How to Implement ISO 27001 in your organisation

The latest version of the standard didn’t experience any drastic changes within the 10 clauses of the ISO 27001 standard. However, there have been radical changes when it comes to the controls available in Annex A of the standard. This is exactly what I have been explaining.

Moving forward, let me explain a little bit more about the process that you will need to go through when implementing an information security management system based on ISO 27001. Then I will explain the process of a certification audit and finally, I will explain what you need to do to maintain your ISO certification.

When it comes to implementing an ISO 27001 information security management system, the first thing that you want to do would be to choose the implementation team. In smaller organisation this might be the managing director, however, in larger organisations, typically there will be the IT manager and possibly a DPO (Data Protection Officer) which, as you might know, is a requirement for organisations to be given GDPR.

After choosing the implementation team; i.e. the people who will be involved in the implementation process, the second thing that must be done would be to make sure that these people are trained on the proper meaning of what ISO 27001 certification is. I believe that training is extremely important because if people do not have the required knowledge and experience of what ISO 27001 is, then, unfortunately, you will be creating overly bureaucratic procedures that will then hinder the way in which you operate as a business. Knowing which clauses and which requirements of the standard apply to your organisation is critical and, in my opinion, that is why the services of an experienced consultant are extremely useful.

An experienced consultant, such as myself, will guide you on which policies and procedures are absolutely necessary within your organisation and which other procedures you can do without to make sure that you remain with a lean management system while at the same time protecting the information security within your organisation.

When implementing an ISO 27001 information security management system within your organisation, the next thing to accomplish is to set the boundaries for a certification. When setting the boundaries for certification, we must simply set the scope for certification and this relates to identifying the key elements within your organisation that will be included within the scope of certification. Remember that you don’t need to include all the elements of your organisation within the scope of certification and that is effectively what you will need to do at this third step; identify the scope of certification and what will apply to your organisation.

Following the boundaries, you must then create the information security manual. This manual is not an actual requirement of the standard, however, from my experience, it’s better if we create this manual because it can be saved as a consolidation document to make sure that all the relevant information is actually saved in its relative place. In the information security manual we are able to add information; for example, the needs and expectations of interested parties, we are able to define the scope of certification for the management system, we are able to define the information security objectives, we are able to do the necessary analysis and have a place where to put it.

As you can see, we can either have random, sporadic documents with limited information or else collect all this information within one document, which in this case would be the information security manual. Once the manual has been created and we have a clear understanding of what the boundaries for certification are, we would have clearly understood what is being considered in our information security management system. The next thing that we will need to do is to do a risk management exercise as per Annex A of ISO 27001.

As explained earlier, there are 93 controls in Annex A. For each control, we will need to define the risks associated with that particular control, we need to prioritise that risk. If the risk is high enough that deserves our attention, then we’re going to go ahead and define the mitigation actions that are require to mitigate those risks. We will then assign a risk owner, and create a deadline by when the person will implement the relative changes that are needed for the management system and then perform again the prioritisation exercise for our risks. This will ensure that the risks associated with each of the controls have been reduced after the mitigation activities have been finished.

Once Annex A and all of its controls have been considered, then we can move on to creating the supporting system. For example, the competence of people whereby we need to have a training plan and records to make sure that everyone within the organisation is aware and has the right knowledge about what an information security system is. We need to have a plan for maintenance and we need to have maintenance records for elements or equipment that might have an impact on the management system. We need to consider the incident management processes so all of these elements are within the supporting system and are analogous and similar to other ISO management systems.

If your organisation is already certified for some other standard, say ISO 9001, it will be a good idea to integrate the supporting system that you have for ISO 9001 with the supporting system of ISO 27001. This will enable you to have a seamless integration of both standards and thus, avoid having redundant work. As you might know, if you’ve been following me for a while, you may know that I am a firm believer that ISO management systems are not there to increase bureaucracy but rather to reduce bureaucracy. Therefore, this element is extremely important whereby if we can have one system to cater for both ISO management systems, that will be the best case scenario.

The next elements that we will consider when implementing a management system is to do the system deployment. Realise that whilst we are implementing the management system, we might come up with a few other meaningful changes that will have a benefit to the organisation. Then we’ll need to implement them within the organisation. This is the step where more training is needed, this time not only to the implementation team but also to other people within your organisation.

The sequential step involves the internal audit. When it comes to ISO standards, there is a saying that states you have to say what you do and do what you say. So in the first seven steps, you will effectively be portraying how you operate as a company, and the internal auditor will be documenting these procedures to make sure that they are in line with the management system. The auditor will then advise you to make certain tweaks. This is done so as to improve efficiency but also to meet the requirements of the relevance standards that are being implemented.

The next thing following the completion of the internal audit is to do a management review meeting. In short this is referred to as MRM and defined in the standard itself. Once this is done, you will need to work with a certification body to give you the actual ISO certification. When it comes to choosing a certification body the first part that you will need to do will be to go through the commercial process of getting numerous quotes from different certification bodies. After carefully choosing a relevant and accredited certification body, the technical process for the external audit will begin.

It’s critical to make sure that you are working with an accredited certification body. If you’d like to have a list of accredited certification bodies, please feel free to get in touch. I would love to put you in touch with some certification bodies that offer a good service for a reasonable price.

The technical process basically revolves around doing a stage one audit, involving the comparison of your documentation with the requirements of the standard, and then a stage two audit, where your documentation will be compared with what you are doing in practice. After that has been done then you will be able to get your certification. Finally, once you are certified, every year each ISO-certified company will have to do an internal audit a management review and host the certification body for a surveillance audit.

I hope that you found this presentation about ISO 27001 useful and if you have any questions please let me know, I would love to help you succeed and keep in mind that information security is constantly changing and therefore it’s very important to have such a management system within your organisation!

Once again, if you need any further questions or help when it comes to implementing ISO 27001 within your organisation I would love to help you succeed, thank you and goodbye for now.

WANT TO DISCOVER MORE IMPLEMENTING ISO 27001 INFORMATION SECURITY MANAGEMENT SYSTEM?

As an ISO management system consultant Luke Desira will make it his personal mission to put your company in a class above all others!

If you are on the hunt on information on how to get certified, have a look at this guide on how to get ISO certified with Luke Desira, and find out about the 10 pitfalls that you may encounter when implementing ISO in your organisation. Make sure to reach out to him to discover whether there are any funding opportunities o help you get certified for ISO 27001 Information Security Management System.

Don’t forget to follow us on our Facebook and LinkedIn profiles, and subscribe to our Youtube Channel for more great content.