Chapter 20. How do you go About ISO 27001?

Once the board has recognized the need to deploy a structured information security management system, the steps to implementation are relatively straightforward. There are three preparatory steps that should be taken in every instance.

Preparation

The first is to obtain, and study, copies of both ISO 27001 and ISO/IEC 17799:2005. It is against these standards specifically that compliance will be measured and they, therefore, have precedence over any other guidance or commentary. Copies of the standards can be obtained from your national standards body or from www.itgovernance.co.uk (IT Governance Ltd is an authorized BSI international distributor).

The second is to obtain, and study, detailed guidance on how to take the project forward. The only currently available manual that fulfils this function is IT Governance: a Manager’s Guide to Data Security and BS7799/ISO17799, (3rd edition) which is available from www.itgovernance.co.uk, from Amazon, or from most good bookshops.

Thirdly, you need to determine whether or not your ISO 27001 system is to fit in with any other management system (e.g. ISO 9001) and take appropriate steps to map ISO 27001 components to your existing management system.

Initial planning

The first planning step is a scoping exercise, to determine exactly which parts of the organization should be within the scope of the ISMS, and which not. In larger, more complex organizations, there may be benefits in a staged approach to implementation. Scoping is usually the first part of the initial gap analysis.

Next, you need to carry out an initial Gap Analysis, to identify the gap between your existing information security system and the specification contained in ISO 27001. This initial gap analysis is carried out at a high level; its primary objective is to inform your ISO 27001 project plan.

The third planning step covers policy drafting, project planning and securing ongoing board commitment; without detailed planning and real board commitment, your project will not deliver the expected benefits and, ultimately, will fail.

Implementation

Once the board is committed, the key project stages are set out below (and are outlined in substantially more detail in Nine Steps to Success: an ISO 27001 Implementation Overview, available online from IT Governance).

  • A risk analysis and risk assessment, which (if appropriate) is integrated into any existing risk management frameworks or methodologies you may already have. A risk assessment is a systematic consideration of

    1. the business harm likely to result to each identified information asset from a range of specific, possible business failures and

    2. the realistic likelihood of each such failure occurring.

  • Identification of the treatment and controls which are appropriate for each of the identified risks (what ISO 27001 calls a Statement of Applicability).

  • Generation of the policies, procedures and work instructions that are necessary to document your ISMS, and their integration into any other management system you already have in place. This is the most time-consuming aspect of your ISO 27001 project and you should deploy pre-written policy, procedure and work instruction templates (for instance, the Complete BS7799 Documentation Toolkit, available as a download or on CD-ROM) to help you cost-effectively accelerate and fast track this process.

  • An operational implementation plan, to bring the infrastructure, processes and competences up to the required standard. This plan may contain a number of individual security improvement programs that tackle specific areas of weakness in greater depth.

  • A communication and training plan, to ensure that all users of the IT systems work within the improved information security environment; this should be effectively integrated into your existing HR and training framework and activities. Purchasing and deploying multiple copies of this book can substantially assist in the process of getting organization-wide understanding of the need for an ISMS and the consequent ‘buy in’ to the project.

  • An internal compliance audit program, to check that each control area has been effectively implemented, to identify and implement possible improvements, and to prepare for certification.

  • Selection of external certification organizations and actual certification.
