How do I Implement ISO 27001?
ISO 27001 is a broad quality standard developed by the International Standards Organization (ISO) for approaching information security. What counts as information security varies by organization; in general, however, it covers all forms of data, communications, conversations, recordings, documents and even photographs, everything from email to faxes and telephone conversations. Specifically, ISO 27001 implementation is used to obtain certification for an organization's information security management system (ISMS). The ISMS sets a standard for the entire organization by defining goals, together with an actionable plan to achieve and improve upon those goals according to a management standard.
Instructions

1. Establish goals. Every information security management system should have a set of goals to work toward. The exact goals depend on the organization and on the regulatory environment of the industry in which it operates. For instance, a bank working with high net-worth clients will need to set more stringent information security goals than a cattle company.

2. Define the scope and boundaries of your ISMS goals. For each goal, assign a value that lets you measure how far the goal has been met. For instance, if you want to reduce fraud relating to information security, you can set a goal of a 5 to 10 percent reduction in fraud for the year. Additionally, you may want to set different goals for different departments in the organization. For instance, the sales force may have a higher rate of fraud occurrences than back-office or support functions. Defining the scope and setting boundaries will improve implementation success.

3. Identify the best way to approach risk assessment. Risks under ISO 27001 are events that can compromise the information security of an organization. For example, your company may want internal audit or accounting to assess risks on a regular basis in conjunction with their normal tasks. These groups tend to work objectively across the entire organization and usually help to set and monitor internal controls.

4. Identify the major security risks in your organization. After assessing the risks, you will have a list of security events. Prioritize these risks for the implementation team.

5. Evaluate your current information security environment and measure the threat posed by each security risk. Each security risk must also be connected to a specific goal so that performance can be measured over time.

6. Create a plan to treat and reduce these risks. Each risk must have a list of actions and options for the risk assessment team to follow. The actions must provide a clear way to meet the goal objectives as well as defined controls to help monitor the risks. For a large organization, break the plan into sections. For instance, you might start with a pilot and then roll out the plan to the wider organization.

7. Obtain management approval. Management must formally ratify the plan prior to implementation. Ask management to make a general announcement of the plan to the organization. Also provide management with a timeline for implementation to approve and disseminate across the organization.

8. Begin implementation. Perform regular internal audits and report the findings regularly to management. Update your goals and security plans appropriately.