Copyright © 2013 BSI. All rights reserved.

The journey to ISO 27001 certification

The start of the journey – who will manage this?

So what is the journey to certification?

• At some point the business has a brainwave

• Or a client asks ‘do you have certification to ISO 27001?’

• And of course we don’t

• So what happens next?

• The idea of certification is then bounced around the business – do we need it? What will it cost? Who will do it?

The journey to certification (cont.)

• And then the question is asked: does it belong to the IT Director, the Quality Director or the Security Manager?

• And it lands on your desk, with no background of why and where.

• So what do we do next?

• What are we going to ask?

• Who are we going to turn to for help?

The journey to certification: What are the questions?

• What is this for?

• What money do we have?

• Do we have any resources?

• Is there any training?

• Has anyone looked at the Standard?

• What will be the Scope of the Certification?

• How much time do we have?

The journey to certification: What will we need in the ISMS?

• Security policy

• Organizational security

• Asset classification and control

• Personnel security

• Physical and environmental security

• Communications and operations management

• Access control

• System development and maintenance

• Business continuity management

• Compliance

The journey to ISO 27001 certification: Planning

30/01/2015

Planning phase

We now need to spend time planning the task.

We should spend:

• 80% of our time planning

• 20% of the time implementing

But we spend:

• 20% of our time planning

• 60% of the time fire fighting

• 20% of the time implementing

Which then ends up lasting the life of the system or until our retirement, whichever comes sooner.

Planning phase

• Security policy

• Organizational security

• Asset classification and control

• Personnel security

• Physical and environmental security

• Communications and operations management

• Access control

• System development and maintenance

• Business continuity management, ISO 22301

• Compliance

What are the next steps for implementation?

Project plan

• We will be following a defined project plan

• The plan has 4 stages and 18 defined steps

The journey to ISO 27001 certification

Stage 1: Commitment to implement

Commitment to Implement

The journey to ISO 27001 certification

Stage 2

The journey to ISO 27001 certification: Stage 2

• Receive Training

• Perform Gap Analysis

• Prepare Implementation Project Plan

• Estimate Costs

Where we are …

The journey to ISO 27001 certification

Stage 3

Implement and Operate

• Support Project

• Monitor Project

The journey to ISO 27001 certification

Stage 4

Monitor, Measure and Review

• Management review

• Prepare for Certification

The journey to ISO 27001 certification

Lessons Learned

So what are the lessons learned?

We rarely look at the lessons learned. Let’s look at some of the main lessons for us all.

1. Lack of Commitment

2. Time

3. Resources

4. Scope and boundaries creep

5. Training and awareness – Impact on our process.

6. Project Management – The need for good project management.

The journey to ISO 27001 certification

Certification process with BSI

The registration process

• Obtain quotation and submit application

• Client manager appointed

• System reviewed to ensure the standard's requirements are addressed, and registration assessment planned

• Initial assessment conducted

• Conformity and effectiveness of system to standard assessed

• Corrective action plan (if required) submitted

• Registration confirmed

• Certificate issued

• Continuous assessment programme (3 year cycle)

• Total client care

Consider certification

Contact BSI

• www.bsiamerica.com

• 1-888-429-6178

• Ask your Account Manager

Stage I Assessment

• Documentation Review

• Assessment of the MS Planning and readiness

• Corrective action (if applicable)

• Planning for Stage II

Stage II Assessment

• Assessment of the implementation of the MS

• Assessment of risk management

• Corrective action (if applicable)

• Certification recommendation

Certification

• Clear corrective actions

• Certification review process

• Surveillance assessments

• 3-yearly recertification assessments

Contact Us

Address: BSI Group America Inc.

12110 Sunset Hills Road, Suite 200

Reston, VA 20190

Main Office Telephone: 888-429-6178

Fax: 703 437 9001

Email: Inquiry.msamericas@bsigroup.com

Links: http://www.bsiamerica.com
