ISO 27001 checklist: 16 Steps for the implementation
Posted: Mar 03, 2022
This one may seem obvious, but it is frequently ignored. In my experience it is the primary reason ISO 27001 certification projects fail: management either does not assign enough people to the project or does not provide enough funding.
2. Approach it as a project.
If your organization is large, it makes sense to start implementing ISO 27001 in one part of the business. This reduces project risk because you bring each business unit up to the standard separately and then integrate them at the end.
Your management team should help define the scope of the ISO 27001 framework, contribute to the risk register and identify assets (i.e. tell you which business assets to protect). Scoping must take internal and external factors into account, such as the relationships with your human resources, marketing and communications teams, and with regulators, certification bodies and law enforcement agencies. Think about how your security team will work with each of these dependencies and document each process (be sure to indicate who is the decision maker for each activity).
In your ISMS scope documentation, include a brief description of the locations, a floor plan and an org chart. The standard does not strictly require these, but certification auditors generally expect to see them. A documented ISMS scope is a requirement of ISO 27001; it can be a standalone document or form part of your information security policy.
4. Write an Information Security Policy
The most difficult task in an ISO 27001 project is the risk assessment. The first step is to define the methodology: the rules for identifying risks, rating their impact and likelihood, and setting the acceptable level of risk. If those rules are not clearly defined, you will end up with results that are inconsistent and unusable.
6. Conduct the risk assessment and risk treatment
The aim of the risk treatment process is to reduce unacceptable risks, which is usually accomplished by planning to use Annex A controls. (For more information, see the article 4 risk mitigation options according to ISO 27001.)
Once you have completed the risk treatment process, you will know exactly which controls from Annex A you need (the 2013 edition of Annex A contains 114 controls, but you probably won't need them all). The Statement of Applicability (frequently referred to as the SoA) lists all of the controls and, for each one, states whether it is applicable and the reason for that decision, the objectives to be achieved with it, and a description of how it is implemented in the organization.
Just when you thought you were done with risk-related documents, here comes another one – the purpose of the Risk Treatment Plan is to define exactly how the controls from the SoA are to be implemented – who will do it, when, on what budget, and so on. This document is actually an implementation plan centred on your controls, without which you would be unable to coordinate further project steps.
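The chain of documents described in the risk assessment, risk treatment, SoA and Risk Treatment Plan steps above is easier to keep consistent when the methodology is encoded rather than applied by hand. The following is an added example written for this page, not code from the article or from any ISO 27001 tool: it assumes a simple 1 to 5 likelihood and impact scale with risk = likelihood x impact, an acceptable-risk threshold of 6, the four treatment options, a constructed risk register and a small subset of real ISO/IEC 27001:2013 Annex A control identifiers. It checks that every risk in the register is treated according to the methodology (no unacceptable risk silently "accepted", no "mitigate" without controls, no control outside the catalogue) and then derives the SoA rows, with applicability and justification, from the treatment decisions.

```python
"""Risk assessment -> risk treatment -> Statement of Applicability.

Constructed example: the scales, threshold, register and control subset
are assumptions for illustration, not taken from the standard or the article.
"""
from dataclasses import dataclass

# Assumed methodology: 1-5 ordinal scales, risk = likelihood x impact,
# and anything scoring above ACCEPTABLE_RISK must be treated.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTABLE_RISK = 6
TREATMENTS = {"mitigate", "transfer", "avoid", "accept"}

# Small subset of ISO/IEC 27001:2013 Annex A (these identifiers and titles
# are real; the full annex has 114 controls).
ANNEX_A = {
    "A.8.1.1": "Inventory of assets",
    "A.9.2.3": "Management of privileged access rights",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.12.2.1": "Controls against malware",
    "A.12.3.1": "Information backup",
    "A.15.1.1": "Information security policy for supplier relationships",
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: str
    impact: str
    treatment: str = "accept"
    controls: tuple = ()  # Annex A control IDs selected to treat this risk

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def acceptable(self) -> bool:
        return self.score() <= ACCEPTABLE_RISK


def validate_register(risks):
    """Return the list of methodology violations; an empty list means consistent."""
    problems = []
    for r in risks:
        if r.treatment not in TREATMENTS:
            problems.append(f"{r.risk_id}: unknown treatment '{r.treatment}'")
        if not r.acceptable() and r.treatment == "accept":
            problems.append(f"{r.risk_id}: score {r.score()} exceeds {ACCEPTABLE_RISK} "
                            "but treatment is 'accept'")
        if r.treatment == "mitigate" and not r.controls:
            problems.append(f"{r.risk_id}: 'mitigate' chosen but no controls selected")
        for c in r.controls:
            if c not in ANNEX_A:
                problems.append(f"{r.risk_id}: control {c} is not in the Annex A catalogue")
    return problems


def build_soa(risks):
    """Map every catalogue control to applicability, justification and driving risks."""
    soa = {}
    for cid, title in ANNEX_A.items():
        driving = [r.risk_id for r in risks if cid in r.controls]
        soa[cid] = {
            "title": title,
            "applicable": bool(driving),
            "risks": driving,
            "justification": (f"selected to treat {', '.join(driving)}" if driving
                              else "no risk in the register requires this control"),
        }
    return soa


# Constructed risk register (not real data).
REGISTER = [
    Risk("R-01", "file server", "ransomware", "likely", "major",
         "mitigate", ("A.12.2.1", "A.12.3.1")),
    Risk("R-02", "staff laptops", "loss of unencrypted device", "possible", "major",
         "mitigate", ("A.10.1.1",)),
    Risk("R-03", "public website", "defacement", "unlikely", "minor", "accept"),
    Risk("R-04", "outsourced payroll", "provider outage", "possible", "moderate",
         "transfer", ("A.15.1.1",)),
]

if __name__ == "__main__":
    for p in validate_register(REGISTER):
        print("PROBLEM:", p)
    for cid, row in build_soa(REGISTER).items():
        status = "applicable" if row["applicable"] else "not applicable"
        print(f"{cid} {row['title']} -> {status} ({row['justification']})")
```

The SoA rows come out of the treatment decisions rather than being written separately, so a control cannot be marked applicable without a risk that justifies it, and a risk cannot be mitigated without a control that ends up in the SoA. Extending each row with an owner, deadline and budget turns the same structure into the Risk Treatment Plan.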
9. Define how to measure the effectiveness of controls
This is where you put the documents and records required by clauses 4 through 10 of the standard, as well as the applicable controls from Annex A, into action. Because it necessitates the implementation of new behaviors, this is usually one of the riskiest activities in the project. New controls, policies, and procedures are required, and people frequently resist change. As a result, the next step is critical to avoiding this risk becoming a problem.
11. Implement Training & Awareness Programmes
In order to comply with ISO 27001, your security awareness training programme should include the following components:
2. Security awareness poster campaigns
4. Simulated phishing exercises
One of the most common reasons for project failure is the absence of these activities in an ISMS.
12. Operate the ISMS
Automatically created records:
Reports created from the information systems