ISO 27001 is the International standard for the quality management for information security management systems (ISMS). The standard is a benchmark for organisations to demonstrate that they follow best practice on information security.
The benefits of gaining the ISO 27001 accreditation ensures that you have considered all aspects of your information security and that you are adopting best practice guidelines in a consistent and cost-effective manner.
Organisations that wish to implement an ISMS (information security management system) based on ISO 27001 need to be aware of the key steps involved in gaining accreditation.
It requires a dedicated team to lead the implementation. Small businesses with 19 employees or fewer can achieve ISO 27001 in just three months, but for a larger organisation this can take up to a year depending on the company’s circumstances.
- Undertake a gap analysis
Identify if there are any weaknesses in your organisation’s cyber security and what the gaps are between your operations and ISO 27001’s requirements. Allocate a budget and the technical and operational support to implement the project.
- Identify the scope of the project
Decide what should be included and what should be excluded. It can take time to identify all the processes involved and areas of weakness or risk that need to be built into the project implementation.
- Develop your information security policy
If your organisation does not have an information security policy, you’ll need to develop one, which will need to be approved by senior management. If you already have one, identify whether it needs to be updated.
- Undertake a risk assessment
Identify any risks and estimate the perceived level of risk. This will help you determine whether the levels of risk are acceptable and what controls can be implemented to mitigate risk and any costs involved.
- Select your controls and produce a Statement of Applicability
Implement controls to mitigate identified risks. ISO 27001 contains an annex of controls for managing information security risk. Document whether all the applicable controls have been implemented or not, and justify the inclusion or exclusion of controls from ISO 27001.
- Create a risk treatment plan
Document how the risks identified within the risk assessment are being mitigated.
- Develop control documentation
Produce documentation that will support a consistent approach to implemented controls and help enhance the ISMS.
- Conduct staff awareness training
Introduce a staff awareness programme that explains the procedures and benefits of the ISMS to staff, as well as how to handle information security issues.
- Conduct internal audits
Conduct regular tests of the ISMS to ensure that the controls are working effectively. Incident response plans should be tested on a regular basis to ensure they achieve the desired result.
- Undertake management reviews
Senior management should undertake an annual performance review of the ISMS to ensure its effective operation.
- Select your certification organisation
Identify a certification body that has been accredited by a recognised national accreditation body, which should be a member of the International Accreditation Forum.
- Apply for accreditation
Arrange for your chosen certification body to check your company’s documentation and ensure that you have implemented appropriate controls. Your certification body will conduct an on-site audit to confirm that you are in compliance with ISO 27001.
- Implement continual reviews
Upon achieving ISO 27001 accreditation, organisations need to implement continual improvement plans to maintain and develop the ISMS.
- Need support with implementing ISO 27001?
IT Governance is a global expert in implementing ISO 27001. We’ve supported more than 400 organisations in achieving accreditation to the Standard, and are committed to helping organisations throughout the GCC countries, whatever their size or budget.
If you’re interested in obtaining ISO 27001 certification but don’t know where to start, talk to one of our experts. Or you can download our free green paper Implementing an ISMS – The nine-step approach for a quick introduction.