Implementing ISO 27001

Checklist

The first step in your project is to familiarise yourself with the Standards and their core requirements. ISO/IEC 27001:2013, ISO/IEC 27002:2013 and ISO/IEC 27000:2018 will serve as your principal points of reference.

Solutions

• Free ISO 27001 resources
• IT Governance – An International Guide to Data Security and ISO 27001/ISO 27002
• Nine Steps to Success – An ISO 27001 Implementation Overview
• Buy ISO/IEC 27001:2013 and ISO/IEC 27002:2013

Checklist

You will need to appoint a project leader to manage the implementation project, gather information to review objectives and information security goals, and develop a project plan and project risk register.

Solutions

• ISO 27001 Documentation Toolkit – contains a range of project tools that will help you tackle the ISMS, including an implementation manager to plot tasks against the Standard’s requirements.

• ​​ISO 27001 Certified ISMS Lead Implementer online training course – a three-day course that teaches you how to implement an ISMS from beginning to end, including how to overcome common pitfalls and challenges. 

Checklist

Determine which areas of your organisation are not compliant with ISO 27001 and what to do to achieve compliance.

Solutions

• ISO 27001 Documentation Toolkit – contains an ISO/IEC 27001:2013 and ISO/IEC 27002:2013 gap analysis tool to help you determine what you have to do to achieve compliance.

• ISO 27001 Gap Analysis consultancy – a specialist, in-person review of your current information security posture against the requirements of ISO 27001.

Checklist

This is an essential step in your project where you decide which information assets to ring-fence and protect. Too big a scope will escalate the time and cost of the project; too small a scope will leave your organisation vulnerable to risks that were not considered.

Solutions

• ISO 27001 Certified ISMS Lead Implementer online training course – a three-day course that teaches you how to scope the ISMS effectively.

Checklist

You need to set out high-level policies for the ISMS that establish roles and responsibilities, and put in place a continual improvement process. Mandatory documentation includes an information security policy, information security objectives and evidence of competence.

Solutions

• ISO 27001 Documentation Toolkit – contains customisable documentation templates that will save you weeks of work trying to develop all the required policies and procedures. 

Checklist

Risk assessments are at the core of an ISO 27001-compliant ISMS and provide an accurate snapshot of the threats facing your organisation. Risk assessments help determine how effective your organisation’s current controls are.

Solutions

• vsRisk™ risk assessment software – avoid errors and take advantage of the risk database and corresponding Annex A controls, so you can conduct accurate and effective risk assessments.

Checklist

Controls should be compared against ISO 27001’s reference control objectives and controls in Annex A. If you choose to not include any of these, you should justify those decisions.

Solutions

• ISO 27001 Documentation Toolkit – provides a full set of the required policies and procedures, mapped against the Annex A controls, ready for you to customise and implement. 
• vsRisk™ risk assessment software – includes all Annex A controls, in addition to controls from other leading frameworks, such as PCI DSS and NIST 800-53. 

Checklist

ISO 27001 requires an RTP (risk treatment plan) and SoA (Statement of Applicability) to be produced. The SoA lists all identified controls from ISO 27001 and details whether each control has been applied, along with a justification of its inclusion or exclusion.

Solutions

• vsRisk™ risk assessment software – generates six audit-ready reports, including the RTP and SoA, which can be exported, edited and shared across the organisation and with auditors.  

Checklist

Human error has been widely demonstrated as the weakest link in cyber security. To increase awareness of information security issues and the purpose of the ISMS, all employees should receive regular training.

Solutions

• ISO 27001 Staff Awareness e-learning Course – a cost-effective solution for improving general staff awareness about information security and the ISMS.

Checklist

You must conduct regular audits and tests to ensure controls are working as intended and incident response plans are functioning effectively. The ISMS’s performance should be reviewed by top management at least annually.

Solutions

• ISO27001 Certified ISMS Lead Auditor Online Masterclass – equips you with all the skills to successfully undertake or lead an ISMS audit project. 

Checklist

If your organisation opts for external certification, the body you use must be accredited by a recognised national accreditation body and a member of the IAF (International Accreditation Forum). This provides an independent opinion about your security posture by reviewing your documentation, checking control implementation and performance, and conducting an on-site audit to test procedures. 

Solutions

• Lead auditor training course - our auditor course give you the skills to successfully undertake or lead an ISMS audit project.