The ISO/IEC 27001:2013 Standard introduces a process approach for integrating structures that strengthen an organization’s ISMS, reducing the risks to its information assets. This approach covers the adoption and implementation of systems of processes within your organization, including the identification of those processes, their interactions, and their management.
The third phase of the Strategy for ISO/IEC 27001:2013 Certification is the implementation, operation, and monitoring of the policies and procedures used to reduce business risk, as defined by the ISO 27001 security standard. There may also be specific procedures, standards, and policies unique to your organization in addition to those of ISO 27001. Be certain to clearly define and justify the purposes of the implementation, as they are generally specific to the organization and the auditor will need to understand why.
11. Cultivating a Risk-aware Culture
The International Standards framework is very clear on the expectations of an organization’s risk-aware culture, and in order to pass the certification process for ISO 27001, the organization must establish a visible environment and culture that cultivates risk awareness.
We define it as a foundation of values, knowledge, beliefs, understanding and communication of the risks associated with the organization’s objectives and with the assets necessary to achieve those objectives. We believe that you and your team should plan your strategy for implementation with staff in mind. Eliminating any resistance at the beginning and providing a clear vision will increase your efficiency and effectiveness for ISMS implementation.
Risk awareness may also be defined as the capability of the organization to recognize risks before they threaten, mitigate them when they arise, and recover from the damage they may cause. Creating a risk-aware culture means that this capability is present throughout the organization and is woven into the normal routines, rituals, and behaviors of all those involved.
Every step that follows, and all the work that has been completed up to this point, will be wasted if training and awareness programs aren’t established to support the implementation and ultimately the risk-aware culture. All levels of the organization have to be involved. Every employee needs to understand what is expected of them individually, as well as commit to the success of the implementation.
Three key points to keep in mind when cultivating a risk-aware culture in your organization:
12. Implement the controls and procedures
Your task here is to apply all of the knowledge you have gained about your organization’s ISMS risk management. The controls and procedures you need to implement are both the mandatory compliance requirements of the ISO 27001 standard and all the other mitigating controls you have chosen to implement based on the Risk Treatment. You may encounter resistance from all levels of the organization, as the implementation of new controls and new procedures may require behavior changes from many employees. The better prepared you have made everyone through the training and awareness stage, the higher the success rate of the implementation will be.
We have outlined a few of the policies and procedures you will need in order to comply with ISO 27001:
13. Make the ISMS routine
The basic principle of the ISO 27001 implementation is to make the changes and adjustments a streamlined part of the everyday routines. All of the implemented controls and procedures need to operate seamlessly within the business. If your employees are hindered or interrupted by the new protocols, then the business will be affected negatively. Recording everyday activities through audit logs, incident tracking and similar records will give you the evidence that employees are routinely executing the required procedures. The auditors will also expect such evidence for the implemented controls in order to validate the implementation for ISO 27001 certification.
14. Monitor and review
Monitoring and reviewing the organization’s ISMS includes action items such as internal audits and control measurement. By doing this effectively, organizations can reassure themselves that their ISMS is in fact serving its objectives.
You have to be able to assess and measure each control as it is implemented and operated on a daily basis. Understanding the baseline before the implementation and routinely analyzing success or failure against it is the only way to know how your organization is progressing.
How do I do that?
By monitoring the effectiveness and maturity of controls, addressing incidents, and ensuring that the policies in place are in fact improving the overall operations of the organization. Further, residual risk should be assessed, and additional controls or measures implemented as needed.
We use a Control Maturity and Effectiveness Assessment (CMEA) in RM Studio that makes this process simple and productive. The CMEA improves the quality of the internal audit process as well as the overall impact of each implemented control. By combining the CMEA with the Risk Treatment, RM Studio provides you with a centralized collection of numerous aspects of data and allows you to design corrective and preventive actions accordingly.
15. Internal auditing – Maintain and improve
Internal auditing is the follow-up to the previous tasks and will provide a clear understanding of the continuous improvement required. It may seem a nuisance or intrusion to the employees being audited, but this critical step is necessary to discover whether someone is unknowingly or deliberately doing something incorrectly. The ISO 27001 standard describes such findings as non-conformities, and it requires that corrective and preventive actions be taken to continuously improve the ISMS based on them. Which corrective and preventive actions to execute will most likely be the management team’s decision.
16. Management review
In order to make the most informed decision, the management team will need to review the data collected over the months of the project. The presentation of the findings from the Risk Assessment and of the effectiveness of the control implementations needs to be informative and easily digestible.
Impact and progress reports highlighting the discoveries that need more attention or resources will be beneficial. RM Studio uses a number of reports that dissect and collate the data into easy-to-follow descriptions of the findings. The reports give the management team the ability to confidently make decisions about the corrective and preventive actions necessary.
When you reach this stage of the implementation, periodically return to the first step and repeat the process. This ensures continuous improvement of the ISMS and keeps the organization aware of how effective its information security is.
The last article of our four-part series will follow this article next week. We will also be performing a live 30-minute webcast to continue explaining this strategy. Visit our website for more details.