Open for Add

Header ADS

What are the steps to check before implementation of ISO 27001 ?



Guidance on ISO 27001 ISMS implementation process, which you should follow before implementing this, if you are thinking to go for it. What should be the steps? You can follow these nine steps before you jump to ISO 27001 implementation. These steps are simple guidance inline with ISO 27001 standard. 
Step 1: Implementation team

Need to make an implementation team, this will be the 1st step towards the implementation of ISO 27001. You have to be very serious abut team resources who will be directly responsible for the implementation. As this is ISO related implementation, the team member should well aware of information security and should have strong authority and having good leading capacity.
Team should be ready with project plan with cost, duration, etc. and details of justification to support the ISMS requirement to the higher management.
Step 2: Implementation plan,

Implementation plan has to make as a 2nd step. Implementation team has to create a detail of implementation plan as per their agreed project mandate with details of objectives they want to achieve along with plan and risk register. They also has to include the setting of high-level policies that support ISMS like, roles and responsibilities, critical environment rules, rules for awareness build up through internal and external communication.

Step 3: Start for ISMS

Once the plan is placed, now determine which CI ( Continual Improvement ) methodology can be used. As ISO 27002 does not specify any particular methodology but it advises a “process approach” of PDCA ( Plan-Do-Check-Act) strategy.
You can use any model If the requirement and process are clearly defined, implemented correctly, and reviewed timely manner and improved.
Need create an ISMS simple policy document with details outlined of implementation plan and what can be achieved and how it will be doing and the same should be approved by the top management or board.
After acceptance of top management or board a few more documents need to be ready like :
Policies on specific issues like acceptable uses and password management.
Procedure to approve the policies and requirements.
Work instructions describing how employees will follow the policies.
Records tracking the procedures and work instructions.

Step 4: Defining the ISMS scope.

For defining the scope follow the clauses 4 and 5 of the ISO 27001 standard. This step is very important for defining the rule of your ISMS and the level of spread it will have in your day-to-day operations.
It’s also very important that you should identify everything relevant to your organization so that the ISMS can meet your organization’s needs.
The most vital part of this process is the scope defining of ISMS. This includes identifying the places where information can be stored, whether that’s physical or digital files, systems, or portable devices. Defining your scope properly is an essential part of your ISMS implementation project.
If your scope is too small, then you left information uncovered, losing the security of your organization. But if your scope is largely made then, the ISMS will become too complex to manage.
Step 5: Identification security baseline 

If you want business to happen securely then, the organization’s security baseline is the minimum level of requirement which can ensure business securely. You can identify your security baseline with the information gathered while doing the ISO 27001 risk assessment. Risk assessment with help you to identify the organization's biggest risk vulnerabilities and the corresponding control to mitigate the risk described in Annex A of the ISO 27001 standard.
 Step 6: Establishing a risk management process

Risk management is very vital for ISMS. Almost every portion of your security system is based on the threats which you’ve identified and prioritized. Risk management is a core competency for any organization implementing ISO 27001. The Standard allows organizations to define their own risk management processes. Common methods focus on observing at risks,  to specific assets or risks existing in specific scenarios.
Anyway you have toe focus on the result of risk management, which defines five steps process, bellow:

  1. Establish a risk assessment framework,
  2. Identify the Risk,
  3. Analysis the Risk,
  4. Evaluate the Risk,
  5. Select the Risk management activities,
 What will be you risk acceptance criteria that you need to define, how much damage that threats will cause impact and the likelihood of reoccurring.
We often quantify risks by scoring them on as a risk matrix, higher or lower. Higher the risk score causes bigger the threat and threshold need to define, where risk must be addressed. Below approaches can be taken to address risk like, Accept the risk, Treat the risk by applying controls
Terminate the risk by avoiding it entirely, Transfer the risk as per the organisation agreed process.

ISO 27001 requires organizations to complete an SOA ( Statement of Applicability ) documents. This is the documents were to define, which Standard’s controls have been selected or omitted and related reasons.

Step 7: Implementing a risk treatment plan

The implementation of the risk treatment plan is requiring to define the process of building the security controls which will protect the organization’s information assets. You have to monitor whether the controls are effective or not, employees are able to operate the controls or not, and they are aware of the information security obligations. You need to implement the process to determine, review, and maintain the necessary competencies to achieve the ISMS objectives.  
Step 8: Process to Measure, monitor and review

Review has to conduct time to time as a confirmation the ISMS is working as per plan and process defined. Scheduling of review can by quarterly, Half-yearly, or annually. The review process involves identifying measures that reflect the objectives you placed out in the project mandate. In addition to this process, you should conduct regular internal audits of your ISMS. The Standard doesn’t specify how ( quarterly, Half early, or Annually ) you should carry out an internal audit but doing that as per your suitability will helps to avoid significant losses in productivity. The results of your internal audit form the inputs for the management review, which will be fed into the continual improvement process.
Step 9: Certification for ISMS

Once the ISMS is in place, you may choose to seek certification. You have to invite external audit for that. Certification audits are conducted in two stages.
The initial audit helps to determine whether the organization’s ISMS has been established in line with ISO 27001’s requirements or not.  If the auditor is satisfied, they’ll conduct an additional investigation on that.
You should be self-assured in your ability to certify before proceeding, because the process is time-consuming and cost involved. There are plenty of external certification bodies to choose for external audit and certification, but they should be accredited by a national certification body, which should be a member of the IAF (International Accreditation Body). Accreditation certification body, ensures that the review is actually in accord with ISO 27001. The cost of the certification audit will maybe be a primary factor when deciding which body to go for, but it shouldn’t be the only concern. An experienced reviewer should be considered. Whoever is conducting the audit must be aware of organization requirements, as an ISMS is always unique to the organization. 


Read other ISO related topics :

Read about ISO Standard

Read about ISO Compliance

Read about Information Security Policy

Read about ISO ISMS


Powered by Blogger.