Implementing ISO 27001
ISO 27001 implementation takes time and effort, but it isn’t as expensive or difficult as many organisations across Asia-Pacific might think.
IT Governance has trained more than 7,000 professionals across the world on ISMS (information security management system) implementations and audits, and we have helped more than 600 organisations with ISO 27001 compliance and certification projects, which means we know exactly what it takes to ensure the project is a success.
Our ISO 27001 implementation bundles can help reduce the time and effort required to successfully implement an ISMS, and eliminate costs associated with traditional consultancy.
ISO implementation checklist
Familiarise yourself with ISO 27001 and ISO 27002
The first step in your project is to familiarise yourself with the Standards and their core requirements. ISO/IEC 27001:2013 sets out the requirements an ISMS must meet to be certified; ISO/IEC 27002:2013 gives implementation guidance for the controls listed in ISO 27001's Annex A; and ISO/IEC 27000:2018 defines the vocabulary used across the series. These three will serve as your principal points of reference.
Assemble a project team and initiate the project
You will need to appoint a project leader to manage the implementation, gather the information needed to confirm the organisation's business objectives and information security goals, and develop a project plan and a project risk register.
Conduct a gap analysis
Determine which areas of your organisation are not compliant with ISO 27001 and what to do to achieve compliance.
Scope the ISMS
This is an essential step in your project, where you decide which information assets, locations, systems and business processes the ISMS will protect, taking account of their interfaces with and dependencies on anything left outside the boundary. Too big a scope will escalate the time and cost of the project; too small a scope will leave your organisation exposed to risks that were never assessed.
Develop policies, procedures and other key ISO 27001 documentation
You need to set out high-level policies for the ISMS that establish roles and responsibilities, and put in place a continual improvement process. Mandatory documentation includes the ISMS scope, the information security policy, the information security objectives, the risk assessment and risk treatment processes and their results, and evidence of competence.
- ISO 27001 Documentation Toolkit – contains customisable documentation templates that will save you weeks of work trying to develop all the required policies and procedures.
Undertake a risk assessment
Risk assessments are at the core of an ISO 27001-compliant ISMS. They identify the risks to the confidentiality, integrity and availability of in-scope information, assign each risk an owner, and evaluate it against your organisation's risk acceptance criteria. Because the assessment considers the controls already in place, it also shows how effective your current controls are.
Select and apply controls
Once you have chosen how to treat each risk, compare the controls you have selected against the reference control objectives and controls in Annex A of ISO 27001 to confirm that no necessary control has been overlooked. Any Annex A control you choose not to implement must be justified.
- ISO 27001 Documentation Toolkit – provides a full set of the required policies and procedures, mapped against the Annex A controls, ready for you to customise and implement.
- vsRisk™ risk assessment software – includes all Annex A controls, in addition to controls from other leading frameworks, such as PCI DSS and NIST SP 800-53.
Develop risk documentation
ISO 27001 requires an RTP (risk treatment plan) and an SoA (Statement of Applicability) to be produced. The RTP records how each risk will be treated, by whom and by when. The SoA lists the controls necessary to treat the identified risks, cross-referenced to Annex A, and states for each one whether it is implemented, together with a justification for its inclusion or, for any Annex A control omitted, its exclusion.
- vsRisk™ risk assessment software – generates six audit-ready reports, including the RTP and SoA, which can be exported, edited and shared across the organisation and with auditors.
Conduct staff awareness training
Many security incidents begin with human error, such as a phished credential or a misaddressed email, rather than with a technical failure. ISO 27001 therefore requires that everyone working under the organisation's control is aware of the information security policy, their own contribution to the ISMS and the implications of not conforming to it, which in practice means regular awareness training for all employees.
Assess, review and conduct an internal audit
You must conduct internal audits and tests at planned intervals to confirm that controls are operating as intended and that incident response plans work in practice. Top management must also review the ISMS's performance at planned intervals; in practice this is usually at least annually.
Opt for a certification audit
If your organisation opts for external certification, the certification body you use should be accredited by a national accreditation body that is a member of the IAF (International Accreditation Forum). The certification audit provides an independent opinion on whether your ISMS conforms to ISO 27001: a Stage 1 audit reviews your documentation, and a Stage 2 on-site audit checks that the controls are implemented and performing as described and tests your procedures.
ISO 27001 implementation bundles
IT Governance offers four different implementation bundles that have been expertly created to meet the unique needs of organisations across Asia-Pacific, and are the most comprehensive mix of ISO 27001 tools and resources currently available.
Speak to an expert
For more advice or guidance on implementing ISO 27001, please contact our team below.