The end goal of any ISO27001 information security management system (ISMS) implementation for a business is, firstly, to get certified and, secondly, to retain that certification.
A great deal of preparation, planning and the creation of an ISMS for your business happens before any preparation for certification begins.
The key thing for implementing ISO27001 is going to be “revealing and understanding what is actually required for businesses to comply” (Dave Whitelegg).
Internal training for the ISO27001 personnel in your business needs to cover this standard so that they can work on it as a competent resource. Alongside this, staff will also need regular refresher training to maintain awareness.
It would be difficult to understand any of the requirements of the ISO27001 standard and its controls without having a copy in front of you.
This is an additional cost to your business, but it gives you these key documents at your fingertips.
External ISO27001 Implementation Support
As a business, you may turn to expert external support for your training, recommendations, scoping and planning activities as required.
External help will assist you in getting through certification more smoothly than if you were to do it on your own, and it is likely that they have worked on several implementations before.
Internal ISO27001 Implementation Support
The personnel providing internal support in your business need to be competent, as per section 7.2, with some training on ISO27001.
The business needs to determine the number of personnel it can allocate to the ISO27001 implementation project and to the ongoing support of the information security management system.
If an asset-related record needs updating, you may need HR, IT or other key individuals to gather the required supporting information.
The business should have ongoing updates and communications on the progress of the implementation.
The business should identify which sites, locations and services are in scope of the certification. If the business limits the scope of the certification, it cannot then claim that all locations and services are covered by the ISO27001 certification.
As part of planning, the business looks at issues in terms of risks and addresses them to either prevent or reduce the effect of a particular risk, as per section 6.1 of ISO27001. The rest of the controls can then be reviewed and captured in the statement of applicability and Annex A.
This is subject to a review of the following:-
- Business needs;
- Ownership of the policies and records;
- Risk assessment;
- Risk treatment;
- Review of improvements;
Then the baseline of controls, which your business needs to review against either:-
- New processes;
- Cost vs risk;
Policies and Records
There are a number of policies and records which are required to demonstrate compliance with the information security management system. These need to be updated and reviewed regularly and approved by management.
There are also a number of toolkits which provide templates; bear in mind any additional costs associated with these. Whilst they are a good starting point, they require customisation to your business, which means some further work.
As there are quite a few of these, completing them will probably take some time, with some going back and forth to check that any updates are accurate.
Information Security Objectives
The information security management system objectives in control 6.2 need to be measurable and in line with the information security policy.
The objectives policy and record may contain a number of objectives to monitor. One of these could relate to regular staff and management awareness, along with an annual review of it.
Senior Management Commitment
For a successful implementation, buy-in from senior management and stakeholders is crucial. Ongoing support from all of them will be required for regular reviews.
Information Security Personnel
To coordinate the implementation, or the ongoing improvement support, of ISO27001 within your business, you may wish to appoint a dedicated resource to progress this workstream.
Review of Your Implementation
A new implementation of the information security management system, under control 18.2.1 (section 9.2 of the ISO standard), requires an independent review of the controls. Independent here means a trusted third party that can validate the current implementation before making recommendations for certification.
Something to Consider for the Future
ISO27701 and ISO27001
In parallel to ISO27001, another standard is ISO27701:2019 – Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management, which assists with the review of the security measures adopted for data protection.
As the title suggests, this is an extension to ISO27001 with additional controls against which your business can be audited. It assists businesses in evaluating their adoption of GDPR and in reviewing the controls in ISO27701.
The standard framework exists for a business to turn to as a standardised approach. However, this is not a standard that is put in place once and then requires little or no input; there is continuous review and maturing once the implementation is complete. If you would like to discuss your ISO27001 requirements, feel free to contact us and we can help guide you through the process.