ISO
Contents
- 1 How/Where do I start?
- 2 STEP 1 Management
- 3 STEP 2 Appointing the team
- 4 STEP 3 Staff Awareness Training
- 5 STEP 4 Decide on the scope of your ISMS
- 6 STEP 5 Perform a Gap Assessment
- 7 STEP 6 Initial asset review and data collection
- 8 STEP 7 Implementation Planning
- 9 STEP 8 Documentation Development
- 10 STEP 9 Documentation Development
How/Where do I start?
STEP 1 Management
First get support from your top management. They must demonstrate their commitment and determination to implement an ISO27001 Information Security Management System in your organisation. Without top management commitment, no information security initiative can succeed.
To provide evidence of commitment to the development and implementation of an ISMS and continually improve its effectiveness, top management should:
- make clear to the organisation the importance of meeting customer, statutory and regulatory requirements,
- define the organisation's information security policy and making this known to every member of staff
- ensure that information security objectives are established at all levels and for all functions
- ensure the availability of those resources required for the development and implementation of the ISMS
- lead the required management review meetings
- encourage the involvement of all staff
- identify and communicate the key objectives to be achieved through the ISMS, such as:
- keeping confidential information secure
- providing customers and stakeholders with confidence in how we manage risk
- allowing the secure exchange of information
- ensuring that legal obligations are met
- providing a competitive advantage
- better managing and minimising risk exposure
- raising awareness of security issues
STEP 2 Appointing the team
Top management should appoint an Information Security Management Representative (ISMR), as its project manager to plan and oversee implementation, and a supportive team, including representatives of all organisational functions who fall within the scope.
The "Information Security Management Representative" will have to (and be keen to) become expert in and champion ISO27001, have the necessary attributes and authority to lead the implementation team and, should you go for third party certification, to represent your organisation to the certifier. The ISMR should:
- have the total backing of the CEO or equivalent
- have a genuine and passionate commitment to Information Security in general and the implementation of an ISO 27001 ISMS in particular
- have the ability and presence to influence staff at all levels and functions of the organisation
- be organised, a clear and logical thinker, computer literate
- have a wide understanding of the processes that underlie business operations
- have a good knowledge of Information Security methods in general and ISO 27001 in particular (or a quick learner, training would be highly advantageous)
ISO 27001 requires that the ISMR has clear responsibility for:
- ensuring that ISMS defined, implemented, maintained and improved in conformance with the requirements of ISO 27001
- reporting to top management on how well, or poorly, the ISMS is performing, including identifying any needs for improvement
STEP 3 Staff Awareness Training
It is important to inform all relevant staff, as early as possible, that you plan to adopt an ISO 27001 ISMS. You will need to explain the concept of ISO 27001 and how it will affect all staff so as to gain buy‐in and support.
Training programs should be structured for different categories of staff ‐ senior managers, middle‐level managers, supervisors and operatives. This training should cover:
- the basic concepts of ISMSs and the standard,
- the overall impact on the company's strategic goals
- the changed work processes, and the likely work culture implications of the ISMS
In addition, initial training may also be necessary on such issues as process mapping.
STEP 4 Decide on the scope of your ISMS
4.1. General
Top management must define the scope of your ISMS implementation to match the scope of the information that the ISMS is aiming to protect. Getting the scope right for your purposes can be tricky, so we will go into a little detail.
It doesn't matter how or where this information is stored, you are setting out to protect this information no matter where, how, and by whom this information is accessed.
So, for example, if you have mobile devices, then even if they contain no sensitive information, they would fall within the scope if they can remotely access secure information stored on your network.
If you go for certification, the auditor will check if all the elements of the ISMS work well within your scope, he won't check the departments or systems that are not included in your scope.
Basically, ISO 27001 says you have to do the following when defining the scope:
- take into account internal and external issues defined in clause 4.1
- take into account all the requirements defined in clause 4.2
- consider interfaces and dependencies between what is happening within the ISMS scope and the outside world
Although it is not required by the standard, it is often helpful to include a short description of your location (you could use floor plans to describe the perimeter) and organisational units (e.g., org charts) in your documented scope.
- You can define your scope directly on the Cetbix platform under the content Scope.
4.2. Dependencies
To best visualise this, draw your processes (all business processes, not just security or IT processes) that are included in your ISMS scope, and then outside of this circle draw the processes that are provided from outside of your scope.
Once you know the dependencies, you have to identify the interfaces. Once you have identified the interfaces and their inputs/outputs you can include them in the scope if they impact on information security.
4.3. 27001 Example Scopes
- The Information Security Management System (ISMS) applies to the control of our entire business, premises and resources within the UK. Premises and resources outside of the UK are excluded from the ISMS scope.
- The ISMS is scoped to include all business processes conducted by the IT department at XYS motors. All other business units are excluded from scope.
