We all know that implementing an ISMS (information security management system) can be challenging. After reading this blog, implementing the ISO 27001 standard will be smoother and easier. Here is the ISO 27001 implementation roadmap that will help you.
Step 1: Hire an Implementation Team
In this step you need to hire or appoint a project head who will oversee the implementation of the ISMS. The appointed person must have enough knowledge of information security, the authority to lead a team, and the freedom to give instructions to the managers of the departments they need to review. The project head needs a group of people who will help in handling the implementation process. Senior management can select an effective team, and the team can choose its own leader for the project. Once the implementation team is in place, it creates or finalises the project mandate, answering questions such as:
- What are we hoping to achieve?
- How long will it take?
- How much will it cost?
- Does the project have management support?
Step 2: Planning How the Implementation Goes
In the next step we start planning the implementation process. The implementation team follows the project mandate and creates a more detailed plan of its information security objectives, plans and risk register. This step also produces the high-level policies for the ISMS:
- Roles and responsibilities.
- Rules for its continual improvement.
- Awareness plan related to the project.
Step 3: Begin with the ISMS
In this step we decide which plan to put in place and what sort of improvement methodology to use. ISO 27001 does not prescribe a specific method, but it requires a process approach, for which the PDCA (Plan-Do-Check-Act) strategy is essential. Within this standard you can use any model that satisfies its requirements and processes, so that you can implement the ISMS correctly and review and improve it regularly. You must also create an ISMS policy. The policy does not need to be detailed; a simple outline is enough, so that your implementation team achieves what it set out to do according to its plan.
Once the policy is outlined, it must be approved by the board. After approval, develop the rest of the document structure. A four-tier strategy can be used for this: top-level policies, issue-specific policies and so on, plus work instructions describing how employees should comply with the policies, and record keeping.
Step 4: Scope of the ISMS
In this step you gain a broader sense of the ISMS framework; clauses 4 and 5 of the standard are addressed here. This step is crucial in defining the scale of the ISMS and how far it will reach into day-to-day operations. First you must recognise everything that is relevant to the organisation, so that the ISMS can meet your organisation's needs. The difficult part of the process is defining the scope of your ISMS, which involves identifying where the information is stored. Correctly defining the scope is an essential part of ISMS implementation: if the scope is not properly defined or is too small, you will leave some information exposed, and if it is too big, the ISMS will be too complex to manage.
Step 5: Identify your Security Baseline
You can identify your business's security baseline from the information gathered in the ISO 27001 risk assessment. This will help you identify the organisation's security vulnerabilities and the corresponding ISO 27001 controls to mitigate the risks.
Step 6: Set up the Risk Management Process
Risk management is the heart of the ISMS. Every aspect of the security system is based on the threats you have identified and prioritised, which makes risk management a core competency for any organisation implementing ISO 27001. The standard allows organisations to define their own risk management processes; there are common methods through which you can focus on risks to specific assets. Whatever process you choose, it must result in a risk assessment.
The five-step process is:
- Establish a risk assessment framework
- Identify risks
- Analyse risks
- Evaluate risks
- Select risk management options
After establishing the risk acceptance criteria, managers qualify risks by scoring them on a risk matrix: the higher the score, the bigger the threat. Then select the threshold above which a risk must be addressed.
There are four approaches you can take when addressing a risk:
- Tolerate the risk
- Treat the risk by applying controls
- Terminate the risk by avoiding it entirely
- Transfer the risk
Finally, ISO 27001 requires organisations to complete a Statement of Applicability documenting which of the standard's controls you have selected and which you have omitted.
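As an added illustration (not code from this blog or from the ISO 27001 standard itself), the following Python sketch shows how the pieces of this step fit together: scoring each risk on a likelihood x impact matrix, applying the acceptance threshold, recording one of the four treatment decisions, and rolling the chosen controls up into a Statement of Applicability. The 5x5 matrix, the threshold of 8, the control ids CTRL-01 to CTRL-04 and the register entries are all constructed assumptions; the standard does not prescribe any of them.

```python
"""Minimal risk register and Statement of Applicability builder (illustrative only)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

LEVELS = range(1, 6)  # assumed 5x5 matrix: likelihood and impact each rated 1 (low) to 5 (high)


class Treatment(Enum):
    TOLERATE = "tolerate"    # accept the risk; it sits below the acceptance threshold
    TREAT = "treat"          # apply controls to reduce likelihood and/or impact
    TERMINATE = "terminate"  # avoid the activity that creates the risk entirely
    TRANSFER = "transfer"    # shift it, e.g. to an insurer or supplier


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    treatment: Optional[Treatment] = None
    controls: list = field(default_factory=list)  # control ids chosen when treatment is TREAT

    def __post_init__(self):
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"{self.asset}/{self.threat}: ratings must be 1..5")

    @property
    def score(self) -> int:
        # Cell value of the risk matrix: likelihood x impact, so 1..25.
        return self.likelihood * self.impact


def evaluate(risks, threshold):
    """Apply the risk acceptance criteria.

    Risks scoring below `threshold` are tolerated automatically. Risks at or above it
    must carry an explicit treat/terminate/transfer decision; tolerating one of those
    would silently override the acceptance criteria, so it is rejected here.
    Returns the register sorted highest score first.
    """
    for r in risks:
        if r.score < threshold:
            r.treatment = Treatment.TOLERATE
        elif r.treatment in (None, Treatment.TOLERATE):
            raise ValueError(f"{r.asset}/{r.threat} scores {r.score} >= {threshold} "
                             "and needs a treatment decision")
        elif r.treatment is Treatment.TREAT and not r.controls:
            raise ValueError(f"{r.asset}/{r.threat} is marked 'treat' but lists no controls")
    return sorted(risks, key=lambda r: r.score, reverse=True)


def statement_of_applicability(risks, catalogue):
    """Build the SoA: each catalogue control is marked applicable (with the risks that
    justify it) or omitted. `catalogue` maps control id -> description."""
    soa = {}
    for cid, desc in catalogue.items():
        justified_by = [f"{r.asset}/{r.threat}" for r in risks if cid in r.controls]
        soa[cid] = {
            "description": desc,
            "applicable": bool(justified_by),
            "justification": ", ".join(justified_by) if justified_by
                             else "no identified risk requires this control",
        }
    return soa


# Constructed control catalogue and register (placeholder ids, not real Annex A numbering).
CATALOGUE = {
    "CTRL-01": "Access control policy and periodic account reviews",
    "CTRL-02": "Backup and restore testing",
    "CTRL-03": "Supplier security agreements",
    "CTRL-04": "Physical entry controls",
}
THRESHOLD = 8  # assumed acceptance criterion: scores of 8 or more must be addressed


def example_register():
    return [
        Risk("Customer database", "Credential compromise", 4, 5, Treatment.TREAT, ["CTRL-01"]),
        Risk("File server", "Ransomware", 3, 4, Treatment.TREAT, ["CTRL-01", "CTRL-02"]),
        Risk("Payroll SaaS", "Provider outage", 2, 4, Treatment.TRANSFER),
        Risk("Legacy FTP service", "Data exposure", 3, 3, Treatment.TERMINATE),
        Risk("Office printer", "Paper jam", 2, 1),  # below threshold: tolerated
    ]


if __name__ == "__main__":
    register = evaluate(example_register(), THRESHOLD)
    for r in register:
        print(f"{r.score:>3}  {r.treatment.value:<10} {r.asset}: {r.threat}")
    for cid, entry in statement_of_applicability(register, CATALOGUE).items():
        status = "applicable" if entry["applicable"] else "omitted"
        print(f"{cid} {status} - {entry['justification']}")
```

The two validation errors in `evaluate` are the point of the sketch: a risk above the threshold with no decision, or marked "treat" with no controls, is exactly the gap an auditor will find when comparing the risk assessment against the Statement of Applicability.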
Step 7: Implementation of the Risk Treatment Plan
Implementing the risk treatment plan is the process of building the security controls that will protect your organisation's information assets. To ensure the controls are effective, you need to check that the staff who operate them know their information security obligations. You also need to develop a process to determine, review and maintain the competencies necessary to achieve your ISMS objectives; this requires analysing and defining the desired level of competence.
Step 8: Measure, Monitor and Review
Without reviewing, you cannot tell whether your ISMS is working. You need to keep a close eye on the evolving risk landscape at least annually. The review process involves identifying criteria that reflect the objectives you laid out in the project mandate. Quantitative analysis, the common approach, assigns a number to whatever you are measuring; this works well for things that involve financial cost or time. If you don't want to apply quantitative analysis, you can use qualitative measures based on judgement.
Apart from that, you should conduct regular internal audits of your ISMS. There is no prescribed way to carry out an ISO 27001 audit; a practical approach is to assess one department at a time. This prevents productivity losses and ensures your team's efforts are not scattered. Your aim should be to complete the process as quickly as possible, so that you get the results, review them, and plan the yearly audit accordingly. The results of the internal audit and the inputs from the management review feed the continual improvement process.
Step 9: Certify your ISMS
Once the ISMS is implemented you can opt for ISO 27001 certification, in which case you need to prepare for an external audit. The certification audit is done in two stages. In the first stage the auditor decides whether the organisation's ISMS has been developed according to ISO 27001; if the auditor is satisfied, they proceed to the second stage, a more thorough investigation. Make sure you are confident about your readiness before proceeding to certification, since the process is time-consuming and you are charged even if you fail. The question then arises of which certification body to choose.
Nowadays there are plenty of choices, but you must make sure that the certification body is accredited by a national accreditation body that is a member of the IAF. This gives assurance that the review is done according to ISO 27001. An unaccredited body may promise to provide ISO 27001 certification, but that will not give your organisation a credible compliance posture. The cost of the audit will probably be a primary factor when deciding which body to go for, but it should not be your only concern. When choosing the auditor, consider whether they have experience in your industry: every ISMS is unique to the organisation that creates it, and the auditor must be aware of all the relevant requirements.