ISO 27001 (formerly known as ISO/IEC 27001:2005) is a set of specifications that helps you to assess the risks found in your information security management system (ISMS). Implementing it helps to ensure that risks are identified, assessed and managed in a cost-effective way. In addition, undergoing this process enables your company to demonstrate its compliance with industry standards. With this set of controls, you can make sure that your security objectives are achieved, but just how do you go about making it happen? That is where a step-by-step ISO 27001 checklist can be one of the most valuable tools for meeting your company’s needs.
- Make Your Case To Management
Meeting ISO 27001 standards is not a job for the faint of heart. It involves time, money and human resources. In order for these elements to be put in place, it is crucial that the company’s management team is fully on board. As one of the main stakeholders in the process, it is in your best interest to stress to the leadership in your organization that ISO 27001 compliance is a vital and complex project that involves many moving parts. Its successful completion can lead to enhanced security and communication, streamlined procedures, satisfied customers and potential cost savings. Introducing the ISO 27001 standard in this way gives your managers a chance to see its advantages and the many ways it can benefit everyone involved.
- Determine The Scope Of The Assessment
Depending on the size of your organization, you may not wish to do an ISO 27001 assessment on every aspect. During this stage of your checklist process, you should determine what areas represent the highest potential for risk so that you can address your most immediate needs above all others. As you consider your scope, keep in mind the following requirements:
- Internal and external systems that may represent risks;
- Vendors and other third parties whose systems and equipment may place yours in jeopardy;
- Any other outside systems with which you interface or on which your infrastructure is dependent.
It is also often helpful to include a floor plan and organizational chart. This is particularly true if you plan to work with a certification auditor at some point. In a nutshell, your understanding of the scope of your ISO 27001 assessment will help you to prepare the way as you implement measures to identify, assess and mitigate risk factors.
- Write An Information Security Policy
This is one of the most important pieces of documentation that you will be creating during the ISO 27001 process. While it is not a detailed description, it functions as a general guide that details the goals that your management team wants to achieve.
- Define Your Risk Assessment Methodology
Now that your general game plan is established, you can get down to brass tacks: the rules that you will follow as you examine your company’s assets and the risks and vulnerabilities that could impact them. Using these rules, you will be able to prioritize the importance of each element in your scope and determine what level of risk is acceptable for each. Those that pose an unacceptable level of risk will need to be dealt with first. In the end, your team might elect to correct the situation itself or via a third party, transfer the risk to another entity such as an insurance company, or tolerate the situation.
- Perform The Risk Assessment
Using the rules and protocols that you established during the previous step on your checklist, you can now carry out a system-wide assessment of all of the risks contained in your hardware, software, internal and external networks, interfaces, protocols and end users. Once you have gained this awareness, you are ready to decrease the severity of unacceptable risks via a risk treatment strategy. Upon completion of your risk mitigation efforts, you must write a Risk Assessment Report that chronicles all of the actions and steps involved in your assessments and treatments. It must also list any residual risks that remain after treatment.
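The methodology and assessment steps above describe a scoring rule, an acceptance threshold, a choice of treatment (correct, transfer or tolerate) and a residual-risk list. The following is an added worked example of such a register, written for this article rather than taken from it or from the ISO 27001 standard: the 1 to 5 likelihood and impact scales, the threshold of 8, the treatment names and the sample assets are all constructed assumptions, since ISO 27001 leaves the scale and threshold to the organization.

```python
"""Minimal risk register: likelihood x impact scoring, an acceptance
threshold, a treatment decision per risk and the residual risks that
must be reported afterwards. Added illustration; scales and data are
constructed assumptions, not prescribed by ISO 27001."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed ordinal scales (1 = rare/negligible .. 5 = almost certain/severe).
SCALE_MIN, SCALE_MAX = 1, 5
# Constructed acceptance threshold: a score above this is unacceptable.
ACCEPTABLE_RISK = 8
# The three options the article names: correct it, transfer it, tolerate it.
TREATMENTS = ("modify", "transfer", "retain")


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    treatment: str = "retain"
    control: str = ""                         # chosen control, if any
    residual_likelihood: Optional[int] = None # estimate after treatment
    residual_impact: Optional[int] = None

    @property
    def score(self) -> int:
        """Inherent risk before any treatment."""
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        """Risk left after treatment; unchanged fields fall back to inherent values."""
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        im = self.impact if self.residual_impact is None else self.residual_impact
        return lk * im


def validate(risk: Risk) -> None:
    """Reject entries outside the agreed scales or using an unknown treatment."""
    for value in (risk.likelihood, risk.impact, risk.residual_likelihood, risk.residual_impact):
        if value is not None and not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{risk.asset}: value {value} outside {SCALE_MIN}..{SCALE_MAX}")
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"{risk.asset}: unknown treatment {risk.treatment!r}")


def prioritise(register: List[Risk]) -> List[Risk]:
    """Order the register by inherent score, highest first (stable for ties)."""
    for risk in register:
        validate(risk)
    return sorted(register, key=lambda r: r.score, reverse=True)


def unacceptable(register: List[Risk], threshold: int = ACCEPTABLE_RISK) -> List[Risk]:
    """Risks that must be treated first, in priority order."""
    return [r for r in prioritise(register) if r.score > threshold]


def residual_risks(register: List[Risk], threshold: int = ACCEPTABLE_RISK) -> List[Risk]:
    """Risks still above the threshold after treatment; these go in the report."""
    return [r for r in register if r.residual_score > threshold]


def summary(register: List[Risk], threshold: int = ACCEPTABLE_RISK) -> dict:
    """Figures for the Risk Assessment Report."""
    return {
        "total": len(register),
        "unacceptable_before": len(unacceptable(register, threshold)),
        "unacceptable_after": len(residual_risks(register, threshold)),
        "residual": [(r.asset, r.threat, r.residual_score) for r in residual_risks(register, threshold)],
    }


# Constructed sample register (hypothetical assets and estimates).
SAMPLE_REGISTER = [
    Risk("customer database", "injection via web application", 4, 5,
         "modify", "input validation and code review", residual_likelihood=1),
    Risk("laptops", "theft of unencrypted device", 3, 4,
         "modify", "full-disk encryption", residual_impact=1),
    Risk("payment processing", "third-party provider outage", 2, 5,
         "transfer", "contractual SLA and insurance", residual_impact=3),
    Risk("office printers", "misrouted internal memo", 3, 1, "retain"),
    Risk("backup tapes", "unencrypted offsite transport", 2, 5, "retain"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.score:>3} -> {r.residual_score:>3}  {r.asset}: {r.threat} [{r.treatment}]")
    print(summary(SAMPLE_REGISTER))
```

Running the block prints the register in priority order and a summary showing that four of the five risks start above the threshold and one (the retained backup-tape risk) remains there, which is exactly the item a Risk Assessment Report must carry forward as residual risk.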
- Write Your Statement of Applicability (SOA)
The ISO 27001 standard’s Annex A contains a list of 114 security measures that you can implement. While it is not comprehensive, it usually contains all you will need, and most companies do not need to use every control on the list. The SOA details why you are choosing to use specific controls as well as your reasons for excluding others. Finally, it clearly indicates which controls are already being implemented, supporting this claim with documents, descriptions of procedures and policy, etc.
- Complete Your Risk Treatment Plan
This document takes the controls you have decided upon in your SOA and specifies how they will be implemented. It answers questions such as what resources will be tapped, what the deadlines are, what the costs are and which budget will be used to pay them.
- Define Measurement Outcomes
You may know what controls need to be implemented, but how will you be able to tell if the steps you have taken were effective? During this step in the process, you answer this question by defining quantifiable ways to assess each of your security controls.
- Implement Controls and Procedures
The following is a list of mandatory documents that you must complete in order to be in compliance with ISO 27001:
- Scope of the ISMS
- Information security policies and objectives
- Risk assessment and risk treatment methodology
- Statement of Applicability
- Risk treatment plan
- Risk assessment report
- Definition of security roles and responsibilities
- Inventory of assets
- Acceptable use of assets
- Access control policy
- IT management operating procedures
- Secure system engineering principles
- Supplier security policy
- Incident management protocols
- Business continuity procedures
- Statutory, regulatory and contractual requirements.
In addition, you are expected to provide the following records:
- Records of skills, experience, qualifications and training
- Results of monitoring and measuring
- Results of internal audits
- Results of management review
- Results of corrective actions
- Logs of user activities, security events and exceptions.
Other documentation you might want to add could focus on internal audits, corrective actions, bring your own device and mobile policies and password protection, among others. ISO 27001 furnishes you with a lot of leeway as to how you order your documentation to address the necessary controls. Take sufficient time to determine how your unique company size and needs will determine your actions in this regard.
- Train Your Stakeholders
Without staff understanding and buy-in, your new policies and procedures are useless. Therefore, it is important that you give them the information, training and awareness that they need. Hopefully, this is something that you have already built into your projected budget.
- Operate and Monitor Your ISMS
After all of that hard work, the time has come to set your new security infrastructure into motion. Ongoing record-keeping is key and will be an invaluable tool when internal or external audit time rolls around. Use human and automated monitoring tools to keep track of any incidents that occur and to gauge the effectiveness of procedures over time. If your objectives are not being achieved, you must take corrective action immediately.
- Conduct an Internal Audit
On a regular basis, you should perform an internal audit whose results are restricted only to your staff. Experts generally recommend that this takes place once a year but with no more than three years between audits. It is the best way to assess your progress in relation to objectives and make modifications if necessary.
- Perform a Management Review
Throughout the process, company leaders must remain in the loop, and this is never truer than when incidents or problems arise. If unforeseen events happen that require you to make pivots in the direction of your actions, management must know about them so that they can get relevant information and make fiscal and policy-related decisions.
- Take Preventive And Corrective Actions
Supported by company higher-ups, it is now your responsibility to systematically address the areas of concern that you have found in your security system. That means identifying where they originated and who was responsible, as well as verifying all actions that you have taken to fix the issue or to keep it from becoming a problem in the first place.
Armed with this knowledge of the various steps and requirements in the ISO 27001 process, you now have the knowledge and competence to initiate its implementation in your firm. If you’re ready, it’s time to start. Assign your expert team and begin this necessary yet surprisingly straightforward process.