IMPLEMENTING AN ISMS
The nine-step approach
June 2017
© IT Governance Ltd 2017
Protect ● Comply ● Thrive
Implementing an ISMS v1.1
Introduction

Information security is not just about antivirus software, implementing the latest firewall or locking down your laptops and web servers. The security of your organisation’s information is as much about protecting it as ensuring it is useful, and the overall approach to information security should be strategic as well as operational. Different security initiatives should be prioritised, integrated and cross-referenced to ensure overall effectiveness.

An information security management system (ISMS) is a systematic approach to managing confidential or sensitive company information so that it remains secure. It encompasses people, processes and technologies.

The fact that it is systematic is possibly the most important facet of an ISMS: it provides protection for the organisation’s information on the basis that it ensures consistent, effective behaviours. If an organisation knows how it needs to operate to keep information secure, creating a system to ensure this happens is a key to success.

Defining ‘secure’

In order to understand how to secure your information, you first need to know what that really entails. From a crude perspective, you might say that you want to stop criminals accessing your information. This is a laudable goal, but it’s really only a fraction of what information security is about.

Information needs to be protected on three fronts:
• Confidentiality: Information should only be accessible to those who need access to it.
• Integrity: Information should be protected from unauthorised modification, destruction and loss.
• Availability: The information should be accessible to authorised persons as and when necessary.

Information is, after all, only useful if you know it is correct and you are able to access it. Protecting confidentiality alone is not security.

For an organisation to secure its information, it must approach the problem from the perspectives of people, processes and technologies. These are interlinked. In the simplest sense, a technology needs a person to manage and maintain it, and that person needs to follow defined processes in doing so.

This is part of the systematisation of information security: ensuring full coverage at any point that information could be compromised.

Implementation is a project

While many organisations develop a range of security measures as they grow, and many of those measures are effective, these information security regimes are often disjointed, and gaps will inevitably be discovered – either by the organisation or by its enemies.
IT Governance Green Paper
Developing a comprehensive, effective ISMS to secure your organisation’s information assets is almost inevitably a large undertaking for any organisation. It will essentially require the organisation to treat it as a major project, with all of the associated trappings.

The IT Governance nine-step approach to implementing an ISO 27001-compliant ISMS takes all of this into account, and reflects the methodology used by our consultants in hundreds of successful ISMS implementations around the world.

This paper cannot possibly cover all of the possible issues you might encounter, or spell out every incremental step, but it can – and does – describe what we consider the essential implementation process.

Nine steps

The nine steps outlined in this paper cover the full extent of the project, from initial discussions with managers through to testing the completed project. It is as much about having the board on your side as it is about implementing security controls.

It is also important to remember that this process is not exhaustive. Each organisation will come up against its own set of stumbling blocks and will need to consult other sources of information.

The ninth step is certification, which is not strictly necessary for an organisation to get significant value from its ISMS. To realise maximum value, however – such as from improved business opportunities, simpler compliance with legal and regulatory requirements, and so on – certification should certainly be a consideration.

The following is a summary of our tried and tested nine-step process, which is completely described in Nine Steps to Success – An ISO 27001:2013 Implementation Overview.

1. Project mandate

The first, obvious step is to start. Starting any project is a critical phase succinctly explained with a cliché: well begun is half done.

The project leader will, at least initially, be the person who takes the initiative and begins the push for the ISMS. They will be the person to whom everyone else in the organisation looks for information and guidance on the project.

The project mandate itself is essentially a set of answers to the questions all projects face in their early stages:
• What are we hoping to achieve?
• How long will it take?
• What will it cost?
• Does it have management support?

The last of these is the most important. It is proof that the first three have been clearly answered, and it is absolutely essential. Successful implementation of an ISMS depends entirely on the project having real support from the top of the organisation.

Developing the answers to these questions may involve quite a lot of research and preparation – gap analyses, budgeting, case studies, and so on. This is time well spent, though, as a failure to adequately prepare will likely mean that you can no longer meet the expectations that you set in the project mandate.

The final outcome of this step will be a set of documents laying out the project. A project initiation document (PID) would be an ideal format for the mandate to take.

2. Project initiation

With the mandate in place, the next step is to set up the project itself and the project governance structure, as described in Nine Steps to Success. This is essentially an extension of what is contained in the PID, comprising:
• Information security objectives
• The project team
• A project plan
• A project risk register

The information security objectives are more granular and specific than the project objectives set in the previous step. They
will feed into the information security policy and really start to shape how the ISMS is applied. Because these are ‘policy-level’ objectives, they should include a time-bound statement about whether the organisation is seeking certification or just compliance with the Standard.

