The main steps your organization needs to go through if you want to achieve ISO 27001 certification
STEP 1: Obtain management support
You need management support to provide enough people and money to work on the project.
STEP 2: Treat it as a project
The implementation of an ISMS based on ISO 27001 is a comprehensive project, involving various activities and lots of people, and lasting several months (or more than a year). If you do not clearly define what is to be done, who is going to do it, and in what time frame (i.e., apply project management), you might as well never finish the job.
STEP 3: Define the scope
In a small company of fewer than 50 employees, the whole company can be in the scope, but in a larger organization only one part of the organization should be in the scope, to lower your project risk.
STEP 4: Write an information security policy
- This is the highest-level internal document in your ISMS
- It shouldn’t be very detailed
- It should define some basic requirements for information security in your organization
- It helps management define what it wants to achieve and how to control it.
STEP 5: Define the risk assessment methodology
- Risk assessment is the most complex task in the ISO 27001 project.
- Define the rules for identifying the risks, impacts, likelihood, and acceptable level of risk.
STEP 6: Perform the risk assessment and risk treatment
- Implement the risk assessment you defined in the previous step
- The point is to get a comprehensive picture of the internal and external dangers to your organization’s information.
- The purpose of the risk treatment process is to decrease the risks that are not acceptable. This is done by using the controls from Annex A.
- The risk assessment report has to be written in this step. Document all steps taken during the risk assessment and risk treatment process.
- An approval of residual risks must be obtained – either as a separate document, or as part of the statement of applicability.
STEP 7: Write the statement of applicability (SoA)
- Once you have finished your risk treatment process, you will know exactly which controls from Annex A you need (there are a total of 114 controls, but you probably won’t need them all).
- The purpose of this document (SoA) is to list all controls and define: which are applicable and which are not, and the reasons for such a decision; the objectives to be achieved with the controls; and a description of how they are implemented in the organization.
- The Statement of Applicability is also the most suitable document to obtain management authorization for the implementation of the ISMS.
STEP 8: Write the risk treatment plan
- This defines exactly how the controls from the SoA are to be implemented: who is going to do it, when, with what budget, etc.
STEP 9: Define how to measure the effectiveness of controls
- The point here is – if you can’t measure what you’ve done, how can you be sure you have fulfilled the purpose?
STEP 10: Implement the controls and mandatory procedures
- This is where you have to implement the documents and records required by clauses 4 to 10 of the standard and the applicable controls from Annex A.
- Read about mandatory documents required by ISO 27001 and ISO 27001 Annex A controls
- This is usually the riskiest task in your project because it means enforcing new behavior in your organization.
- Often, new policies and procedures are needed (meaning that change is needed), and people usually resist change – this is why the next task (training and awareness) is crucial for avoiding that risk.
STEP 11: Implement training and awareness programs
- If you want your personnel to implement all of the new policies and procedures, first you have to explain to them why they are necessary, and train your people to be able to perform as expected.
- The absence of these activities in a management system is the second most common reason for ISO 27001 project failure.
STEP 12: Operate the ISMS
- This is the part where ISO 27001 becomes an everyday routine in your organization.
- The crucial word here is “records.” ISO 27001 certification auditors love records; without records, you will find it very hard to prove that some activity has really been done.
- Records can help you monitor what is happening; you will actually know with certainty whether your employees (and suppliers) are performing their tasks as required.
STEP 13: Monitor the ISMS
- What is happening in your ISMS?
- How many incidents do you have, and of what type?
- Are all the procedures carried out properly?
- This is where the objectives for your controls and the measurement methodology come together: you have to check whether the results you obtain are achieving what you set in your objectives. If not, you know something is wrong, and you have to perform corrective and/or preventive actions.
STEP 14: Internal audit
- Very often, people are not aware that they are doing something wrong (on the other hand, they sometimes are, but they don’t want anyone to find out about it). Internal audits help to find out such things.
- The purpose is not to initiate disciplinary actions but to take corrective and preventive actions.
STEP 15: Management review
- Management does not have to configure your firewall, but they must know what is going on in the ISMS: whether everyone performed their duties, and whether the ISMS is achieving the desired results and fulfilling the defined requirements.
STEP 16: Corrective and Preventive Actions
- The purpose of the management system is to ensure that everything that is wrong (so-called “nonconformities”) is corrected, or hopefully prevented.
- ISO 27001 requires that corrective and preventive actions are done systematically: the root cause of a nonconformity must be identified, then resolved, and the resolution verified.