15 Steps for Implementation of ISO/IEC 27001:2013

Starting the implementation of ISO/IEC 27001 may seem like a daunting task for any organization. There is, however, a systematic route, which involves 16 steps that you can follow to make the process less frightful. Let’s discuss them:

1. Management support

For a successful implementation of this standard, management must support it. Many organizations fail because the task is not taken seriously, or because management does not provide enough people and resources to carry the implementation through.

2. Look at it as a project.

Apply the principles of project management to navigate the implementation successfully. ISO/IEC 27001 has many moving parts, from people to activities; if responsibilities and targets are not clearly defined, the effort quickly becomes more complex than it needs to be.

3. Be clear on the scope.

How far do you want to implement your Information Security Management System (ISMS)? If your organization is vast, will you implement it throughout or in only one area? Define the scope of implementation early on to determine how much you will need to do.

4. Come up with an information security policy.

An information security policy or ISMS policy is the highest level internal document in your system. This document should, therefore, define the basic requirements for information security in your company.

5. Figure out how you will assess risk and what method you will use

To avoid getting unusable results, your organization will need to define a method for identifying risks and for estimating their impact and likelihood. Your organization also needs to specify the acceptable level of risk.

6. Perform risk assessment and treatment

After risk identification, your organization will need to perform the risk assessment to get a clear picture of any danger your organization faces internally and externally. Use risk treatment to mitigate the risks that are not acceptable.

7. The statement of Applicability

Also referred to as the SOA, this document lists the controls considered for implementation, separating those that apply to your organization from those that do not. Once you have completed risk assessment and treatment, start writing the SOA.

8. Write down the risk treatment plan.

This document details how the controls in the SOA will be implemented, who will implement them, and with what budget.

9. How will you measure the effectiveness of controls?

Define how you will measure the effectiveness of your Information Security Management System. Here, you need to know whether the objectives are met.

10. Implement controls and procedures

Kick off the implementation. This will involve a complete shift in the company’s behavior, so be mindful as you go about it.

11. Training and awareness

To make this change in behavior seamless and less disruptive, offer training and awareness sessions on the ISMS implementation; this is an excellent way to keep your team together and motivated.

12. Use your ISMS

Here, ISO/IEC 27001 is adopted into your organization’s routine. Keeping sufficient records is bound to support this.

13. Monitor your system

How effective is your system? What are the incidents and their frequency? Are all procedures being adhered to?

14. Internal audits

Internal audits are an excellent tool for finding existing and potential problems that would otherwise spell disaster for your company. Use them at this point of the implementation.

15. Management review

The management will have the opportunity to review the effectiveness of the system. They can now verify whether everyone was on board, and if the ISMS is achieving the desired results.

Implementation of ISO/IEC 27001 is a herculean task. However, with the right guidance, your organization will be on its way to earning its certification. Consult a specialist.