The project team should represent the interests of every part of the organisation, and be composed of people at various levels of seniority. You should also draw up a RACI matrix at this point, identifying who is responsible, accountable, consulted and informed regarding the key decisions relating to the project.

A key role is that of the information security manager. In addition to having a central role in the implementation project, they will also eventually be responsible for the day-to-day functioning of the ISMS.

The ‘project team’ should also develop other essential teams, such as a steering group, which is essential to drive the project forward.

The project plan is part of the process of gradually drilling down into what will actually be done in implementing ISO 27001, and should include critical project data such as review dates.

Additional resources and information may be necessary to make sure that the plan is comprehensive, suitably detailed, and accounts for the organisation’s unique position and structure.

The risk register should account for risks to the project itself. These might be budgetary (will the organisation continue to fund the project?), cultural (will staff resist the change?), lack of management commitment (will senior management openly support the project?), legal (are there specific legal obligations that might be at risk?), and so on. Each risk included in the register should have an assigned owner and a mitigation plan. Crucially, the risk register and mitigation plans should be reviewed regularly throughout the project.

3. ISMS initiation

ISO 27000 (the overview for the ISO information security management standards) recognises that a “process approach” to continual improvement is the most effective model for managing information security. That is, each process has a set of inputs and outputs, and the outputs may become inputs for further processes. In a broad sense, this can be cyclical, as in continual improvement methodologies such as PDCA (Plan-Do-Check-Act), COBIT® 5’s continual improvement life cycle and ITIL®’s Continual Service Improvement.

ISO 27001 does not specify a particular continual improvement methodology, preferring instead to allow organisations to use whatever method they choose, or to use a model they already have in place. If your organisation does not yet have a preferred methodology, Nine Steps to Success discusses the merits of each of the most popular models.

You will also need to establish your documentation structure. We recommend a four-tier documentation structure:
• Policies at the very top, defining the organisation’s position and requirements.
• Procedures to enact the policies’ requirements.
• Work instructions describing the detail for the employees who enact elements of the procedures.
• Records tracking the procedures and work instructions, providing evidence that they have been followed correctly and consistently.

This structure is simple enough for anyone to grasp quickly, while also providing an effective way of ensuring policies are implemented at each level of the organisation.

A great deal can be said about documentation, but there are two key points to make:
1. Documentation should be controlled to ensure the latest versions are approved and identifiable.
2. Documentation should be adequate and not excessive, enabling each process to be systematically communicated, understood, executed and effective.

4. Management framework

At this stage, the ISMS needs a broader sense of the actual framework. ISO 27001 addresses this in clauses 4 and 5, requiring the organisation to define the context for the ISMS, and the roles that the organisation’s leadership plays.

The context of the organisation with regard to information security is really about identifying the range of interests that need to be taken into account. The organisation, clearly, has interests in information security, as do clients, partners, legal and regulatory authorities, and so on. You began examining these interests with the risk register.

As you might gather, this phase is especially important as it really defines what the ISMS will eventually become. From this perspective, it is obviously important that you recognise all relevant interests so that the ISMS can meet your organisation’s needs.

Part of this will involve identifying the scope of the ISMS, which will heavily depend on the context. The scope also needs to ensure it takes into account mobile devices and teleworkers – the organisation’s logical perimeter that might be mobile, and might include devices that employees own.

The management framework also needs to set the groundwork for the rest of the implementation, so you’ll need to formalise some key arrangements:
• The information security policy.
• Ensuring there are adequate resources to meet your objectives.
• Defining your communication strategy and/or policy (both internal and external communications).
• Identifying competence requirements.

The management framework essentially comprises all of the factors that define the project’s parameters.

5. Baseline security criteria

The baseline security criteria are the core security requirements that the organisation has identified. These are the requirements and corresponding measures or controls that the organisation must have in place to do business. For example, a business may have a legal requirement to retain certain records; another organisation may be contractually obliged to provide a minimum level of security to a key customer’s information assets.

This step is generally quite straightforward, because it operates on the basis that you have already done much of this work. You need only identify the practices you already have in place, assess their effectiveness, and ensure that they continue – potentially in an improved state – under the auspices of the eventual ISMS.

You should, of course, ensure that you are currently meeting your obligations. Tools and databases exist that track legal requirements for information security (such as Vigilant Software’s Compliance Manager), and you should ensure that this process covers all of the necessary jurisdictions.

6. Risk management

Risk management is at the heart of the ISMS. On the basis of regular risk assessments, your ISMS will adapt to meet new and evolving challenges, and ensure that the risks to information security are adequately and appropriately mitigated. Risk management will need to become a core competency for any organisation implementing ISO 27001.

ISO 27001 allows the organisation to broadly define its own risk management processes. Common methods focus on looking at either risks to specific assets or risks presented by specific scenarios. There are pros and cons to each, which are
discussed in Nine Steps to Success, and some organisations will be considerably more suited to one method than the other.

