Your organization has decided, or more likely has become obligated, to certify your ISMS to the ISO/IEC 27001:2013 Standard in order to comply with or satisfy a regulation in your industry. Without the certification, your organization will start to lose business opportunities.
First you need to understand what the ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — International Standard is, and what you need to accomplish along the journey to certification.
The ISO/IEC 27001:2013 (referred to as ISO 27001 for the purposes of this article series) is an international standard for launching, applying, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). ISO 27001 is an appropriate management standard for all sectors of industry and commerce and is not limited to electronic information on computers. A common misconception is that ISO 27001, and information security in general, are intended only to prevent hackers from gaining access to a computer or network.
On the contrary, the ISO 27001 Information Security Management System standard can be applied to any organization that deals with the security of information, whatever form that information takes. For example, a law firm handles a large amount of information, primarily confidential client information. As such, a law firm has a commitment to its clients to protect that information and ensure it remains confidential. By implementing ISO 27001 policies, procedures, and processes (controls) to attain the certification, the law firm can bolster its reputation and client confidence through validation from an independent third party and daily execution of best-practice techniques for the ISMS and risk management.
What is ISO 27002:2013?
The ISO 27001 standard sets out the mandatory requirements, such as policies, objectives, and guidelines, aimed at ensuring the security of information for a certified ISMS. ISO 27002 consists of a collection of best practices and recommended information security controls. The ISO 27002 standard is defined as a code of practice and set of guidelines from which organizations can choose the controls applicable to their ISMS, and organizations may also include additional controls not defined in ISO 27002. The ISO 27001 standard includes a summary list of the ISO 27002 controls, referred to as Annex A.
Now that you have a better understanding of the standards, how do you begin?
An intimidating factor for organizations is undergoing a major change that directly affects operational procedures, as pursuing ISO 27001 certification does. We want to help simplify the procedure for you with our suggested guidelines for organizing your strategy and executing a step-by-step method that you can customize as needed.
1. Introduce the Project to the Management Team
As the person responsible for information security within your organization, whether you are the CEO, owner, CTO, or information security officer, your first step should be to organize the management team and outline the support culture that will be required.
2. Define the Scope of your implementation
The next critical step is to determine the scope of your ISO 27001 implementation. Will the organization as a whole be in scope? Or will it be limited to a single department, branch, or even a project? The scope must include:
3. Involve your team
You can't do this alone. You need a support staff to effectively gather and process the risk information, and the more diverse its members are, the better it will be at avoiding group-think. Additionally, initiating the first round of discussions with employees at all levels, explaining the purpose and motivation behind your decision to pursue ISO 27001 certification, is an important step toward building a risk-aware culture. Involving all levels of management in this communication is crucial for reinforcing how important every employee's understanding and execution is to the overall effectiveness and compliance of the ISMS. We highly recommend performing information security profiling within your organization at this time.
You will gather excellent real-life information that will assist you in drafting the new ISMS Policy.
4. Draft your ISMS Policy
The Information Security Policy is a critical document: it sets the tone for management's organizational direction and provision for information security, with consideration for business objectives and requirements, laws, and government regulations.
5. Design the Risk Management Strategy
You choose what the risk management strategy for your organization will include, and you determine whether you will evaluate the risks associated with specific assets or evaluate the risks on their own, an approach newly permitted in the ISO 27001:2013 revision. Identify and select the mitigating controls you will use, such as those provided in ISO 27002 or another set of security controls your organization has chosen. You may also want to reference the ISO 27005 standard for ISMS risk management, or even the ISO 31000 standard for general risk management.
6. Perform GAP Analysis
The GAP analysis is designed to provide a high-level overview of where your organization stands when you begin the ISO 27001 certification process. Performing a GAP analysis against the ISO 27001 standard (and ISO 27002, if you are using it) establishes the baseline: you determine which controls have been implemented, which have not, and which are not applicable to your organization. The results of the GAP analysis of the ISO 27002 security controls can then be combined with the risk assessment to build the risk treatment plan.
ISO 27001 addresses the security of all information, whether it is printed, written, stored electronically, spoken, presented in video or audio, or sent via traditional mail or email. ISO 27001 ensures that information, no matter how it is transmitted, shared or stored, is always protected in an appropriate manner.
The second part of the series will follow this article soon. We will also be holding a live 30-minute webcast to further explain this strategy. Visit our website for more details.