and implemented. This identification needs to consider the criteria for acceptable and unacceptable risks as well as legal, regulatory and contractual obligations.
7. Final implementation of ISO 27001
Implement a plan that includes:
- A description of the risk management in which management actions, resources, responsibilities and the order of priority for information security actions are set out.
- A risk management plan to reach the objectives. This includes both funding and allocation of roles and responsibilities.
- The measures necessary to meet the objectives.
- Implementation of the management system and resources.
Sufficient resources (staff, time and money) must be assigned to implement the information security management system and the associated security measures properly. It is also important that employees who work with the information security management system (for example on system maintenance, documentation and security) receive proper training.
9. Internal audits, management review and improvements
To ensure that the information security management system is and remains effective, the standard includes the following requirements:
- Execute internal audits
- Management must carry out regular reviews of the information security management system to ensure that it remains complete and to identify improvements to its procedures.
The certification process can take a few months, from the request for quote until the certification audit is completed.
It is common for much energy to be devoted to perfecting things that already work well, while other, essential elements do not get the attention they need. Plan an external pre-assessment a few months before the certification audit even if your management system is not finished. Identifying areas of nonconformance at an early stage will allow you to correct them before you move on to the certification audit.
Keep in mind that the management system does not have to be perfect for the first audit - it is enough that all elements are compliant with the requirements of the standard.
ParkinsonHowe will provide ISO 27001 assistance in any of the 10 steps so that a company can move forward in a controlled manner.