Difference between revisions of "ISO"
Changes in this revision (old text → new text):

Line 2: "== STEP 1 ==" → "== STEP 1 Management =="
Line 22: "== STEP 2 ==" → "== STEP 2 Appointing the team =="
Line 38: two new sections added after the STEP 2 responsibilities list: "== STEP 3 Staff Awareness Training ==" and "== STEP 4 Decide on the scope of your ISMS ==" (with subsections 4.1 General, 4.2 Dependencies and 4.3 27001 Example Scopes). The existing section "=== Why is there no score or graph? ===" follows unchanged. The full text of the new sections appears in the revision below.
Revision as of 00:38, 10 December 2021
How/Where do I start?
STEP 1 Management
First get support from your top management. They must demonstrate their commitment and determination to implement an ISO 27001 Information Security Management System (ISMS) in your organisation. Without top management commitment, no information security initiative can succeed.
To provide evidence of commitment to the development and implementation of an ISMS, and to continually improve its effectiveness, top management should:
- make clear to the organisation the importance of meeting customer, statutory and regulatory requirements
- define the organisation's information security policy and make it known to every member of staff
- ensure that information security objectives are established at all levels and for all functions
- ensure the availability of the resources required for the development and implementation of the ISMS
- lead the required management review meetings
- encourage the involvement of all staff
- identify and communicate the key objectives to be achieved through the ISMS, such as:
  - keeping confidential information secure
  - providing customers and stakeholders with confidence in how we manage risk
  - allowing the secure exchange of information
  - ensuring that legal obligations are met
  - providing a competitive advantage
  - better managing and minimising risk exposure
  - raising awareness of security issues
STEP 2 Appointing the team
Top management should appoint an Information Security Management Representative (ISMR) as its project manager to plan and oversee implementation, supported by a team that includes representatives of all organisational functions falling within the scope.
The ISMR will have to (and be keen to) become an expert in and champion of ISO 27001, have the necessary attributes and authority to lead the implementation team and, should you go for third-party certification, represent your organisation to the certifier. The ISMR should:
- have the total backing of the CEO or equivalent
- have a genuine and passionate commitment to information security in general and to the implementation of an ISO 27001 ISMS in particular
- have the ability and presence to influence staff at all levels and functions of the organisation
- be organised, a clear and logical thinker, and computer literate
- have a wide understanding of the processes that underlie business operations
- have a good knowledge of information security methods in general and ISO 27001 in particular (or be a quick learner; training would be highly advantageous)
ISO 27001 requires that the ISMR has clear responsibility for:
- ensuring that the ISMS is defined, implemented, maintained and improved in conformance with the requirements of ISO 27001
- reporting to top management on how well, or poorly, the ISMS is performing, including identifying any needs for improvement
STEP 3 Staff Awareness Training
It is important to inform all relevant staff, as early as possible, that you plan to adopt an ISO 27001 ISMS. You will need to explain the concept of ISO 27001 and how it will affect all staff, so as to gain buy-in and support.
Training programmes should be structured for the different categories of staff: senior managers, middle-level managers, supervisors and operatives. This training should cover:
- the basic concepts of ISMSs and the standard
- the overall impact on the company's strategic goals
- the changed work processes, and the likely work-culture implications of the ISMS
In addition, initial training may also be necessary on such issues as process mapping.
STEP 4 Decide on the scope of your ISMS
4.1. General
Top management must define the scope of your ISMS implementation to match the scope of the information that the ISMS is aiming to protect. Getting the scope right for your purposes can be tricky, so we will go into a little detail.
It doesn't matter how or where this information is stored: you are setting out to protect it no matter where, how, and by whom it is accessed.
So, for example, if you have mobile devices, then even if they contain no sensitive information, they fall within the scope if they can remotely access secure information stored on your network.
If you go for certification, the auditor will check whether all the elements of the ISMS work well within your scope; the auditor won't check the departments or systems that are not included in your scope.
Basically, ISO 27001 says you have to do the following when defining the scope:
- take into account the internal and external issues defined in clause 4.1
- take into account all the requirements defined in clause 4.2
- consider the interfaces and dependencies between what is happening within the ISMS scope and the outside world
Although it is not required by the standard, it is often helpful to include a short description of your location (you could use floor plans to describe the perimeter) and organisational units (e.g., org charts) in your documented scope.
- You can define your scope directly on the Cetbix platform under the content Scope.
4.2. Dependencies
To best visualise this, draw a circle containing all the processes (all business processes, not just security or IT processes) that are included in your ISMS scope, and then outside this circle draw the processes that are provided from outside your scope.
Once you know the dependencies, you have to identify the interfaces. Once you have identified the interfaces and their inputs/outputs, you can include them in the scope if they affect information security.
4.3. 27001 Example Scopes
- The Information Security Management System (ISMS) applies to the control of our entire business, premises and resources within the UK. Premises and resources outside of the UK are excluded from the ISMS scope.
- The ISMS is scoped to include all business processes conducted by the IT department at XYS motors. All other business units are excluded from scope.
- The ISMS will protect the confidentiality, integrity and availability of XYS motors customer data at all times while in UK offices. This includes IT department, call centres and XYS office locations.
Why is there no score or graph?
The Cetbix ISMS concept is that risk is zero if there are no threats or vulnerabilities, which means that nothing is shown on the graph.