There are five important steps in an ISO 27001 risk assessment:
1. Establish a risk assessment framework
2. Identify risks
3. Analyse risks
4. Evaluate risks
5. Select risk management options

The risk assessment framework is a critical part of the process, and will involve designating the person(s) responsible for the risk assessment. Without someone who is capable of performing the assessment, the whole exercise will fail.

You will also need to define your risk acceptance criteria, which involves understanding how risks affect the organisation and how likely they are to actually occur. By determining the impact and the likelihood of a given risk, you can determine how severe a risk it really is. Risk managers often present this in a simple matrix:

[Figure: risk matrix plotting Impact (vertical axis) against Likelihood (horizontal axis), with cells shaded green, yellow, orange and red]

The results of this analysis can be used to determine how you respond to the risk. There are considered to be four ways of responding to a risk:
1. Tolerate the risk
2. Treat it by applying controls
3. Terminate the risk by avoiding it entirely
4. Transfer the risk, such as through insurance or agreements with other parties

For instance, your organisation might decide that anything in the green area is an acceptable risk; that you’ll apply controls to anything orange or yellow; and anything in the red area should be terminated. You might choose to transfer some risks on a case-by-case basis.

The key outputs of an ISO 27001 risk assessment are the Statement of Applicability (SoA) and the risk treatment plan.

The SoA is a document that contains the “necessary controls” you have selected, justifications for their inclusion, whether or not they have been implemented, and justification for excluding any controls from Annex A of ISO 27001. It essentially proves that you’ve done due diligence by considering all of the reference controls, and is especially important if you are seeking to certify your ISMS.

The risk treatment plan, meanwhile, shows the results of the risk assessment – that is, for each identified risk, what the organisation intends to do. This should include other essential information such as responsibility for the risk and deadlines for completion.

7. Implementation

While we call this the ‘implementation’ phase, what we really refer to is the implementation of the risk treatment plan. This is the process of building the actual security controls that will protect your organisation’s information assets.

In order to ensure these controls are completely effective, you will need to ensure that staff are appropriately competent to operate or interact with the controls, and that they are aware of their information security obligations.

You will need to develop a process to determine, review and maintain the competences necessary to achieve your ISMS objectives. Part of this will involve conducting a needs analysis, and you should also develop an organisational definition of competence to provide a target to work towards.

Competence should take into account not only the specific skills and knowledge needed for the relevant controls, but also a
strong understanding of ISO 27001 and how the ISMS should operate. A small number of staff should seek out appropriate qualifications, focusing particularly on areas such as implementing and auditing information security, risk management, business continuity, and so on.

The Standard also requires staff, contractors and other types of employee to be aware of the information security policy, how they contribute to effective information security management, and the implications of failing to conform to the requirements of the ISMS.

Staff are almost always the organisation’s weakest point, so ensuring they know what they have to do to preserve information security is critical. Like other processes, your staff awareness programme should be systematic and maintained over time.

And, of course, all of this will need to be documented. This will fall into the documentation framework you developed in the initiation phase.

This is a large and highly detailed phase of the whole implementation project; it would be wise to read up on the process and what will be required in detail.

8. Measure, monitor and review

In order for the ISMS to be useful, it must meet its information security objectives. To know whether it is doing so, you need to measure, monitor and review its performance.

ISO 27001 requires the organisation to establish a series of processes that feed into the continual improvement cycle (established in step 3 – ISMS initiation):
• Monitoring, measurement, analysis and evaluation
• Internal audit
• Management review

You will need to identify metrics or other methods of gauging the effectiveness and implementation of your controls. Remember that you shouldn’t just be looking at the results, but also at elements like how often a control is used. The results should then be analysed and evaluated to determine how effective the control actually is.

Internal audits should be scheduled at planned intervals and should cover the whole of the ISMS. While this may seem prohibitively intrusive, there is no requirement for the whole audit to be carried out at the same time. You do not need to suspend all work just to audit the ISMS.

It should go without saying that internal auditors are likely to need specialised training, and that they should not audit their own work.

The results of these tests form the inputs for the management review, alongside information about any nonconformities and corrective actions that have been taken. The outputs of the review, as mentioned earlier, will be fed into the continual improvement process, allowing the organisation to make corrections and adjustments to the ISMS.

9. Certification

The final step is, obviously, to have your ISMS examined and certified by an independent external body. There are a number of certification bodies, but you should ensure that the one you select meets a few conditions:
• They should be accredited by your national accreditation body, which should be a member of the International Accreditation Forum (IAF).
• They should have an approach to assessment that takes each organisation’s circumstances into account. An ISMS is unique to its organisation, and the certification audit, therefore, should not simply be a mechanical comparison of the ISMS against the Standard.

