ISO 27001 is one of the most widely used frameworks in the world for protecting information. Many organizations want to implement it, but most do not have a clear idea of how it is done or what steps are involved. In this blog, we'll clear up those doubts.
Before you start the implementation, management should allocate the resources the project needs. Implementing ISO 27001 is not an easy task; it involves many activities and processes, so make sure enough people, time and budget are allocated. Another essential step before you begin is defining the scope. In a large organization it is difficult to cover the whole company at once, so identify and define the scope of the ISMS: the business units, locations, systems and information it covers, and its interfaces with what is excluded. A well-defined scope makes the work manageable and reduces the chance of a failed implementation. Now we'll come to the steps.
1. Develop a policy for the Information Security Management System (ISMS)
This is one of the major tasks in the implementation of ISO 27001. The ISMS policy (the information security policy) is the top-level document of the ISMS. It is a high-level document, approved by top management, that states the organization's information security objectives and commitment and outlines the main information security problems the organization faces. Its main purpose is to define what needs to be achieved and, at a high level, how it is going to be achieved.
2. Develop risk assessment methodology and perform risk assessment
Performing a risk assessment is one of the most difficult tasks in the implementation of ISO 27001. To do it properly, the organization must identify its information assets, the threats to them, the vulnerabilities those threats could exploit, and the likelihood and impact of each resulting risk. Risk acceptance criteria (the level of risk the organization is willing to live with) and the criteria for when a risk must be treated should be defined before the assessment starts, not after. So, develop a risk assessment methodology first, then apply it across the defined scope, using the information asset inventory and the internal processes as input. A consistent methodology matters: the same risk assessed twice, or by two different people, should produce comparable results, and an auditor will check for that.
3. Develop the Statement of Applicability (SoA)
Once you have completed the risk assessment, start developing the SoA. What is an SoA? It is the document that lists which controls from Annex A are applicable and which are not, with a justification for each inclusion and exclusion and the implementation status of each control. The risk assessment drives this: controls needed to treat the risks you identified are applicable to your organization, and controls may also be included for legal, contractual or business reasons. Every "not applicable" must be justified, because the certification auditor will ask why. This document leads directly to the next step.
4. Develop the risk treatment plan
The risk assessment gave us the SoA; the SoA now gives us the risk treatment plan. The plan defines how each applicable risk will be treated, in other words how the controls selected in your SoA will be implemented. For each action, identify who is responsible for implementing it, what budget is allocated and when it is due, and obtain management's approval of the plan and its acceptance of the residual risks. This document guides the treatment of the risks and the implementation of the ISMS.
5. Develop the mandatory procedures
The next step is one of the most important in building the ISMS. ISO 27001 requires a number of documented procedures and records, and the Annex A controls selected in your SoA call for more. Develop the relevant policies and procedures for the ISMS according to your scope and your SoA; exactly which ones are needed depends on the scope of your organization. This task genuinely takes time.
6. Training and awareness
Even though we have developed all the policies and procedures, there is a problem: the employees of our organization have to start practicing them, and before they can, they need to know about the ISMS. For your employees to follow the procedures, teach them why the ISMS is needed and how the procedures apply to their daily work, and keep records of the training as evidence. Lack of awareness about the ISMS is one of the main reasons organizations fail in ISO.
7. Operate and monitor
Now that we have identified the risks, implemented the treatments, developed procedures and trained the staff, we must actually practice the ISMS. Everyone in scope should follow it in their daily activities: the procedures are followed, the records are filled in, and so on. While operating the ISMS, monitor whether the objectives of the implementation are being achieved, measuring the effectiveness of controls where you can, so that you can identify where the faults occur.
8. Internal audit
Internal audit is one of the main tasks in an ISO implementation. Now that you are practicing the ISMS and have identified a few gaps, you should audit against your ISMS and against the requirements of the standard itself. A qualified auditor who is independent of the area being audited should conduct the internal audit and find where the problems exist. An internal audit will usually identify more problems than you found in the monitoring phase.
9. Management review
Once the internal audit findings are available, management may need to take some critical decisions to address them. The management review should consider the audit results, the monitoring results, the status of actions from previous reviews and any changes in the organization's internal or external issues, decide how the problems will be rectified and by whom, and record the minutes of the meeting as evidence that the review took place.
10. Corrective and preventive actions
For each finding from the internal audit and the management review, identify the root cause of the problem. Then take corrective action to fix the problem and to make sure it does not occur again, and verify later that the action was actually effective. Note that since the 2013 edition of ISO 27001, "preventive action" is no longer a separate requirement; preventing problems before they occur is handled by the risk assessment and risk treatment process, and the standard itself speaks of nonconformity and corrective action.
Once all these steps are done, you are ready for a certification audit. Invite an accredited certification body to audit your scope; the certification audit is normally done in two stages, a review of your documentation (Stage 1) followed by an audit of the implementation (Stage 2), after which your organization can be certified to ISO 27001 for the defined scope.
Does the implementation look hard to do by yourself? No need to worry! 😟
EncryptAsia is one of the pioneers in consulting for ISO 27001 implementation. Our specially crafted methodologies help companies achieve the task more easily. Feel free to contact us for any assistance regarding ISO 27001; we are more than happy to help you 🙂
We hope this blog was informative. If you have any suggestions, questions or criticisms, leave them in the comment box below. Have a nice day! 🙂