How/Where do I start?

STEP 1 Management

First get the support of your top management. They must demonstrate their commitment and determination to implement an ISO27001 information security management system in your organisation. No information security initiative can be successful without commitment from top management.

To demonstrate commitment to the development and implementation of an ISMS and to continuously improve its effectiveness, top management should:

1. make clear to the organisation the importance of meeting customer, legal and regulatory requirements,
2. establish the organisation's information security policy and make it known to every employee.
3. ensure that information security objectives are established at all levels and for all functions
4. ensure the availability of the resources required for the development and implementation of the ISMS
5. lead the required management review meetings.
6. encourage the involvement of all staff
7. identify and communicate the key objectives to be achieved by the ISMS, such as:
   1. protecting confidential information
   2. giving customers and stakeholders confidence in our risk management
   3. enabling the secure exchange of information
   4. ensuring compliance with legal obligations
   5. provide a competitive advantage
   6. better manage and minimise risks
   7. raising awareness of security issues.

STEP 2 Appoint the team

Top management should appoint an Information Security Management Representative (ISMR) as the project leader to plan and oversee the implementation, and a supporting team that includes representatives from all corporate functions that fall within the scope.

The 'Information Security Management Representative' must become an expert in and committed to ISO27001, have the necessary attributes and authority to lead the implementation team and, if you choose to pursue third-party certification, represent your organisation to the certifier. The ISMR should:

1. have the full backing of the CEO or equivalent.
2. have a genuine and passionate commitment to information security in general and to the implementation of an ISO 27001 ISMS in particular
3. have the ability and presence to influence staff at all levels and functions of the organisation
4. have organisational skills, a clear and logical mindset, computer skills
5. a comprehensive understanding of the processes underlying business operations
6. Good knowledge of information security methodologies in general and ISO 27001 in particular (or a quick learner, training would be a great advantage).

ISO 27001 requires that the ISMR has a clear responsibility for:

1. ensuring that the ISMS is defined, implemented, maintained and improved in accordance with the requirements of ISO 27001.
2. Reporting to senior management on how well or poorly the ISMS is performing, including identifying areas for improvement.

STEP 3 Raise awareness among employees

It is important to inform all affected employees as early as possible that you are planning to implement an ISO 27001 ISMS. You need to explain the concept of ISO 27001 and how it will affect all employees to get them to adopt and support it.

Training programmes should be structured for different categories of staff - senior managers, mid-level managers, supervisors and employees. These training programmes should cover.

1. the basic concepts of ISMS and the standard,
2. the general implications for the organisation's strategic objectives
3. the changing work processes and the likely impact of the ISMS on the work culture.

In addition, initial training on topics such as process mapping may also be required.

STEP 4 Decide on the scope of your ISMS

4.1. General

Top management needs to determine the scope of your ISMS implementation so that it matches the scope of the information the ISMS is designed to protect. It can be difficult to get the scope right for your purposes, so let's go into a little detail.

It doesn't matter how or where this information is stored, you want to protect this information no matter where, how or by whom it is accessed.

So if you have mobile devices, for example, even if they don't contain sensitive information, they fall within the scope if they can remotely access secure information stored on your network.

When you get certified, the auditor checks that all the elements of the ISMS are working well within your scope, he does not check the departments or systems that are not included in your scope.

Basically, ISO 27001 states that you must do the following when defining your scope:

1. Consider the internal and external aspects defined in section 4.1.
2. Consider all requirements defined in section 4.2
3. Consider interfaces and dependencies between what happens within the ISMS scope and the external world.

Although it is not required by the standard, it is often helpful to include a brief description of your location (you could use floor plans to describe the site) and organisational units (e.g. organisation charts) in your documented scope.

• • You can define your scope directly on the Cetbix Platform under the content Scope.

4.2. Dependencies

To best visualise this, draw your processes (all business processes, not just security or IT processes) that are included in your ISMS scope, and then outside that circle, draw the processes that are provided from outside your scope.

Once you know the dependencies, you need to identify the interfaces. Once you have identified the interfaces and their inputs/outputs, you can include them in the scope if they have an impact on information security.

