Workflows, Processes, Policies & Continuous Improvement

We have already covered the first two steps of ISO 27001 certification in previous blog posts (Risk Assessment and Business Continuity Management). Now it’s time to close the trilogy with the third step: implementing workflows, processes and policies, and continually improving them.

The ISO/IEC 27001 standard takes a process approach to establishing, operating, monitoring and improving an organization’s ISMS (the Plan-Do-Check-Act cycle, which the four tasks below follow). This approach covers the adoption of a system of processes within your organization, together with the identification, interaction and management of those processes.

1. Establish an ISMS

The first task, within the process approach, is to define and document the information security policy and its objectives. The information security policy (here you can see Stiki's Security Policy) is usually written by upper management and is the foundation of an ISMS. It helps employees understand their responsibilities with regard to information security, and it sets out unacceptable activities, the acceptable use of company resources, and similar matters. In addition to the information security policy, supporting policies need to be developed, for example an access control policy, an encryption policy, a clean desk policy and a data exchange policy.

2. Implement and operate

The next task is the implementation and operation of the policy, controls, processes and procedures used to manage and reduce overall business risk. Controls are drawn from the security standards ISO 27001 and ISO 27002: ISO 27001 specifies the requirements for establishing an ISMS and lists (in its Annex A) the controls that must be selected or justifiably excluded, while ISO 27002 gives implementation guidance for those controls. Beyond these, the business or institution in question will have its own processes and standard operating procedures. These need to be defined and implemented as well, since they are specific to the organization. In practice this is done through effective meetings, third party consulting and putting in place a control tracking mechanism.

3. Monitor and review

The third task is the monitoring and reviewing of the organization’s ISMS. This includes action items such as internal audits and the measurement of control effectiveness. By doing this effectively, organizations can assure themselves that their ISMS is in fact meeting its objectives.

4. Maintain and improve

The fourth task is ensuring continual improvement. Based on the results from task three, corrective and preventive actions should be taken to continually improve the information security management system. This includes monitoring the effectiveness and maturity of controls, addressing incidents, and ensuring that the policies in place are in fact improving the overall operations of the organization. Further, the level and presence of residual risk should be reassessed, and controls or measures implemented as needed.

When all four tasks have been completed, organizations should go back to the first step, establishing the ISMS, and start the cycle again. This ensures continual improvement of the ISMS and keeps the organization aware of how effective its information security actually is.

This concludes our guide towards ISO 27001 certification, but it should be noted that these three articles are only meant as guidelines and are in no way comprehensive. Many other factors need to be in place in order to qualify for ISO 27001 certification. It is our goal that these posts serve as a launching pad for your organization to move towards ISO 27001 certification.

RM Studio, Simplifying Risk Management

Comments

0 #1 isoconsultantgmg 2012-04-28 08:49
Nice post, thanks for the information.


BRC Global Standard || ISO 27001 Certification || Six Sigma
