ISO 27001: A Step-by-Step Guide
Before certification comes the implementation of an Information Security Management System (ISMS). In this document we'll explain a step-by-step approach to implementing ISO27001 and obtaining that coveted "Certified for ISO27001" logo to put on your website.
This step-by-step approach has been tested to work best; and if we find a better way of doing it we'll be sure to update it here as well!
No worries! This is only for your general knowledge on what ISO27001 actually entails. Tidal Control will guide you through this process, and you will probably never actually have to look up the steps below!
Step 1: Preparation and Scope
Preparation:
Before starting the certification process it's crucial to understand the basics of the ISO27001 standard, the needs and expectations of your customers, regulators and other stakeholders, and the information security and privacy risks that your organisation faces.
Scope:
You’ll need to determine exactly what kind of information you need to protect before building your ISMS. For some companies, the scope of their ISMS includes their entire organization. For others, it includes only a specific department or system.
The scope of an ISMS starts with the information that needs to be protected. People, Processes, IT Systems and even People in scope are all derived from the information that needs to be protected.
The scope is not just for printing on your certificate. During the implementation of the ISMS you will often ask yourself the question: "Will I need to implement this measure?", quickly followed by: "Well, do I need it to protect the information I said our ISMS would protect?". It's that important to get it right.
Step 2: Gap Analysis and Risk Assessment
Gap Analysis
A gap analysis compares your current information security practices with ISO27001 requirements. While not mandatory, it helps identify areas needing improvement and allows you to develop a roadmap for achieving compliance. With the roadmap in hand you're ready to plan the implementation and obtain management buy-in for the project and the resources needed to ensure success.
Risk Assessment
A formal risk assessment is a requirement for ISO 27001 compliance. Identify and evaluate risks to information assets, and define how you will respond to these risks.
You can respond to risks in the following four ways:
- Accept the risk because the cost of mitigating it is greater than the risk itself. This is the easiest solution.
- Avoid the risk and the circumstances in which it can occur entirely, e.g. by ending a contract with a vendor that doesn't uphold the same standards as you do.
- Transfer the risk to another party, e.g. by outsourcing activities or purchasing insurance.
- Reduce the risk by implementing measures (controls) that reduce the likelihood that the risk will materialise, or the impact when it does. This is the most common option and the only option that remains if the other 3 options are not viable or desirable.
Many startups don’t have a dedicated compliance team and choose to hire an ISO consultant to help with their gap analysis and remediation plan. A consultant who has experience working with companies like yours can provide expert guidance to help you meet compliance requirements.
On top of that, they can help you establish best practices that strengthen your overall security posture.
Step 3: Implementing controls
With a clear understanding of the gaps, your organisation can begin selecting and implementing the necessary controls and policies to meet ISO27001 requirements. This includes:
Selecting necessary controls
For each risk that you have committed to reduce to acceptable levels you will want to define one or more controls. Selecting controls from a control library eliminates the need to design controls from scratch.
Establishing policies and procedures (process)
Every ISMS has a list of mandatory policies and procedures to be implemented. On top of that, and depending on the selected controls, you may want to define and implement additional policies and procedures applicable to your organisation and its ISMS.
Implement technical security measures (technology)
In many cases the implementation of an ISMS leads to identifying security gaps in systems and applications. This is as good a time as any to remediate these issues.
Remember, ISO is not about demonstrating that you have all required technical measures in place. What is important is that you have a continuous process in place to identify, monitor, and resolve gaps and other issues. However, solving issues may save a lot of time down the line, as it avoids the need for documenting and then tracking all of these steps!
Training and awareness (people)
ISO 27001 requires all employees to be trained about information security. While the focus is generally on implementing security awareness training for all staff, don't forget to identify the training needs (and provide training) for staff with specific responsibilities for information security and privacy. For example technical teams, software development teams, and the security and privacy officer themselves.
Establish a PDCA cycle approach to information security (governance)
An often overlooked aspect of ISO27001 is its main requirement, and that is to demonstrate compliance with chapters 4 to 10 of the standard. In practice that means establishing and documented each of the steps in management's Plan-Do-Check-Act (PDCA) cycle approach to information security. ISO27001 requires that the organisation has completed this cycle at least once before the certification audit can commence.
Step 4: Choosing an external ISO auditor
You will want to select your external auditor when you are far enough with the implementation with your ISMS to have confidence it will be completed before the stage I audit commences. Since external auditors typically have a planning horizon of 6-8 weeks, we generally advice to contract them well in advance.
Remember to complete a full PDCA cycle before your external audit starts! This includes completing at least one Management Review and Internal Audit covering the entire ISMS
Step 5: Monitor, measure and evaluate
Management Review
A formal management review ensures that your ISMS continues to meet your organization's policies and objectives. Senior management should review any issues, control gaps, ongoing risk treatment, changes to the ISMS and more to ensure that corrective actions are taken to address any identified issues. It is a mandatory step in the ISO process.
Internal Audits
Internal audits evaluate the effectiveness of your ISMS, identifying non-conformities and areas for improvement. The main difference with the management review is that the internal audit needs to be performed by individuals that are competent and impartial to the ISMS. They need to know the standard back to front, and they cannot audit controls they’ve selected or have operational control over. Your auditors should not be members of the implementation team or have any power to make changes after the audit.
Internal Audits may be performed by internal staff and even by someone working for the same organisation that is helping you implement the ISMS, as long as the individuals involved comply with the requirements of competence and objectivity.
Step 6: Audit preparation checklist
Completing an ISO Audit preparation checklist before the certification audit helps to ensure you identify any remaining gaps or areas of non-compliance in your ISMS. This allows you to address these issues before the external audit, reducing the risk of non-conformities being found by the auditors.
Step 7: Certification Audit
The certification audit is conducted in two stages by the chosen certification body:
Stage 1 Audit (Document Review):
The auditors review your ISMS documentation to ensure it aligns with ISO27001 requirements. This includes verifying that all necessary documents are in place and that the ISMS is appropriately designed.
Stage 2 Audit (On-Site Assessment):
The auditors visit your organization to assess the implementation and effectiveness of the ISMS. This involves interviews with staff, observation of processes, and examination of records to confirm that the ISMS operates as intended.
After the audits have been completed the external auditor will draw up their report and issue the certificate. Congratulations, you are now ISO27001 certified!
Maintaining an ISMS doesn't end with certification. Regular internal audits, management reviews, and continual improvement are crucial for compliance with ISO 27001. 💼 🚀