4.3. 27001 Example Scopes

1. The Information Security Management System (ISMS) applies to the control of all our operations, premises and resources within the UK. Sites and resources outside the UK are excluded from the scope of the ISMS.
2. The ISMS covers all business processes carried out by the IT department at XYS motors. All other business units are excluded from the scope.
3. The ISMS will protect the confidentiality, integrity and availability of XYS motors' customer data at all times in the UK offices. This includes the IT department, call centres and XYS office locations.

STEP 5 Perform a Gap Assessment

The first major task of the ISMR is to conduct a comparison of your existing ISMS with the requirements of the ISO27001 standard. This is often referred to as "gap assessment" and should determine:

1. what existing company policies and procedures already meet ISO 27001 requirements
2. what existing policies and procedures need to be modified to meet ISO 27001 requirements
3. what additional policies and procedures need to be created to meet ISO 27001 requirements

This can be done using the Cetbix ISO27005 questionnaires or the BSI questionnaires on your ISMS dashboard under "Situational"..

   ISO/IEC 27005 deals exclusively with information security risk management. It describes the procedures for conducting an information                security risk assessment in accordance with ISO 27001. The ISO 27005 guidelines are a subset of a broader set of best practices for preventing data breaches in your organisation. The specification provides guidance for formally identifying, assessing, evaluating and addressing information security vulnerabilities - procedures that are central to an ISO27k Information Security Management System (ISMS). Its aim is to ensure that organisations rationally plan, execute, administer, monitor and manage their information security controls and other arrangements related to their information security risks. Like the other standards in the series, ISO 27005 does not set out a clear path to compliance. It merely recommends best practices that can be incorporated into any standard ISMS. The other alternative to the ISO27005 risk assessment is the BSI questionnaire.

Self Assessment

Cetbix ISO ISMS also offers the option for organisations to enter their own questionnaires into the platform without using ISO27005. This option can be achieved by activating "Self Assessment" under "User Dashboard".

STEP 6 Initial asset review and data collection

At this phase, you need to start determining your assets. While this step isn't absolutely necessary, it is often useful, in that you will better understand the task ahead and better able to predict timescales, to do an initial scan of assets and their associated risks before drawing up a detailed implementation plan.

6.1 Asset identification

Guided by the included Appendix A Controls 'Asset Management Controls' document, carry out an initial fist scan of information assets:

Firstly, list out those information processing facilities that are used by more than one department, such as:

1. the company website
2. the front office (visitor log, employee attendance, material check-in and check-out, security checks, etc.)
3. Local Area Network (server computer, server operating system software, routers, client computers, etc.)
4. ERP software
5. client database
6. access control system, etc.

All these assets can be inventoried using the Cetbix Asset Inventory on your dashboard.

Then look at information assets within each department (both electronic and hardcopy), such as:

1. CRM software
2. customer supplied specifications and other proprietary items
3. email / hardcopy communication with customers, etc.
4. marketing department database and systems
5. R&D data of the design department
6. testing software and test reports
7. designs and specifications
8. databases

All these assets can be inventoried using the Cetbix Asset Inventory on your dashboard.

6.2 Initial information security risk assessment

ISO 27001 sets out the process you should adopt to identify, analyse, evaluate and treat the risks to your information assets: Guided by the Control of Risks and Opportunities Procedure, conduct an initial risk assessment for each functional area to:

1. identify the risks and risk owners
2. identify the affected information assets and their owners
3. quantify the risk
4. prioritise risks for treatment

If the same risk applies to more than one area, you may put them together when treating the risk.

In addition to the simple risk assessment approach that we have included, there are plenty of mature, risk management frameworks, such as : ISO/IEC 27005, ISO 31000, NIST SP800-37 (RMF)

Risks arise from your existing assets, so consider;

1. What information do we have?
2. Who are responsible for them?
3. Which of those should we protect?
4. In what priority should we protect them?
5. What costs are we willing to treat these risks?

All this is assessed on the Cetbix asset inventory on your dashboard - when you click on an asset, you are taken to the "audit page"

In your considerations:

1. use the ISMS defined context
2. define risk appetite and tolerance: how much is too much risk?