- The ISMS will protect the confidentiality, integrity and availability of XYS motors customer data at all times while in UK offices. This includes IT department, call centres and XYS office locations.
STEP 5 Perform a Gap Assessment
The first major task of the ISMR is to conduct a comparison of your existing ISMS with the requirements of the ISO27001 standard. This is often referred to as "gap assessment" and should determine:
- what existing company policies and procedures already meet ISO 27001 requirements
- what existing policies and procedures need to be modified to meet ISO 27001 requirements
- what additional policies and procedures need to be created to meet ISO 27001 requirements
This can be done using the Cetbix ISO27005 questionnaires or the BSI questionnaires on your ISMS dashboard..
STEP 6 Initial asset review and data collection
At this phase, you need to start determining your assets. While this step isn't absolutely necessary, it is often useful, in that you will better understand the task ahead and better able to predict timescales, to do an initial scan of assets and their associated risks before drawing up a detailed implementation plan.
6.1 Asset identification
Guided by the included Appendix A Controls 'Asset Management Controls' document, carry out an initial fist scan of information assets:
Firstly, list out those information processing facilities that are used by more than one department, such as:
- the company website
- the front office (visitor log, employee attendance, material check-in and check-out, security checks, etc.)
- Local Area Network (server computer, server operating system software, routers, client computers, etc.)
- ERP software
- client database
- access control system, etc.
All these assets can be inventoried using the Cetbix Asset Inventory on your dashboard.
Then look at information assets within each department (both electronic and hardcopy), such as:
- CRM software
- customer supplied specifications and other proprietary items
- email / hardcopy communication with customers, etc.
- marketing department database and systems
- R&D data of the design department
- testing software and test reports
- designs and specifications
- databases
All these assets can be inventoried using the Cetbix Asset Inventory on your dashboard.
6.2 Initial information security risk assessment
ISO 27001 sets out the process you should adopt to identify, analyse, evaluate and treat the risks to your information assets: Guided by the Control of Risks and Opportunities Procedure, conduct an initial risk assessment for each functional area to:
- identify the risks and risk owners
- identify the affected information assets and their owners
- quantify the risk
- prioritise risks for treatment
If the same risk applies to more than one area, you may put them together when treating the risk.
In addition to the simple risk assessment approach that we have included, there are plenty of mature, risk management frameworks, such as : ISO/IEC 27005, ISO 31000, NIST SP800-37 (RMF)
Risks arise from your existing assets, so consider;
- What information do we have?
- Who are responsible for them?
- Which of those should we protect?
- In what priority should we protect them?
- What costs are we willing to treat these risks?
All this is assessed on the Cetbix asset inventory on your dashboard - when you click on an asset, you are taken to the "audit page"
In your considerations:
- use the ISMS defined context
- define risk appetite and tolerance: how much is too much risk?
Consider watching this video
6.3 Prepare of tentative 'Statement of Applicability'
Bearing in mind the list of identified risks, go through the control checklist (based on Annex A of the standard) and identify those control objectives and controls which are applicable and why and also record those which you consider to not be applicable, and why. Cetbix automatically generates your SOA report for you.
6.4 Risk Treatment Plan
Review the findings of the initial risk assessment and prepare an initial risk treatment plan. Remember, only risk owners can accept risks and their treatment! Cetbix automatically generates your RTP report for you. Other reports such as Risk Register, Asset Register and other reports are generated automatically on Cetbix.
STEP 7 Implementation Planning
At this stage 7, you have been able to verify both issues in your ISO27005 assessment and your "Assets" assessment. That was your gap assessment phase. Now you should have a clear picture of how your existing ISMS compares with the ISO 27001 standard.
A detailed implementation plan should then be developed that identifies and describes the tasks required to make your ISMS fully compliant with the standard. This plan needs to be both thorough and specific, including the:
- information security documentation to be developed
- person or team responsible
- training required
- resources required
- approvals required (if you are going for third party certification)
- estimated completion date
Cetbix automatically generates your implementation plan for you if you have already activated that feature. You could also use your own local system to get this done.
The time required to get from a decision to implement to final certification depends on many factors. It is essential that the plan is neither rushed, nor so slow that energy and momentum are lost. You need a high-level implementation action plan, for a modest implementation.
STEP 8 Documentation Development
Congratulations - having purchased Cetbix license, you are provided with all documentations and forms digitally and manually which is going to be a lot easier that it might otherwise have been!
STEP 9 Documentation Development
Congratulations - having purchased Cetbix license, you are provided with all documentations and forms digitally and manually which is going to be a lot easier that it might otherwise have been!
Why is there no score or graph?
The Cetbix ISMS concept is that risk is zero if there are no threats or vulnerabilities, which means that nothing is shown on the graph.