How/Where do I start?

STEP 1 Management

First get support from your top management. They must demonstrate their commitment and determination to implement an ISO27001 Information Security Management System in your organisation. Without top management commitment, no information security initiative can succeed.

To provide evidence of commitment to the development and implementation of an ISMS and continually improve its effectiveness, top management should:

1. make clear to the organisation the importance of meeting customer, statutory and regulatory requirements,
2. define the organisation's information security policy and making this known to every member of staff
3. ensure that information security objectives are established at all levels and for all functions
4. ensure the availability of those resources required for the development and implementation of the ISMS
5. lead the required management review meetings
6. encourage the involvement of all staff
7. identify and communicate the key objectives to be achieved through the ISMS, such as:
8. keeping confidential information secure
9. providing customers and stakeholders with confidence in how we manage risk
10. allowing the secure exchange of information
11. ensuring that legal obligations are met
12. providing a competitive advantage
13. better managing and minimising risk exposure
14. raising awareness of security issues

STEP 2 Appointing the team

Top management should appoint an Information Security Management Representative (ISMR), as its project manager to plan and oversee implementation, and a supportive team, including representatives of all organisational functions who fall within the scope.

The "Information Security Management Representative" will have to (and be keen to) become expert in and champion ISO27001, have the necessary attributes and authority to lead the implementation team and, should you go for third party certification, to represent your organisation to the certifier. The ISMR should:

1. have the total backing of the CEO or equivalent
2. have a genuine and passionate commitment to Information Security in general and the implementation of an ISO 27001 ISMS in particular
3. have the ability and presence to influence staff at all levels and functions of the organisation
4. be organised, a clear and logical thinker, computer literate
5. have a wide understanding of the processes that underlie business operations
6. have a good knowledge of Information Security methods in general and ISO 27001 in particular (or a quick learner, training would be highly advantageous)

ISO 27001 requires that the ISMR has clear responsibility for:

1. ensuring that ISMS defined, implemented, maintained and improved in conformance with the requirements of ISO 27001
2. reporting to top management on how well, or poorly, the ISMS is performing, including identifying any needs for improvement

STEP 3 Staff Awareness Training

It is important to inform all relevant staff, as early as possible, that you plan to adopt an ISO 27001 ISMS. You will need to explain the concept of ISO 27001 and how it will affect all staff so as to gain buy‐in and support.

Training programs should be structured for different categories of staff ‐ senior managers, middle‐level managers, supervisors and operatives. This training should cover:

1. the basic concepts of ISMSs and the standard,
2. the overall impact on the company's strategic goals
3. the changed work processes, and the likely work culture implications of the ISMS

In addition, initial training may also be necessary on such issues as process mapping.

STEP 4 Decide on the scope of your ISMS

4.1. General

Top management must define the scope of your ISMS implementation to match the scope of the information that the ISMS is aiming to protect. Getting the scope right for your purposes can be tricky, so we will go into a little detail.

It doesn't matter how or where this information is stored, you are setting out to protect this information no matter where, how, and by whom this information is accessed.

So, for example, if you have mobile devices, then even if they contain no sensitive information, they would fall within the scope if they can remotely access secure information stored on your network.

If you go for certification, the auditor will check if all the elements of the ISMS work well within your scope, he won't check the departments or systems that are not included in your scope.

Basically, ISO 27001 says you have to do the following when defining the scope:

1. take into account internal and external issues defined in clause 4.1
2. take into account all the requirements defined in clause 4.2
3. consider interfaces and dependencies between what is happening within the ISMS scope and the outside world

Although it is not required by the standard, it is often helpful to include a short description of your location (you could use floor plans to describe the perimeter) and organisational units (e.g., org charts) in your documented scope.

• • You can define your scope directly on the Cetbix platform under the content Scope.

4.2. Dependencies

To best visualise this, draw your processes (all business processes, not just security or IT processes) that are included in your ISMS scope, and then outside of this circle draw the processes that are provided from outside of your scope.

Once you know the dependencies, you have to identify the interfaces. Once you have identified the interfaces and their inputs/outputs you can include them in the scope if they impact on information security.

4.3. 27001 Example Scopes

1. The Information Security Management System (ISMS) applies to the control of our entire business, premises and resources within the UK. Premises and resources outside of the UK are excluded from the ISMS scope.
2. The ISMS is scoped to include all business processes conducted by the IT department at XYS motors. All other business units are excluded from scope.
3. The ISMS will protect the confidentiality, integrity and availability of XYS motors customer data at all times while in UK offices. This includes IT department, call centres and XYS office locations.

STEP 5 Perform a Gap Assessment

The first major task of the ISMR is to conduct a comparison of your existing ISMS with the requirements of the ISO27001 standard. This is often referred to as "gap assessment" and should determine:

1. what existing company policies and procedures already meet ISO 27001 requirements
2. what existing policies and procedures need to be modified to meet ISO 27001 requirements
3. what additional policies and procedures need to be created to meet ISO 27001 requirements

This can be done using the Cetbix ISO27005 questionnaires or the BSI questionnaires on your ISMS dashboard under "Situational"..