6.3 Prepare of tentative 'Statement of Applicability'

Considering the list of identified risks, go through the control checklist (based on Annex A of the standard) and identify the control objectives and controls that are applicable and why, and also record those that you think are not applicable and why. 'Cetbix will automatically generate your SOA report for you. To create your SOA in Cetbix, follow these steps.

1. Add assets to your inventory and click on the added asset to access that asset's profile.
2. Assign a threat (if known) to each asset under "Quantitative Risk Identification' under "Expected Threat Exposure and Cost'.
   1. Note: You can only assign threats if you add a value in the "Asset Cost & Benefit Assessment'.
   2. Now analyse the assets under "Risk Analysis & Audit Controls.
   3. Select the vulnerability for the identified threat under "Quantitative Risk Identification'.
3. Scroll down to 'ISO27001 controls list: the 14 control sets of Annex A' under 'Risk Analysis & Auditing Controls' and assign the controls accordingly.
   1. Fill in all the required information needed on this page, such as the Inherent and Residual Risk.
   2. The Inherent & Residual Risk values are generated on your USER Dashboard under Methodology.
4. After you have assigned the controls to your assets, saved all settings and set the risk, the last step should be to click 'Save & Submit'. Note: If you have the RISK ACCEPTANCE feature, you can simply print out the risk and submit it to your management or enter it digitally on the Cetbix platform.
5. Now go to the sidebar and search for 'Audit -> 'Controls Check' and make sure all settings are rechecked here.
6. Now go to the sidebar and search for "Audit' -> "Reports' and "SOA'.

6.4 Risk Treatment Plan

Review the findings of the initial risk assessment and prepare an initial risk treatment plan. Remember, only risk owners can accept risks and their treatment! Cetbix automatically generates your RTP report for you. Other reports such as Risk Register, Asset Register and other reports are generated automatically on Cetbix.

STEP 7 Implementation Planning

At this stage 7, you have been able to verify both issues in your ISO27005 assessment and your "Assets" assessment. That was your gap assessment phase. Now you should have a clear picture of how your existing ISMS compares with the ISO 27001 standard.

A detailed implementation plan should then be developed that identifies and describes the tasks required to make your ISMS fully compliant with the standard. This plan needs to be both thorough and specific, including the:

1. information security documentation to be developed
2. person or team responsible
3. training required
4. resources required
5. approvals required (if you are going for third party certification)
6. estimated completion date

Cetbix automatically generates your implementation plan for you if you have already activated that feature. You could also use your own local system to get this done.

The time required to get from a decision to implement to final certification depends on many factors. It is essential that the plan is neither rushed, nor so slow that energy and momentum are lost. You need a high-level implementation action plan, for a modest implementation.

STEP 8 Documentation Development

Congratulations - with the acquisition of the Cetbix licence, you will be provided with all documents and forms digitally and manually, which will be much easier than it would have been otherwise!

STEP 9 Implementation

9.1 Implementation and Employee Training

The newly documented ISMS is now ready to be implemented throughout your organisation. Management and staff should be trained in the new or revised work processes, procedures and record keeping as set out in the ISMS.

9.2 Train Internal Auditors & undertake internal audits

ISO 27001 requires that you periodically perform an internal audit to evaluate the effectiveness of your ISMS and check that it complies both with ISO 27001 requirements and your organisation's documented work practices.

An audit is a 'systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled'

Internal audits help with the implementation of your ISMS and a complete internal audit is also required before you can pass your certification audit.

Your internal audit program should be planned taking into consideration the status and importance of the different processes making up your operations.

At least two of your employees will need to be trained as internal auditors. Internal auditors should be able to be objective and impartial and may not audit their own work.

9.3 Management Review

Management reviews are conducted to ensure the continuing suitability, adequacy and effectiveness of your ISMS. The review should include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and objectives. Management Reviews should consider all aspects of the performance of the ISMS, including:

1. the results of audits
2. information security management system performance
3. emergency preparedness and response
4. status of preventive and corrective actions follow‐up actions from previous management reviews
5. changes that could affect the ISMS, and recommendations for improvements

It is useful to hold management reviews fairly frequently once the ISMS becomes operative and to only lengthen the periods between each review once you are confident the ISMS is operating satisfactorily as confirmed by both internal and external audits.

