News Article

10 Point ISO Action Plan for Implementing ISO 27001

10 Point ISO Action Plan for Implementing an ISO 27001 Information Security Management System (ISMS)

1. Management Commitment and Support.

There is a requirement for the motivation and direction for the management system to come from top management. They must be actively engaged in setting the direction of your ISMS and in ensuring that it is compatible with your organisation’s strategic direction. They must also own key aspects of the system, such as the policy and objectives. Success will come if management understands the reasons for implementing an ISMS and fully supports its design and operation.

2. Develop a Plan.

Success is even more likely if you develop a meaningful and realistic plan, measure performance against it, and are prepared to change it in the event of unforeseen circumstances.

3. Understand the Standard and your Stakeholders.

As with any project, to implement an ISMS you need to familiarise yourself with the standard. Understand the criteria that you must meet and the structure of the standard, and hence the structure of your ISMS and its associated documentation.

Having a clear understanding of why you are implementing the standard, as well as those who may impact or be impacted by your ISMS, will provide you with a clear insight into how your management system should be designed.

4. Management Processes.

Defining processes and ensuring top management’s understanding of these processes are critical to the effective implementation of your ISMS:

– Having a clear understanding of your market, stakeholders, risks, objectives and strategy will help you define and understand your context whilst helping to drive your ISMS and the ethos of continual improvement.

– Adequate resources (people, equipment, time and money) should be allocated to the development, implementation and monitoring of your ISMS. You must ensure that you have adequately trained and competent individuals within your organisation who fully understand and are committed to the ISMS.

– Internal audits verify that your management system is operating as intended, and they identify nonconformities and any opportunities for improvement.

– Management review provides the opportunity for top management to assess how well your management system is operating and supporting the business.

5. Define the Scope of your ISMS.

It is essential that the logical and geographical scope of your ISMS is accurately defined so that the boundaries of security responsibilities can be identified.

6. ISMS Policy.

Define your ISMS policy in terms of the characteristics of the business, the organisation, its location, assets and technology.

7. Risk Assessment and Risk Management.

Risk assessments are the foundation on which an ISMS is built. They provide the focus for the implementation of security controls and ensure that they are applied where they are most needed and most cost-effective.

The process should consider the threats and vulnerabilities and any opportunities associated with your assets and the impact of their exploitation. A SWOT analysis is a good way to analyse the potential risks for your business. Finally, you must determine the level of risk and identify the controls to be implemented to manage those risks.

8. Risk Treatment.

The risk assessment identifies risk levels, which are then compared to the acceptable level of risk determined by your organisation’s security policy. Once the risks that exceed that level have been determined, implement controls to mitigate them.
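The two steps above (score each risk from the likelihood and impact of a threat exploiting a vulnerability, compare the score against the organisation's accepted level, and then check that the planned controls bring the residual risk within that level) are illustrated by the following added example. It is not part of the original article or of ISO 27001 itself; the five-level scales, the risk appetite of 8, the control effects and the register entries are all constructed for illustration, and an organisation would substitute its own scales and thresholds.

```python
"""Toy ISO 27001-style risk register: score inherent risk, compare it with the
organisation's risk appetite, and check residual risk after treatment.
All scales, thresholds and sample entries are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed five-level qualitative scales (an organisation defines its own).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # steps down the likelihood scale
    impact_reduction: int = 0      # steps down the impact scale


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: List[Control] = field(default_factory=list)  # planned treatment


def inherent_score(risk: Risk) -> int:
    """Risk level before treatment: likelihood x impact on a 1..25 scale."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def residual_score(risk: Risk) -> int:
    """Risk level after the planned controls; each control steps a scale down, floored at 1."""
    like = LIKELIHOOD[risk.likelihood]
    imp = IMPACT[risk.impact]
    for control in risk.controls:
        like = max(1, like - control.likelihood_reduction)
        imp = max(1, imp - control.impact_reduction)
    return like * imp


def evaluate(risk: Risk, appetite: int) -> Dict[str, object]:
    """Compare one risk with the accepted level and decide its treatment status."""
    inherent = inherent_score(risk)
    residual = residual_score(risk)
    if inherent <= appetite:
        status = "accept"                    # already within appetite
    elif residual <= appetite:
        status = "treated"                   # planned controls bring it within appetite
    else:
        status = "needs further treatment"   # controls are insufficient
    return {"asset": risk.asset, "threat": risk.threat,
            "inherent": inherent, "residual": residual, "status": status}


def evaluate_register(register: List[Risk], appetite: int) -> List[Dict[str, object]]:
    """Evaluate every entry, highest inherent risk first, so treatment effort is prioritised."""
    return sorted((evaluate(r, appetite) for r in register),
                  key=lambda entry: entry["inherent"], reverse=True)


# Constructed sample register (assets, threats and controls are illustrative).
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware", "servers not patched promptly", "likely", "severe",
         [Control("patch management", likelihood_reduction=2),
          Control("offline backups", impact_reduction=2)]),
    Risk("staff laptops", "theft", "no full-disk encryption", "possible", "major",
         [Control("full-disk encryption", impact_reduction=3)]),
    Risk("office Wi-Fi", "eavesdropping", "shared pre-shared key", "unlikely", "minor"),
]
RISK_APPETITE = 8  # assumed policy: scores of 8 or below are acceptable

if __name__ == "__main__":
    for entry in evaluate_register(SAMPLE_REGISTER, RISK_APPETITE):
        print(f"{entry['asset']:18} {entry['threat']:14} "
              f"inherent={entry['inherent']:2} residual={entry['residual']:2} {entry['status']}")
```

Running the script lists the register in priority order: the database risk scores 20 inherently and 6 after patching and backups, the laptop risk drops from 12 to 3 with disk encryption, and the Wi-Fi risk at 4 is simply accepted. A residual score still above the appetite is flagged so the treatment plan is revisited rather than silently accepted.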

9. Gap Analysis. 

This assessor-delivered activity offers the opportunity to focus on critical, high-risk or weak areas of your system in order to create a certifiable system. It can also compare your existing management systems or procedures against the requirements of the ISO 27001 standard and show how they can be utilised to meet them.

10. Certification.

Certification is an external assessment of your ISMS to ensure that it meets the requirements of ISO 27001. It is typically a two-stage process consisting of a system appraisal and an initial assessment, the duration of which is dependent on the size, complexity and nature of your organisation.