Furthermore, if you already have a certified management system, you should consider the value of an integrated certification service to minimise disruption and costs.
The actual certification audit will determine whether the ISMS is worthy of certification. In order to maximise the likelihood of passing certification at the first attempt, there are several things you can do.

Ensure your documentation is complete, comprehensive and available for the auditors to inspect. This should be in place before the actual certification audit, as the auditors will want to review your documentation ahead of the visit.

Ensure that you have records of internal audits and testing. These provide evidence that your ISMS is an active management system rather than just a set of documents, and may also demonstrate your corrective actions and continual improvement in action.

Make sure your staff are open and honest with the auditors, and that they know how to answer the auditor’s questions. This should include ensuring appropriate staff have a thorough knowledge of the areas of information security they are responsible for.

Management should be fully involved in the certification audit. It may be useful to rehearse with them the sorts of questions they may be asked, and to review the formal, management-level policies and declarations.

For many organisations, this is going to be seen as one of the most critical stages: proving that the implementation programme was effective and being able to show that to partners, customers and other stakeholders. To maximise the chances of getting to this stage, read Nine Steps to Success.
Useful ISMS resources
IT Governance offers a unique range of ISMS implementation products and services, including
books, standards, pocket guides, training courses and professional consultancy services.
Standards
ISO 27001 ISMS Requirements
ISO/IEC 27001:2013, usually referred to just as ISO 27001, is the best-practice
specification that helps businesses and organisations throughout the world to
develop an ISMS.
Books
Nine Steps to Success – An ISO 27001:2013 Implementation Overview
Now in its third edition, this must-have guide has been completely updated to align
with IT Governance’s implementation methodology, used by our consultants in
hundreds of successful ISMS implementations around the world.
Toolkits
ISO 27001 ISMS Documentation Toolkit
Fulfil your ISO 27001 documentation obligations with customisable templates and
implementation guidance from ISO 27001 auditors. Ensure total coverage of your
project with this complete set of mandatory and supporting documentation.
Training
ISO 27001 Certified ISMS Lead Implementer Masterclass
If you are involved in information security management, writing information security
policies or implementing ISO 27001 – either as a Lead Implementer, or as part of the
planning/implementation team – this masterclass covers all the key steps in preparing
for and achieving ISMS certification first time. Also available as a Live Online course.
Software
vsRisk™ – the definitive ISO 27001 risk assessment tool
Fully aligned with ISO 27001, vsRisk streamlines the risk assessment process and
helps you produce robust risk assessments. The software tool saves 80% of your time
and significantly cuts the consultancy costs that are typically associated with tackling a
risk assessment.
IT Governance solutions
IT Governance writes and publishes extensively on cyber security and IT GRC (governance,
risk management and compliance) subjects, and has developed a range of tools for IT
governance, information security and regulatory compliance practitioners. This expertise
provides the basis for a number of products and services, including toolkits, books, training
materials and green papers.
IT Governance is your one-stop shop for corporate and IT governance information, books,
tools, training and consultancy. Our products and services are designed to work together; you
can benefit from them individually or use different elements to build something bigger and
better.
Books
We sell the most sought-after publications covering all areas of corporate and IT governance.
Our publishing team also manages a growing collection of titles that provide practical advice
for staff taking part in IT governance projects, suitable for all levels of staff knowledge,
responsibility and experience.
Visit www.itgovernance.co.uk/shop/category/iso-27001-books to view our full catalogue.
Toolkits
Our unique documentation toolkits are designed to help small and medium-sized organisations
adapt quickly and adopt best-practice management using customisable template policies,
forms and documents.
Visit www.itgovernance.co.uk/product-demos to view and trial all of our available toolkits.
Training
We offer training courses from staff awareness and foundation courses, through to advanced
programmes for IT practitioners and certified Lead Implementers and Auditors.
Our training team organises and runs in-house and public training courses all year round, as
well as Live Online and distance-learning classes, covering a growing number of IT governance
topics.
Visit www.itgovernance.co.uk/iso27001-information-security-training for more information.
Consultancy
We are an acknowledged world leader in our field. We can use our experienced consultants,
who have multi-sector and multi-standard knowledge and experience, to help you accelerate
your IT GRC projects.
Visit www.itgovernance.co.uk/iso27001_consultancy for more information.
Software
Our industry-leading software tools, developed with your needs and requirements in mind,
make information security risk management straightforward and affordable for all, enabling
organisations worldwide to be ISO 27001-compliant.
Visit www.itgovernance.co.uk/software for more information.
Contact us: +44 (0)845 070 1750
www.itgovernance.co.uk
servicecentre@itgovernance.co.uk