Implementing ISO 27001
An ISMS is specific to the organisation that implements it, so no two ISO 27001 projects are the same. Getting ready for certification can take anything from three months to a year, depending on numerous factors specific to the organisation.
Although there is no typical ISO 27001 implementation project, most will follow this pattern, or something very similar:
- A gap analysis, which determines how far short of the Standard’s requirements your current processes fall.
- A risk assessment, which identifies the risks and/or assets relevant to information security, then estimates and evaluates those risks.
- The identification and selection of suitable controls in order to develop an appropriate risk response plan.
- Preparation of a risk treatment plan and a Statement of Applicability.
- Development of management system documentation, including relevant policies and procedures.
- Performance evaluation and preparation for an internal audit, which determines the extent to which your new procedures are successful.
- Development of relevant documented processes and related procedures for non-conformity, corrective action and continual improvement.
- Preparation for the certification audit.
- Surveillance, continual improvement and maintenance of your ISMS.
What is an Information Security Management System (ISMS)?
An ISMS is “a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation’s information security to achieve business objectives” (ISO/IEC 27000:2016).
It encompasses people, processes and technology, recognising that information security is not just about antivirus software, implementing the latest firewall or locking down your laptops or web servers. Technology alone is simply too weak to defend against the evolving nature of information security threats.
The overall approach to information security should be strategic as well as operational, and different security initiatives should be prioritised, integrated and cross-referenced to ensure overall effectiveness.
An ISO 27001-aligned ISMS helps you coordinate all your security efforts (both electronic and physical) coherently, consistently and cost-effectively.
ISO 27001 & The Cyber Essentials scheme
The Cyber Essentials scheme is a key deliverable of the UK government’s National Cyber Security Strategy, and was released on 7 April 2014. It aims to provide reassurances about cyber risk management to UK-based organisations, clients and partners, and to ensure that risk management practices have been independently tested and verified, where relevant.
The scheme provides a set of controls based on ISO 27001 that organisations can implement to achieve a basic level of cyber security.
Organisations can attain certification to two levels: Cyber Essentials and Cyber Essentials Plus. Certified compliance with the scheme will be required in certain government procurement contracts.
Contact Acumen Concept Services
If you require any further information on implementing ISO 27001 please feel free to contact Acumen Concept Services today.