9.4 Choosing an ISMS Certifier

A certification body is an independent organisation that is officially accredited to issue ISMS certifications. If you intend going for certification, It is advisable to select a certification body that is suited to your organisation relatively early in your implementation program. The certifier will audit your company's ISMS and, if the audit is successful, issue a certificate confirming that your ISMS meets the requirements of ISO 27001:2013.

When choosing a certification body to carry out your ISO 27001 certification audit, consider the following:

1. is the certification body accredited and, if so, by whom?

• • Accreditation means that the certification body has been officially approved, by a national accreditation body, as competent to carry out certification**.

1. is the certification body recognised by your company's customers?
2. do the certification body's auditor(s) have experience in your organisation's business sector?

can they provide reference sites?

STEP 10 Practical advice on complying with ISO 27001

ISMS motto: 'the less you {own, do, manage, keep...}, the easier to comply!'

1. outsource non-essential services, leverage cloud services: email, antivirus, server monitoring, infrastructure and backups
2. do not keep data that is not necessary (data = burden)
3. automate, automate, automate - don't do things that the computer can do for you
4. don't get carried away, align with realistic and current security demands to ensure a minimal attack surface

KISS

1. simple policies can be understoo
2. simple procedures can be followed
3. small is beautiful in documenting ISMS

Statement of Applicability (SoA)

1. most controls apply to the full scope
2. tailor at the operational / functional levels (teams)
3. use the self-assessment checklists

STEP 11 Assessment and Certification

11.1 Pre-Assessment Audit

When your ISMS has been in operation for a few months and has stabilised, you can schedule an initial 'Pre-Assessment' certification audit to be undertaken by your selected certification body.

Your selected certification body will first carry out an audit of your documentation and then, if your documents meet the requirements of the standard, the certifier will visit your facility and perform a pre-assessment audit to ensure all applicable ISO 27001 requirements have been met.

11.2 Corrective Actions

Following your pre-assessment audit, you need to review the results and take any necessary corrective actions to correct any non-conformances (activities that are not in compliance with the requirements of the standard and/or your own documented work practices) flagged by the certification auditors during the pre-assessment audit.

11.3 Certification Audit

One you are satisfied that all non-conformances flagged during your pre-assessment have been addressed, ask your selected certifier to perform a full certification audit to ensure all applicable ISO 27001 requirements have been met.

Following the successful completion of a full certification audit you will be awarded an ISO 27001 Certificate, generally for a period of three years. During this three‐year period, your certification body will carry out periodic surveillance audits to ensure that the system is continuing to operate satisfactorily.

11.4 Continual Improvement

Certification to ISO 27001 is not the end of the story. As required by the standard, you should continually seek to improve the effectiveness and suitability of your ISMS through the use of your:

1. Information Security policy
2. Information Security objectives
3. audit results
4. analysis of data
5. corrective and preventive actions
6. management review

12 Paperless Documentation

Cetbix helps you to create and maintain the accompanying reports and records to demonstrate your compliance with the standard. Your certification body will probably need to see each report:

   #Scope of the ISMS (4.3)
   #Information security policy (5.2 e)
   #Information security risk assessment process (6.1.2)
   #Information security risk treatment process (6.1.3)
   #Statement of Applicability (SoA) (6.1.3 d)
   #Information security objectives (6.2)
   #Evidence of competence (7.2)
   #Documentation necessary for the effectiveness of the ISMS (7.5.1 b)
   #Documentation necessary to have confidence that the processes required for operational planning and control have been carried out as planned (8.1)
   #Results of information security risk assessments (8.2)
   #Results of information security risk treatments (8.3)
   #Evidence of the information security performance monitoring and measurement results (9.1)
   #Internal audit programme(s) and audit results (9.2 g)
   #Evidence of the results of management reviews (9.3)
   #Evidence of nonconformities and any subsequent actions taken, and the results of any corrective actions (10.1)

Cetbix also automatically generates the following documents for you: scope, information security policy (section 5.2 of ISO 27001), risk assessment process according to section 6.1.2 and the SoA (Statement of Applicability).

13 Policies, Forms, Process Documentation

Cetbix has all the documentation you need for your ISO27001 certification and other compliance issues.