ISO 27001 Framework: How to implement ISO 27001?
Today, corporate information security is no longer just a set of technical measures such as anti-virus software or firewalls; it is an integrated approach to managing the company’s assets in general and its information in particular. Companies approach these problems in different ways. Here we discuss implementing the international standard ISO 27001 as a solution. For companies on the Russian market, holding such a certificate simplifies interaction with foreign customers and partners who have high requirements in this area. ISO 27001 is widely used in the West and covers the information security requirements that the technical solutions in use should satisfy, while also helping to align business processes.
Certification of the Information Security Management System (hereinafter referred to as the ISMS) brings together best practices for designing an ISMS and, importantly, lets you select the management controls needed to keep the system functioning, the requirements for technical security, and even the company’s personnel management processes. After all, it is necessary to understand that technical failures are only part of the problem. In information security the human factor plays a huge role, and it is much harder to eliminate or minimize.
The following steps will help prepare an organization to meet international information security requirements:
1. Get support from management.
You may consider this obvious, but in practice this point is often overlooked. Moreover, it is one of the main reasons why ISO 27001 implementation projects fail. Without understanding the significance of the project to implement the standard, management will provide neither sufficient human resources nor a sufficient budget for certification.
2. Develop a plan for preparing for certification
Preparing for ISO 27001 certification is a complex task that includes different types of work, requires the involvement of many people and can last for months (or even years). Therefore, it is very important to draw up a detailed project plan: assign resources, time and people to clearly defined tasks and monitor deadlines; otherwise the work may never be finished.
3. Determine the scope of certification.
If your organization is large and its activities are diverse, it probably makes sense to certify only part of the company’s business against ISO 27001, which will significantly reduce the project’s risks, as well as its time and cost.
4. Develop an information security policy.
One of the most important documents is the company’s Information Security Policy. It should reflect your company’s information security goals and the basic principles of information security management that all employees must follow. The purpose of this document is to state what the company’s management wants to achieve in information security and how this will be carried out and controlled.
5. Define a risk assessment methodology.
One of the most difficult tasks is to define the rules for assessing and managing risks. It is important to understand which risks the company can consider acceptable and which require immediate action to reduce them. Without these rules, the ISMS will not work.
Keep in mind that the measures developed to reduce risks should be proportionate. Do not get carried away with optimization: the measures themselves can carry large time or financial costs, or may simply be infeasible. We recommend applying the “minimum sufficiency” principle when developing risk reduction measures.
6. Manage risks according to the approved methodology.
The next stage is the consistent application of the risk management methodology, that is, assessing and treating risks. This process should be carried out regularly and with great care. By keeping the IS risk register up to date, you will be able to allocate company resources efficiently and prevent serious incidents.
7. Plan your risk treatment
Risks that exceed the level acceptable to your company must be entered in the risk treatment plan. The plan records the actions intended to reduce each risk, who is responsible for them, and the deadlines.
8. Complete the Statement of Applicability
This is a key document that the certification body’s experts will study during the audit. It should describe which information security controls apply to your company.
9. Determine how the effectiveness of information security controls will be measured.
Any action must produce a result that leads to the fulfillment of the established goals. Therefore, it is important to clearly define which parameters will be used to measure achievement of the goals for the IS management system as a whole, as well as for each control selected in the Statement of Applicability.
10. Implement the information security controls
Only after completing all the previous steps should you begin to implement the applicable information security controls from the Statement of Applicability. The greatest difficulty here, of course, will be introducing a completely new way of working into many of your organization’s processes. People usually resist new policies and procedures, so pay attention to the next item.
11. Implement employee training programs.
All the points described above will be meaningless if your employees do not understand the importance of the project and do not act in accordance with the information security policies. If you want your staff to follow all the new rules, you first need to explain to people why they are needed, and then conduct training on the ISMS, highlighting all important policies that employees must take into account in their daily work. Lack of staff training is a common cause of project failure under ISO 27001.
12. Maintain the ISMS processes
At this stage, ISO 27001 becomes part of your organization’s daily routine. To confirm that IS controls are implemented in accordance with the standard, auditors will need to be provided with records: evidence that the control mechanisms actually operate. But first of all, records should help you keep track of whether your employees (and suppliers) are performing their tasks in accordance with the approved rules.
13. Monitor the ISMS
What is happening in your ISMS? How many incidents do you have, and of what kind? Are all procedures being performed properly? Using such questions, you must check whether the company is achieving its information security objectives. If not, you must develop a plan to correct the situation.
14. Conduct an internal audit of the ISMS
The purpose of internal audit is to identify inconsistencies between the company’s real processes and its approved information security policies. For the most part, this is a test of how well your employees follow the rules. This is a very important point, because if you do not control the work of your staff, the organization may be harmed (intentionally or unintentionally). But the task here is not to find the guilty and impose disciplinary measures on them for non-compliance with the policy, but to correct the situation and prevent future problems.
15. Organize management review
Management should not be configuring your firewall, but it should know what is happening in the ISMS: for example, whether everyone is fulfilling their duties and whether the ISMS is achieving its target results. Based on this, management must make key decisions to improve the ISMS and internal business processes.
16. Introduce a system of corrective and preventive actions.
Like any ISO standard, ISO 27001 requires “continual improvement”: systematic correction and prevention of inconsistencies in the information security management system. Corrective and preventive actions make it possible to fix a nonconformity and prevent its recurrence in the future.
In conclusion, I would like to say that in fact it is much more difficult to get certified than various sources describe. This is confirmed by the fact that in Russia today only 78 companies have been certified as compliant. At the same time, abroad it is one of the most popular standards for meeting the growing demands of business in the field of information security. This demand for implementation is driven not only by the growth and increasing complexity of threats, but also by legal requirements and by customers who need the complete confidentiality of their data to be maintained.