In this blog, Alex Speakes, Information Security Consultant at URM shares his views on 6 must do’s when implementing an information security management system (ISMS) in order to conform to or certify against ISO 27001, the International Standard for Information Security Management. The blog is based on his personal experience implementing and managing an ISMS both as an ISMS Manager and as a consultant advising other organisations implementing ISO 27001.
Understanding the Standard
Before implementing ISO 27001, it is crucial to understand what the purpose of the Standard is, how the Standard is going to benefit your organisation, and why your organisation is seeking certification. It is important that the organisation, particularly senior management, understands what the objectives of ISO 27001 are and what is involved in implementing it, and also the benefits that will accrue from both a good governance and a commercial perspective. It is important to communicate, for example, that this is a risk-based Standard and that any security controls introduced are tailored to your organisation. We recommend all organisations purchase a copy of ISO 27001:2022 to use as a reference point in understanding and meeting the requirements of the Standard itself.
Top management support
An absolute must in any implementation of ISO 27001 is that it has the backing of your top management, such as your senior leadership team or board of directors. Whenever URM has been involved in producing an ISO 27001 case study post implementation and asked clients about the key success criteria of the project, invariably the first criterion mentioned is gaining the commitment and support of top management. The backing of top management is not just about providing resources, but about building information security into the organisation’s culture and values, so that it becomes business as usual, and the leadership team is seen to be leading by example, with no exceptions!
Completing an information security risk assessment against information assets
At the core of your ISMS is your information security risk assessment. The main goal here is always to start by identifying all the in-scope information you are processing, along with any supporting assets used to process that information. One of the biggest challenges associated with this is understanding that you are assessing the information itself and its importance to your organisation, not necessarily the detail of particular assets (i.e. serial numbers): these are information assets, not entries on a hardware asset register. The purpose of the risk assessment is to identify potential security threats to your key information assets and evaluate the risks associated with them. This assessment is absolutely central in guiding you to select the most appropriate information security controls.
Creating and communicating an information security policy
Your information security policy should lie at the heart of your ISMS. It needs to explain your organisation's approach to information security, as well as provide a framework for setting objectives and establishing an overall sense of direction and principles for securing information. An area that we sometimes see being overlooked is the need to communicate this policy to staff and interested parties. If you need to share your information security policy with external parties, make sure you don’t have conflicting rules set out in your classification scheme, and don’t set the policy’s classification to ‘internal use only’ or ‘company confidential’, for example.
Defining the scope of the ISMS
Clearly defining the scope of your ISMS is critical and involves deciding which information, departments, locations, and technology will be covered. A well-defined scope ensures that everyone knows what is included and what isn't. We often see organisations struggle initially with the challenge of defining their ISMS scope, but find the following questions really help in deciding on an appropriate and meaningful scope:
- Why are you looking to conform or certify to ISO 27001? Is it being specified by one or more major clients or is it to align with best practice, or to demonstrate to prospective clients the robustness of your information security practices and processes?
- Does the scope need to cover all information sites, people, teams, technologies, products and services?
- Or does the scope only need to cover specific areas? This is particularly relevant if you are implementing ISO 27001 to meet a specific client’s requirements.
- Who needs to be involved in the decision-making process behind defining the scope? In URM’s opinion, this should be led by senior management and assigned to an appropriately qualified information security professional.
Ensuring all staff are aware of the importance of information security
Countless surveys have shown that an organisation’s own staff represent one of the biggest threats to maintaining information security, e.g., by falling victim to phishing attacks. As such, training and awareness programmes are vital in ensuring that all employees understand their role within the ISMS and how they can contribute to information security within your organisation. We tend to see challenges around evidencing staff awareness of information security and of information security policies. A great starting point (literally) is ensuring that the new starters’ induction programme includes sessions on your information security policy and its supporting policies and processes. This can then be marked as complete on an induction checklist, allowing you to evidence that staff were given visibility of policies and procedures. This can be further supported by including some form of assessment test at the end of training/awareness sessions. These assessments can include multiple-choice quiz questions with a requirement to achieve a specific pass mark or percentage. Not only will a test be valuable in identifying any gaps in new starters’ understanding, but also in identifying any shortfalls in the training/awareness material.
How URM can help you
Having assisted over 400 organisations to achieve and maintain ISO 27001 certification, URM is ideally placed to support your organisation’s implementation of the Standard. URM’s services are totally flexible and tailored to meet your organisation’s needs, and our ISO 27001 consultants can help you with any aspect of conformance to the Standard. This includes conducting a gap analysis to identify any areas of nonconformance, performing an ISO 27001 internal audit, through to full lifecycle implementation support. As well as our consultancy services, we offer a range of ISO 27001 training courses, all led by a qualified and experienced ISO 27001 consultant.