So you have decided to implement ISO 27001 (perhaps you read this blog), but how do you do it? Well here is our simple 20-step ISO 27001 implementation checklist.
  1. Leadership commitment. Yes, information security and ISO 27001 start at the top. No surprise there. Leadership needs to be involved and they need to define the information security policy and risk appetite, establish information security objectives in alignment with the strategic direction of the organisation, ensure integration into processes, provide the necessary resources, communicate and promote continual improvement. Of course, they also need to provide the resources needed to establish and run the implementation project (see 9). So plenty to do for top management.
  2. Nominate a sponsor / management representative from top management (or someone nominated by top management) who will support the implementation on a daily basis. It should be someone with authority, management experience, direct access to top management and the ability to balance business needs with security issues.
  3. Nominate a project manager. To get the best result you should treat this as a project, and it needs someone who is focused on developing plans and driving the implementation. This can either be someone internal to the organisation who perhaps already has a lot of ISO 27001 experience coupled with excellent project management skills, or it could be an external consultant.
  4. Find a good external consultant. No checklist would be complete without this, but seriously, this can add so much value if you get someone who is of course an expert in the ISO 27001 standard but who also understands your kind of business and can review and challenge your set ways of doing things.
  5. Define scope/context. This is an important step to begin early in the project, where you need to define the boundaries of your information security management system (ISMS). Will the ISMS cover all or parts of your organisation/services/processes? What context does the organisation operate within? What are the needs and expectations of interested parties – staff, shareholders, customers, suppliers, sub-contractors? Sometimes obtaining the help of a legal expert might be prudent to understand any legal requirements. This is also where you need to list any exclusions that might be relevant.
  6. Select certification body (if you are aiming for external certification; otherwise skip this step).
  7. Create awareness in the organisation. Implementing ISO 27001 in your organisation is about implementing change, and one extremely important aspect of any such project is to make sure you are managing that change. Information security is a mixture of various parameters such as product, policies, risk, process and PEOPLE. In fact I would argue that people are the most critical element for information security. From this perspective, involvement of the employees in the project is extremely important, not only because of change management but also, perhaps more importantly, because these are the real experts in the organisation's processes and they have the knowledge you need to improve those processes. See blog.
  8. Perform gap analysis. I have put this step as number 8 but in reality you would sometimes do this earlier. This will give you a good understanding of what you already have in place that can be used, what is currently in place but probably needs updating, and what is not in place and needs to be defined and implemented. This is often an area where you would use external consulting.
  9. Prepare implementation project plan. A typical plan could, at a high level, look like this, but the plan you make would have far more detail around tasks, time and resources.
  10. Estimate cost. Until you have performed your risk assessment and decided on your risk treatment plan it is difficult to produce a precise budget. However, a certain level of budgeting is possible at this stage and would provide a relatively good overall number consisting of things like project management, external consultant, training, risk assessment, documentation, certification body (CB), potential controls, etc. See this blog and this one.
  11. Information Security Policy. This has to be created and documented.
  12. Risk Assessment & Risk Mitigation. If you already have an established risk assessment methodology then use that, or define and agree a new methodology. It is important that your methodology works for you and produces reliable and repeatable results. You will need to have all your assets listed and to decide what your risk appetite is. Leading from this is your risk treatment plan, which defines what controls you will implement to mitigate your risk.
  13. Create your Statement of Applicability. Which controls are in and which are out, with justification.
  14. Write the necessary documentation (policies, procedures, controls, etc.).
  15. Implement the plan (controls and procedures). Now that you have everything defined and documented, it needs to be implemented. This would be a mix of training employees, physical controls and installing software/hardware. Again, this might be just one item on the checklist but it is not to be underestimated. This is about CHANGE and PEOPLE, which is always an interesting combination. If you did not read this before, here is another chance.
  16. “Run” the system. Now the system just has to operate and produce evidence that it is running and performing as expected. If you are aiming to obtain external certification it is important that ALL parts of the system are running and records are kept.
  17. Internal audits. You need to establish and run internal audits. Some organisations would set this up internally and some would use an external consultant to help run the internal audit.
  18. Monitor & Measure. You need to review all the output from the system and determine whether your metrics are meeting your stated objectives (errors, breaches, incidents, performance of security activities, security indicators, effectiveness of breach resolutions, control effectiveness, risk assessment review, etc.).
  19. Management review. Top management shall regularly review the ISMS, looking at various system outputs such as relevant changes in external and internal issues, audit results, trends in security incidents, objectives vs targets, risk assessment, feedback from interested parties, etc.
  20. Make changes and improvements. It is all about continual improvement.
  21. GOTO 11.