Damco iso 27001


ISO 27001

Agenda

What is ISO 27001

The PDCA Model

Steps to achieve ISO 27001 Certification

PDCA Model

The "Plan-Do-Check-Act" (PDCA) model applies at different levels throughout the ISMS (cycles within cycles).

The diagram illustrates how an ISMS takes as input the information security requirements and expectations and through the PDCA cycle produces managed information security outcomes that satisfy those requirements and expectations

[Diagram: the PDCA cycle (Plan, Do, Check, Act). Input: information security requirements and expectations. Output: managed information security.]

Plan (establish the ISMS)

Establish the ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security, to deliver results in accordance with the organization's overall policies and objectives.

Do (implement and operate the ISMS)

Implement and operate the ISMS policy, controls, processes and procedures.

Check (monitor and review the ISMS)

Assess and, where applicable, measure process performance against the ISMS policy, objectives and practical experience, and report the results to management for review.

Act (maintain and improve the ISMS)

Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

10 Steps to Achieve ISO 27001

Step 1: Decision

Senior management need to be behind the decision to pursue ISO 27001 certification. There is definite value in communicating this internally; it reinforces the company's aspiration to pursue best practice.

What is needed? A concise and positive briefing to senior management outlining the benefits and how certification provides a platform for business growth.

Step 2: ISO Management Representative

The company appoints a responsible and knowledgeable manager to run the programme and its implementation. This person becomes the company's ISO 27001 specialist, understanding the controls and milestones needed for accreditation.

What is needed? Selection of the right individual with a specific job description and knowledge of ISO and ISMS requirements

Step 3: Gap Analysis and Risk Assessment

A gap analysis and a risk assessment are conducted to find out what can go wrong and which threats endanger the confidentiality, integrity and availability of information. This establishes the maturity of the existing controls within the business and determines its risk profile.

What is needed? A gap analysis, followed by a risk assessment of all in-scope people, processes and technology, performed by a qualified auditor, giving an understanding of the maturity of controls and the risk profile.

Step 4: Scope & Implementation Plan

Reviewing the output of the gap analysis allows the business to validate the scope of the implementation and its functional/operational boundaries. For each risk identified, appropriate controls are selected to manage the risk in a systematic way, ensuring nothing important is missed. Key milestones, time requirements and dates for any pre-assessment and staged audits are set.

What is needed? A concise step-by-step guide that explains the ISO 27001 process in sufficient detail.

Step 5: Employee Introduction

It is important to engage with employees from the beginning so that they buy in to the ISO 27001 certification process and respond appropriately, and so that they understand the individual, company and client benefits.

What is needed? A short, easy-to-understand ISO 27001 and security introduction briefing that focuses on how employees are affected and on their role in a successful implementation.

Step 6: Documentation, documentation, documentation!

ISO 27001 certification requires extensive documentation addressing all relevant milestones and individual controls. This documentation forms the criteria against which the company is measured to meet the standard.

What is needed? A set of policies, standards and procedures that ensure the business adheres to all requirements in an efficient and achievable manner.

Step 7: Realisation

With the gap analysis, scope and documentation ready, it is time to put the new processes into business as usual throughout the company and start realising the benefits of ISO 27001. At this stage it is beneficial to conduct a pre-assessment to confirm the company is on the right track and to validate the evidence.

What is needed? Pre-assessment forms, checklists and the gathering of evidence. Communication to staff about the revised processes, the need to adopt them fully, and how to report back on what isn't working.

Step 8: Internal ISO 27001 Audits

ISO 27001 requires an internal audit to assess where the company stands against the milestones and the implementation phase. An auditor completes documentation assessing the risks, noting controls and remediation, and highlighting the improvements required.

What is needed? An experienced internal or external auditor, and audit tools including forms, complete audit checklists and audit reports.

Step 9: ISO 27001 Certification

The most important step is to pass the ISO 27001 certification audit. An independent assessor issues a certificate stating that the business meets the ISO 27001 controls and requirements. The appointed internal representative needs to be confident in the process they have followed and consider how best to interact with the assessor.

What is needed? Employee preparation for the ISO 27001 certification audit, including the questions that may be asked and the areas the audit will focus on. An independent assessor from a reputable certification body.

Step 10: Maintaining the ISO 27001 Certification

It is important to keep the ISO management system working by integrating it into daily operations. The business should focus on continual improvement.

What is needed? A reinforcement message to employees. A focus on maintaining the standards through an internal champion. Treat the ISMS as an integral component of the business processes and not as a one-off project.

Questions & Answers