ISO/IEC 27001 is a global standard that provides guidelines for establishing, implementing, maintaining, and improving an Information Security Management System (ISMS). It does not provide a one-size-fits-all blueprint but rather a framework of required methods. Building an ISO/IEC 27001-compliant ISMS involves establishing management support, governance, policy, risk assessment, controls implementation, monitoring, review, and continuous improvement. Certification involves staged audits to assess the documentation and implementation of the ISMS.
1. ISO/IEC 27001
The road to protecting your information assets (and certification, of course…)
2. What ISO27001 is and what it is not
“A global standard providing a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).”
which means
ISO27001 sets out the required methods and guidelines to be followed when building and operating an ISMS, but it does not provide a copy-and-paste blueprint for what an ISMS looks like for your organisation.
3. Building blocks of an ISO27001-compliant ISMS
Management Support; ISMS Organisation; ISMS Governance
Establish the ISMS: ISMS Scope; ISMS Policy (and Procedures); Risk Assessment; Risk Treatment Options; Statement of Applicability
Implement and Operate: Implement Risk Treatment Plan; Awareness & Training Programme; Implement Controls; Manage Security Operations & Resources; Control Measurement; Incident Management
Monitor and Review: Monitoring and Reviewing ISMS Effectiveness; Measure Control Effectiveness; Review Risk Assessments; Management Reviews; Internal ISMS Audits
Maintain and Improve: Implement ISMS Improvements; Corrective and Preventative Actions; Change Management; Monitor Improvements Effectiveness
4. The journey…
[Timeline diagram] Phase 1: Scope, Design and Build → Phase 2: first cycle of Implement, Operate, Monitor and Improve → BAU: Operate, Monitor and Improve
The ISMS lifecycle is drawn as a Plan-Do-Check-Act cycle: Plan = Establish the ISMS; Do = Implement and Operate; Check = Monitor and Review; Act = Maintain and Improve
Milestones: ISMS scope & policy agreed → Implementation plan agreed → Implementation complete → First cycle of internal audits and management reviews completed → First cycle of ISMS improvements implemented → ISMS BAU → Certification confirmed
Certification track: Choose and engage Certification Body → Stage 1 Audit (the documentation check) → Stage 2 Audit (The Big One)
Timeline markers: Start, 3 mths, 6 mths, 9 mths, 12 mths, 18 mths
5. Certification audit overview
Stage 1 Audit
Inputs: Documented Information Security Management System; Legal, regulatory and contractual requirements
Outputs: ISMS design non-conformances; ISMS remediation plan; Stage 2 Audit Plan
Stage 2 Audit
• Do your people do what your ISMS documentation says they do?
• Have you implemented the necessary controls?
• Do your ISMS performance measures corroborate the effectiveness of your ISMS?
• Can you provide the evidence?
6. Our approach
[Timeline diagram: Phase 1 Scope, Design and Build; Phase 2 first cycle of Implement, Operate, Monitor and Improve; BAU Operate, Monitor and Improve]
We follow a two-phased approach, in line with the BSI's preferred method, to help clients implement an ISO27001-compliant ISMS. The objective of Phase 1 is to set up the scope and foundation elements of the ISMS, and to define the scope of activities for the next phase. Phase 1 includes:
• defining the ISMS scope and policy
• identifying the gap between ISO27001 and current processes and controls. Using or refining existing processes and controls to address these gaps will reduce the time and effort, but the design of new processes and controls may also be required
• identifying and determining the value of your information assets through workshops and 1-to-1 meetings with key staff and management
• assessing the threats, vulnerabilities and risks to your information assets, and determining the options for treating these risks
• preparing the ISO27001 Statement of Applicability on your behalf
• preparing the scope and programme of work for Phase 2, and providing input to further business cases if funding or internal/external resources are required for the implementation or operation of new or revised processes and controls
Our role in this phase of the engagement includes project management, facilitating, document writing and providing subject matter expertise. We can also liaise with the certification body on your behalf.
7. Our approach
Phase 2 consists of four work streams:
• Implement is largely defined by the gap analysis and risk assessment activities from the prior phase. Implementation will focus on integrating new and revised security processes and controls into your operational security environment, including training of personnel earmarked for operating these processes and controls. Our role in this work stream would be project management, facilitating integration and providing training.
• Operation is the normal day-to-day operation of information security management. This includes the management of information security resources, security incident management, as well as training and awareness. Our role in this work stream would be to provide support and hand-holding to staff responsible for running the ISMS.
• Monitor is the ongoing measurement and assessment of the effectiveness of security controls and of the ISMS itself. This includes activities such as assessing control KPIs, testing of control effectiveness, internal audit of the ISMS and management review. Our role in this work stream would be performing effectiveness reviews and internal audit of the ISMS on your behalf.
• Improve is about taking the outputs from the Monitor work stream and identifying and determining improvements that can be made to the ISMS and security controls. Our role here would be to help you design improvements and to integrate these improvements back into the operational ISMS.
8. Our approach
Once the integration of the ISMS processes and controls is complete, the ISMS becomes a Business-As-Usual (BAU) system, fully operated by your staff, continuously monitoring and improving information security within your business.
Our role from this point onwards would be to support the 'Plan-Do-Check-Act' cycle required for continuous improvement of the ISMS through providing resource and expertise for effectiveness reviews, performing the required internal audits of the ISMS, and providing advice and support for managing ISMS change on a 'call-off' basis.
9. Why choose us?
• We have proven skills in implementing, operating and improving Information Security Management Systems
• We have a Big-4 management consulting background
• We have the credentials: CISSP, CISM, CISA, ISO27001 Lead Implementer
• We have a broad background in security, IT, business, compliance and risk management
• We have a broad industry background
• We are looking to establish our consultancy as a market leader in Information Security compliance, so we will pull out all the stops to deliver compliance
• We are committed to high-quality delivery and to providing you with value-for-money services
• As a smaller-sized consultancy, we are able to provide very competitive rates and give your business the focus it demands
10. Points to consider
• Defining a manageable, business-relevant ISMS scope is key to success when establishing one from scratch. The scope can be expanded subsequent to certification
• Cost of certification is proportional to the size of the organisation within the scope of the ISMS, based on headcount (there is a standard for charging to which all CBs must adhere)
• All requirements of ISO27001 are mandatory for certification, and will be audited against
• Most certification bodies (BSI, Lloyds) have a 6 month waiting list for commencing, therefore they need to be engaged earlier rather than later
• The gap between the stage 1 and stage 2 audits is typically 12 weeks (3 months) to allow for a body of auditable evidence to build up
• Make sure the chosen certification body is United Kingdom Accreditation Service (UKAS) accredited, otherwise your certification may only be worth the paper it is written on
• Certification bodies are not allowed to do consulting; some do, but these CBs are unlikely to be UKAS accredited if they do so
• If you already have a management system such as ISO9001 in place, you may reuse some elements for ISO27001, e.g. document management and storage