ISO 27001
Agenda
What is ISO 27001
The PDCA Model
Steps to achieve ISO 27001 certification
PDCA Model
The "Plan-Do-Check-Act" (PDCA) model applies at different levels throughout the ISMS (cycles within cycles).
The diagram illustrates how an ISMS takes the information security requirements and expectations as its input and, through the PDCA cycle, produces managed information security outcomes that satisfy those requirements and expectations.
[Diagram: PDCA cycle Plan -> Do -> Check -> Act. Input: information security requirements and expectations. Output: managed information security]
Plan (establish the ISMS)
Establish the ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security, to deliver results in accordance with the organization's overall policies and objectives.
Do (implement and operate the ISMS)
Implement and operate the ISMS policy, controls, processes and procedures.
Check (monitor and review the ISMS)
Assess and, where applicable, measure process performance against the ISMS policy, objectives and practical experience, and report the results to management for review.
Act (maintain and improve the ISMS)
Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
10 Steps to Achieve ISO 27001
Step 1: Decision
Senior management need to be behind the decision to pursue ISO 27001 certification. There is definite value in communicating this decision internally: it reinforces the company's aspiration to follow best practice.
What is needed? A concise and positive briefing to senior management outlining the benefits and how certification provides a platform for business growth.
Step 2: ISO Management Representative
The company appoints a responsible and knowledgeable manager to run the programme and its implementation. This person becomes the company's ISO 27001 specialist, understanding the controls and milestones needed to reach certification.
What is needed? Selection of the right individual, with a specific job description and knowledge of ISO 27001 and ISMS requirements.
Step 3: Gap Analysis and Risk Assessment
A gap analysis and a risk assessment are conducted to find out what can go wrong and which threats endanger the confidentiality, integrity and availability of information. The aim is to understand the maturity of the controls already in place within the business and to determine its risk profile.
What is needed? A gap analysis, followed by a risk assessment covering all in-scope people, processes and technology, performed by a qualified assessor. An understanding of control maturity and of the risk profile.
Step 4: Scope & Implementation Plan
Reviewing the output of the gap analysis allows the business to validate the scope of the implementation and its functional and operational boundaries. For each risk identified, appropriate controls are selected to manage the risk in a systematic way, ensuring nothing important is missed. Key milestones, time requirements and dates for any pre-assessment and the staged certification audits are set.
What is needed? A concise step-by-step guide that explains the ISO 27001 process in sufficient detail.
Step 5: Employee Introduction
It is important to engage with employees from the beginning so that they buy into the ISO 27001 certification process and respond appropriately, and so that they understand the individual, company and client benefits.
What is needed? A short, easy-to-understand ISO 27001 and security introduction briefing that focuses on how employees are affected and on their role in a successful implementation.
Step 6: Documentation, documentation, documentation!
ISO 27001 certification requires extensive documentation addressing all relevant milestones and individual controls. This documentation forms the criteria against which the company is measured for conformance with the standard.
What is needed? A set of policies, standards and procedures that ensure the business adheres to all requirements in an efficient and achievable manner.
Step 7: Realisation
With the gap analysis, scope and documentation ready, it is time to embed the new processes into business as usual throughout the company and start realising the benefits of ISO 27001. At this stage it is beneficial to conduct a pre-assessment to confirm the company is on the right track and to validate the evidence collected.
What is needed? Pre-assessment forms, checklists and the gathering of evidence. Communication to staff about the revised processes, the need to adopt them fully, and how to report back on what isn't working.
Step 8: Internal ISO 27001 Audits
ISO 27001 requires an internal audit to assess progress against the milestones and the implementation plan. The auditor completes the audit documentation, assessing the risks, noting the controls in place and the remediation required, to highlight the improvements still needed.
What is needed? An experienced internal or external auditor. Audit tools that include forms, complete audit checklists and audit reports.
Step 9: ISO 27001 Certification
The most important step is to pass the ISO 27001 certification audit. An independent assessor from an accredited certification body audits the ISMS and, if it conforms, the certification body issues a certificate stating that the business meets the ISO 27001 requirements and its selected controls. The appointed internal representative needs to be confident in the process they have followed and consider how best to interact with the assessor.
What is needed? Employee preparation for the ISO 27001 certification audit, including the questions that may be asked and the areas the audit will focus on. An independent assessor from a reputable, accredited certification body.
Step 10: Maintaining the ISO 27001 Certification
It is important to keep the management system working by integrating it into daily operations. The certificate is subject to periodic surveillance audits, so the evidence trail must be kept current, and the business should focus on continual improvement.
What is needed? A reinforcement message to employees. Focus on maintaining the standards through an internal champion. Treat the ISMS as an integral component of the business processes and not as a one-off project.
Questions & Answers