   ISO/IEC 27005 deals exclusively with information security risk management. It describes the procedures for conducting an information                security risk assessment in accordance with ISO 27001. The ISO 27005 guidelines are a subset of a broader set of best practices for preventing data breaches in your organisation. The specification provides guidance for formally identifying, assessing, evaluating and addressing information security vulnerabilities - procedures that are central to an ISO27k Information Security Management System (ISMS). Its aim is to ensure that organisations rationally plan, execute, administer, monitor and manage their information security controls and other arrangements related to their information security risks. Like the other standards in the series, ISO 27005 does not set out a clear path to compliance. It merely recommends best practices that can be incorporated into any standard ISMS. The other alternative to the ISO27005 risk assessment is the BSI questionnaire.

STEP 6 Initial asset review and data collection

At this phase, you need to start determining your assets. While this step isn't absolutely necessary, it is often useful, in that you will better understand the task ahead and better able to predict timescales, to do an initial scan of assets and their associated risks before drawing up a detailed implementation plan.

6.1 Asset identification

Guided by the included Appendix A Controls 'Asset Management Controls' document, carry out an initial fist scan of information assets:

Firstly, list out those information processing facilities that are used by more than one department, such as:

1. the company website
2. the front office (visitor log, employee attendance, material check-in and check-out, security checks, etc.)
3. Local Area Network (server computer, server operating system software, routers, client computers, etc.)
4. ERP software
5. client database
6. access control system, etc.

All these assets can be inventoried using the Cetbix Asset Inventory on your dashboard.

Then look at information assets within each department (both electronic and hardcopy), such as:

1. CRM software
2. customer supplied specifications and other proprietary items
3. email / hardcopy communication with customers, etc.
4. marketing department database and systems
5. R&D data of the design department
6. testing software and test reports
7. designs and specifications
8. databases

All these assets can be inventoried using the Cetbix Asset Inventory on your dashboard.

6.2 Initial information security risk assessment

ISO 27001 sets out the process you should adopt to identify, analyse, evaluate and treat the risks to your information assets: Guided by the Control of Risks and Opportunities Procedure, conduct an initial risk assessment for each functional area to:

1. identify the risks and risk owners
2. identify the affected information assets and their owners
3. quantify the risk
4. prioritise risks for treatment

If the same risk applies to more than one area, you may put them together when treating the risk.

In addition to the simple risk assessment approach that we have included, there are plenty of mature, risk management frameworks, such as : ISO/IEC 27005, ISO 31000, NIST SP800-37 (RMF)

Risks arise from your existing assets, so consider;

1. What information do we have?
2. Who are responsible for them?
3. Which of those should we protect?
4. In what priority should we protect them?
5. What costs are we willing to treat these risks?

All this is assessed on the Cetbix asset inventory on your dashboard - when you click on an asset, you are taken to the "audit page"

In your considerations:

1. use the ISMS defined context
2. define risk appetite and tolerance: how much is too much risk?

Consider watching this video

6.3 Prepare of tentative 'Statement of Applicability'

Bearing in mind the list of identified risks, go through the control checklist (based on Annex A of the standard) and identify those control objectives and controls which are applicable and why and also record those which you consider to not be applicable, and why. Cetbix automatically generates your SOA report for you. To generate your SOA on Cebit follow the following steps.

1. Add assets to your inventory and click on the added asset to access the profile of that asset.
2. Assign a threat (if known) to each asset under "Quantitative Risk Identification" under "Expected Threat Exposure and Cost".
   1. Note: You can only assign threats if you add a value in the "Asset Cost & Benefit Assessment".
3. Now analyse the assets under "Risk Analysis & Audit Controls".
   1. Select the vulnerability for the detected threat under "Quantitative Risk Identification".
4. Scroll down under "Risk Analysis & Auditing Controls" to "ISO27001 controls list: the 14 control sets of Annex A" and assign the controls accordingly.
5. Fill in all the required information that is needed on this page such as the Inherent & Residual Risk.
   1. The Inherent & Residual Risk values are generated on your USER Dashboard under Methodology.
6. After you have assigned the controls to your assets, saved all settings and established the risk, you should then click on "Save & Submit" as the last end. Note; if you have the RISK ACCEPTANCE feature, then you could simply print and submit the risk to your management or engage this digitally on the Cetbix platform.
7. Now go to the sidebar and search for "Audit" -> "Controls Check" and ensure all settings are rechecked here.
8. Now go to the sidebar and search for "Audit" -> "Reports" and "SOA".

6.4 Risk Treatment Plan

Review the findings of the initial risk assessment and prepare an initial risk treatment plan. Remember, only risk owners can accept risks and their treatment! Cetbix automatically generates your RTP report for you. Other reports such as Risk Register, Asset Register and other reports are generated automatically on Cetbix.

STEP 7 Implementation Planning

At this stage 7, you have been able to verify both issues in your ISO27005 assessment and your "Assets" assessment. That was your gap assessment phase. Now you should have a clear picture of how your existing ISMS compares with the ISO 27001 standard.

