Implementation of ISO 27001, the international standard that describes best practice for an ISMS (information security management system), takes time and effort.
However, any ISO 27001 implementation project can be successful when it is properly managed and led. Adopting the Standard isn’t as expensive or as difficult as you might think.
ISO 27001 implementation checklist
- Get familiar with ISO 27001 and ISO 27002
August’s book of the month, Nine Steps to Success – An ISO 27001 Implementation Overview, is the essential companion guide for anyone undertaking an ISO 27001 project. Written by ISO 27001 expert Alan Calder, it will help you get to grips with the Standard’s requirements and make your project a success. Save 10% when you buy before the end of August.
- Assemble a project team and initiate the project
You will need to determine the project objective, the project team (typically with a project board for projects scheduled to take longer than nine months), a project plan and a project risk register.
IT Governance’s range of ISO 27001 training courses teaches IT professionals across the GCC (Gulf Cooperation Council) countries how to implement an ISMS from beginning to end, including how to overcome common pitfalls and challenges. Book your place on our ISO27001 Certified ISMS Lead Implementer Online training course.
- Conduct a gap analysis
A gap analysis compares your current practices against the Standard’s mandatory clauses and the Annex A controls. It establishes which requirements your organisation doesn’t yet meet, so you can see what needs to be done to become compliant and size the rest of the project accordingly.
- Scope the ISMS
This is an essential step in your project. A scope that’s too big will escalate the time and cost of the project, and a scope that’s too small will leave your organisation exposed to risks that were never considered, or leave an auditor questioning why an obvious part of the business was left out.
The scope must be documented in a ‘scope statement’ that identifies what information needs to be protected and the boundaries of the ISMS: the business units, locations, assets and technologies it covers, and its interfaces with and dependencies on third parties and the rest of the organisation. The ISO 27001 ISMS Documentation Toolkit contains a customisable scope statement, as well as templates for every document you need to implement an effective ISMS and comply with the Standard.
- Develop policies, procedures and other key ISO 27001 documentation
You need to set out high-level policies for the ISMS that establish roles and responsibilities and define how the ISMS will be measured and continually improved. Mandatory documentation includes the scope, an information security policy, the information security objectives and the risk assessment and risk treatment processes, and mandatory records include evidence of competence and the results of risk assessments, audits and management reviews.
The ISO 27001 ISMS Documentation Toolkit contains customisable templates and will save you weeks of work trying to develop all the required policies and procedures.
- Carry out a risk assessment
ISO 27001 risk assessments are at the core of the ISMS. They give you a structured picture of the risks to the information within the ISMS scope, the threats and vulnerabilities involved, and the likelihood and impact of each risk, assessed against criteria you define and can repeat consistently. Risk assessments also show whether the controls already in place are necessary and cost-effective, and where gaps remain.
Undertake consistent, repeatable risk assessments with leading tool vsRisk™, which includes a database of risks and the corresponding ISO 27001 controls, and enables you to conduct the risk assessment accurately and effectively.
- Select and apply controls
ISO 27001 requires organisations to apply controls to treat the risks identified in the risk assessment. The controls you select must then be compared against the reference controls in Annex A of the Standard to make sure no necessary control has been overlooked; ISO 27002 gives implementation guidance for each of those controls. Annex A is a checklist for completeness, not a menu to be applied in full: a control is only required where a risk justifies it.
- Develop risk-focused documentation
ISO 27001 requires an RTP (risk treatment plan) and SoA (Statement of Applicability) to be produced. The RTP records how each risk will be treated, by whom and by when. The SoA lists every Annex A control, states whether it has been applied, and gives a justification for its inclusion or exclusion; it is one of the first documents a certification auditor will ask for, so every exclusion needs a defensible reason.
vsRisk can generate six audit-ready reports, including the SoA, which can be exported, edited and shared across the business and with auditors.
- Conduct staff awareness training
People are consistently the weakest link in cyber security, and most incidents involve human error at some point. To increase awareness of information security issues and the purpose of the ISMS, all employees should receive regular training, and the Standard requires you to keep records of it.
Our Information Security & ISO27001 Staff Awareness e-learning Course is a cost-effective solution for improving general staff awareness about information security and the ISMS.
- Assess, review and conduct an internal audit
ISO 27001 requires internal audits at planned intervals to confirm that the ISMS conforms to the Standard and your own requirements, and that controls and incident response arrangements are working as intended. Top management must also review ISMS performance at planned intervals, typically at least annually, and act on the findings; the audit results and management review minutes are records the certification auditor will expect to see.
Our ISO27001 Certified ISMS Lead Auditor Online Masterclass equips you with all the skills to successfully undertake or lead an ISMS audit project.
- Opt for a certification audit
An accredited certification body will provide an independent opinion on whether your ISMS conforms to the Standard. The audit is carried out in two stages: a documentation review, which checks that the mandatory documents (scope, policies, risk assessment, RTP and SoA) are in place, followed by a site audit that checks the controls you have declared in the SoA are actually implemented and tests your procedures in practice. Any nonconformities must be closed before the certificate is issued, and surveillance audits then follow throughout the three-year certification cycle.
Need a quote or practical advice?
If you want more guidance or an obligation-free quote, we can help. Get in touch with your details and we can explain the available options and important considerations for tackling an ISO 27001 implementation or certification project.