Alan Calder, our author of the month for October 2018, explores the reasons for implementing ISO 27001 and explains how to implement the Standard.
When the EU’s GDPR (General Data Protection Regulation) came into effect in May 2018, conformance to information security best practice effectively became mandatory, rather than being merely desirable.
This is where ISO/IEC 27001:2013 comes in.
Why implement ISO 27001?
ISO 27001 is the international standard for an ISMS (information security management system), a best-practice approach to information security that covers people, processes and technology.
An ISMS is based on the outcome of a business-led risk assessment, so each organisation’s ISMS is unique and provides a highly tailored approach to threat mitigation. As information security management practices are driven by informed decisions, expenditure on controls can be balanced against the business harm likely to result from security failures.
The adoption of an ISO 27001-compliant ISMS enables all organisations to integrate international best practice into their existing management approach to information security.
Such an approach streamlines and strengthens business processes to help organisations ensure the confidentiality, integrity and availability of their critical information assets.
Moreover, organisations can achieve independently audited certification to the Standard to demonstrate their commitment to securing their clients’ information, as well as their compliance with the secure processing requirements of the GDPR.
ISO 27001 certification is already a supply chain requirement for many international markets.
Making the business case for ISO 27001
Because an ISMS encompasses the entire organisation, the success of your ISO 27001 project depends on board-level commitment and support.
One of the main barriers to implementing the Standard is that management often fails to understand information security risks, so creating a strong business case is essential to getting decision-makers on your side.
My book The Case for ISO27001:2013 sets out a compelling argument for implementing the Standard.
It will show you how to:
- Fight cyber crime – Implementing an ISO 27001 ISMS will help protect your organisation from the threat of organised crime.
- Combat cyber terror – Implementing an ISMS makes it easier to defend your company against a destructive cyber attack.
- Improve your corporate governance – Reducing your company’s financial exposure to the risk of losses resulting from IT system failure is now a corporate governance requirement. ISO 27001 will help you to comply.
- Recover from data breach incidents – With ISO 27001, you can minimise the risk that your information will be lost or corrupted as a result of human error.
How do you implement ISO 27001?
When it comes to actually implementing the Standard, no two ISMS projects are the same. The entire project, from scoping to certification, will vary considerably depending on the size and complexity of your firm, your experience and available resources, and the amount of external support you need.
Many people are understandably daunted by the scale of implementing an ISMS, but complying with ISO 27001 needn’t be a burden.
As the majority of organisations already have some information security measures – albeit ones that have been developed ad hoc – you could well find that you already have many of ISO 27001’s controls in place. Bringing them into line with the Standard’s requirements and integrating them into a proper management system could be well within your grasp.
If you’re new to ISO 27001, Nine Steps to Success – An ISO27001:2013 Implementation Overview will give you the guidance and direction you need to make your implementation project a success.
Completely updated to reflect the implementation methodology used in hundreds of successful ISMS implementations around the world, Nine Steps to Success covers each element of the ISO 27001 project in simple, non-technical language.
It will show you how to:
- Get management support.
- Create a management framework.
- Perform a gap analysis to understand the controls you have in place and identify where to focus your efforts.
- Structure and resource your project, including advice on using consultants and an examination of the tools and resources available to help with your project.
- Conduct a five-step risk assessment, and create an SoA (Statement of Applicability) and RTP (risk treatment plan).
- Integrate your ISO 27001 ISMS with an ISO 9001 QMS (quality management system) and other management systems.
- Address the documentation challenges you will face as you create policies, procedures, work instructions and records.
- Continually improve your ISMS, including internal auditing, testing and management review.
About the author
Alan Calder led the implementation of the world’s first management system to achieve accredited certification to BS 7799 – the forerunner to ISO 27001 – and has been working with the Standard and its successors ever since.
The founder and executive chairman of IT Governance Ltd, Alan served as a member of the Department of Trade and Industry’s Information Age Competitiveness Working Group, and for many years was a member of the DNV Certification Services Certification Committee, which certifies compliance with international standards including ISO 27001. He works with a wide range of clients on IT governance and information security projects, and speaks at seminars and presentations on IT governance, regulatory compliance and information security.
Save 15% on all of Alan’s ITGP publications in October 2018
Browse the full list of Alan’s publications on his author page, choose the title(s) you’d like and enter the discount code CALDER15 at the checkout.