A detailed implementation plan should then be developed that identifies and describes the tasks required to make your ISMS fully compliant with the standard. This plan needs to be both thorough and specific, including the:

1. information security documentation to be developed
2. person or team responsible
3. training required
4. resources required
5. approvals required (if you are going for third party certification)
6. estimated completion date

Cetbix automatically generates your implementation plan for you if you have already activated that feature. You could also use your own local system to get this done.

The time required to get from a decision to implement to final certification depends on many factors. It is essential that the plan is neither rushed, nor so slow that energy and momentum are lost. You need a high-level implementation action plan, for a modest implementation.

STEP 8 Documentation Development

Congratulations - having purchased Cetbix license, you are provided with all documentations and forms digitally and manually which is going to be a lot easier that it might otherwise have been!

STEP 9 Implementation

9.1 Implementation and Employee Training

The newly documented ISMS is now ready to be implemented throughout your organisation. Management and staff should be trained in the new or revised work processes, procedures and record keeping as set out in the ISMS.

9.2 Train Internal Auditors & undertake internal audits

ISO 27001 requires that you periodically perform an internal audit to evaluate the effectiveness of your ISMS and check that it complies both with ISO 27001 requirements and your organisation's documented work practices.

An audit is a 'systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled'

Internal audits help with the implementation of your ISMS and a complete internal audit is also required before you can pass your certification audit.

Your internal audit program should be planned taking into consideration the status and importance of the different processes making up your operations.

At least two of your employees will need to be trained as internal auditors. Internal auditors should be able to be objective and impartial and may not audit their own work.

9.3 Management Review

Management reviews are conducted to ensure the continuing suitability, adequacy and effectiveness of your ISMS. The review should include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and objectives. Management Reviews should consider all aspects of the performance of the ISMS, including:

1. the results of audits
2. information security management system performance
3. emergency preparedness and response
4. status of preventive and corrective actions follow‐up actions from previous management reviews
5. changes that could affect the ISMS, and recommendations for improvements

It is useful to hold management reviews fairly frequently once the ISMS becomes operative and to only lengthen the periods between each review once you are confident the ISMS is operating satisfactorily as confirmed by both internal and external audits.

9.4 Choosing an ISMS Certifier

A certification body is an independent organisation that is officially accredited to issue ISMS certifications. If you intend going for certification, It is advisable to select a certification body that is suited to your organisation relatively early in your implementation program. The certifier will audit your company's ISMS and, if the audit is successful, issue a certificate confirming that your ISMS meets the requirements of ISO 27001:2013.

When choosing a certification body to carry out your ISO 27001 certification audit, consider the following:

1. is the certification body accredited and, if so, by whom?

• • Accreditation means that the certification body has been officially approved, by a national accreditation body, as competent to carry out certification**.

1. is the certification body recognised by your company's customers?
2. do the certification body's auditor(s) have experience in your organisation's business sector?

can they provide reference sites?

STEP 10 Practical advice on complying with ISO 27001

ISMS motto: 'the less you {own, do, manage, keep...}, the easier to comply!'

1. outsource non-essential services, leverage cloud services: email, antivirus, server monitoring, infrastructure and backups
2. do not keep data that is not necessary (data = burden)
3. automate, automate, automate - don't do things that the computer can do for you
4. don't get carried away, align with realistic and current security demands to ensure a minimal attack surface

KISS

1. simple policies can be understoo
2. simple procedures can be followed
3. small is beautiful in documenting ISMS

Statement of Applicability (SoA)

1. most controls apply to the full scope
2. tailor at the operational / functional levels (teams)
3. use the self-assessment checklists

STEP 11 Assessment and Certification

11.1 Pre-Assessment Audit

When your ISMS has been in operation for a few months and has stabilised, you can schedule an initial 'Pre-Assessment' certification audit to be undertaken by your selected certification body.

Your selected certification body will first carry out an audit of your documentation and then, if your documents meet the requirements of the standard, the certifier will visit your facility and perform a pre-assessment audit to ensure all applicable ISO 27001 requirements have been met.

11.2 Corrective Actions

Following your pre-assessment audit, you need to review the results and take any necessary corrective actions to correct any non-conformances (activities that are not in compliance with the requirements of the standard and/or your own documented work practices) flagged by the certification auditors during the pre-assessment audit.

11.3 Certification Audit

One you are satisfied that all non-conformances flagged during your pre-assessment have been addressed, ask your selected certifier to perform a full certification audit to ensure all applicable ISO 27001 requirements have been met.

Following the successful completion of a full certification audit you will be awarded an ISO 27001 Certificate, generally for a period of three years. During this three‐year period, your certification body will carry out periodic surveillance audits to ensure that the system is continuing to operate satisfactorily.

11.4 Continual Improvement

Certification to ISO 27001 is not the end of the story. As required by the standard, you should continually seek to improve the effectiveness and suitability of your ISMS through the use of your:

1. Information Security policy
2. Information Security objectives
3. audit results
4. analysis of data
5. corrective and preventive actions
6. management review