ISO 27001 Checklist: 9-step Implementation Guide

Introduction

Implementing ISO 27001 can be a difficult process, but it’s also vitally important to the security of your business. And if you’ve never implemented a management standard before, it might seem overwhelming. However, there are things you can do to make this process easier and more successful for your Organization.

What is ISO 27001?

Before we get into the ISO 27001 checklist, let us first look at what exactly is ISO 27001 Framework.

ISO 27001 is an international standard for Information Security Management. The standard was developed by the International Organization for Standardization [ISO], a Non-Governmental Organization [NGO] that establishes and publishes thousands of standards and other technical documents.

ISO 27001 is intended to be implemented by any Organization that needs to protect the Confidentiality, Integrity and Availability of its information assets. This includes all Organizations regardless of their size, business sector or geographical location. ISO 27001 can also be applied in an outsourced IT Environment where services are provided, or even where you outsource some aspect of your internal processes such as payroll processing or HR Administration.

Implementing ISO 27001 helps you to manage risk and protect your Customers’ data. It also helps you meet regulatory requirements and meet Customer expectations, all of which can help reduce the cost of doing business.

ISO 27001 checklist

As with any implementation of a new system, it is important to plan carefully and involve all the relevant stakeholders. This will help you to ensure that everyone understands their roles and responsibilities when implementing ISO 27001. Let us look at the nine (9) step ISO 27001 Checklist that will help you achieve ISO 27001 Certification.

Step 1. Establish the scope

Establishing the scope of a project is one of the first steps in ISO 27001 implementation. When you define your project’s boundaries, you’re able to clearly outline what activities are within or outside of its purview.

Establishing your project’s purpose and goals is essential to its success. It can help you determine what processes need to be addressed by the security policy and how much time it will take for you and your team members to implement them.

Documenting these items will also help ensure that all parties involved—you, your team members, consultants or contractors working onsite—are clear on what measures need to be taken in order for everyone involved with implementing an Information Security Management System [ISMS] according to international standards like ISO 27001:2013 [ISO].

2. Conduct a risk assessment

A risk assessment is a process of determining the likelihood of an incident occurring and the impact it would have on your business. Threats are considered to be deliberate attempts by people or Organizations to cause harm to your Organization, its reputation or stakeholders. Vulnerabilities are weaknesses that can be exploited by threats, such as weak passwords or unpatched security vulnerabilities in software.

The goal of conducting a risk assessment is to identify areas where you need to take action in order to reduce risks and comply with best practices outlined in ISO 27001. The more complex your Organization is, the more difficult it will be for you to conduct an effective risk assessment.

3. Organize your ISMS and document it

ISO 27001 requires that your Organization implement an ISMS. The ISMS will be used to document your security plan, and it should contain the following sections:

• Management commitment and senior management responsibility.
• Organizational information such as structure and contact information.
• Information security policy that includes items such as acceptable use of IT resources, disciplinary measures, etc. This policy should be documented in writing by the top management or owner of the Organization.

The ISO 27001 standard requires that you keep all documentation up-to-date and accessible to all employees involved in any process related to Information Security. It is advised that you store all documents related to your ISMS in a secure location where unauthorized people cannot access them easily.

4. Implement controls to reduce risk

One of the most important steps in an ISO 27001 implementation is to implement controls to reduce risk. What this means is that you need to plan out how your Organization will manage its Information Security Risks, so that you can prevent or mitigate any negative impacts on your business if a breach occurs.

This is a continuous process; it’s not something you do once and then move on from it. In order for a Company or Organization to be truly effective at managing Information Security Risks, they must have Processes and Procedures in place for assessing new threats and implementing mitigating controls as necessary. The goal here is not just compliance with Standards like ISO 27001—it’s also about keeping your business safe from harm!

5. Monitor and measure the controls

Monitoring and measuring are two important aspects of ISO 27001 Compliance. Monitoring is the continuous process of collecting information about your ISMS, while measurement is the evaluation of that information.

It’s important to remember that monitoring and measurement don’t just happen once; they need to be ongoing throughout the life of your ISMS. You’ll use this data to determine whether or not your controls are working as intended, so it’s important not only to have a system in place for monitoring and measuring but also to make sure it’s working properly.

6. Develop a Continual Improvement Plan

A Continual Improvement Plan is a roadmap for your ISMS. It should be a living document that evolves over time and is reviewed annually or at least once every six months. The plan should include an update schedule, which may be as simple as listing dates on the calendar when updates will occur. It’s also important to keep track of any changes made to the plan so that you can refer back to it in order to determine if there are any issues with your ISO 27001 implementation process.

The following sections can be included in developing a continual improvement plan:

• What is the purpose of this activity? (Why do you need one?)
• Who will be involved in its development? (Who needs input or approval?)
• How often will it be updated?
• How often does it need to be reviewed?
• What are the steps to create this plan? (What does your process look like?)
• How will you keep track of changes that are made? (Who is responsible for making sure new versions are distributed?)
• How will you know when it is time to review the plan again?

7. Gain management approval for the ISMS

Management buy-in is critical to successful implementation of an ISMS. If your management team does not feel that an ISMS will benefit their Organization, they will be less likely to support the resource and time required to implement it. Before you begin, make sure you know how management feels about developing a risk-based information security program and whether they can commit adequate resources toward this goal.

For example, if your Organization has limited budget and staff and is already struggling with compliance requirements such as PCI DSS or HIPAA, pursuing ISO 27001 may be too much for them to consider at this time. You may need to revisit this checklist after gaining more senior leadership buy-in or wait until a later date when additional resources are available.

8. Conduct internal audit, review by management and continual improvement of ISMS

Conduct Internal Audits to assess the current stage of Compliance. The final step to becoming compliant with ISO 27001 is to conduct internal audits. Management should review these audits and determine whether the Organization is ready for certification. If not, then management should decide what needs improvement before another round of audits can begin.

Make appropriate changes to the ISMS when they are required based on the results of internal audits or external audits conducted by an independent body such as an accredited certifier or government regulator/authority.

Review the ISMS periodically to ensure that it remains relevant and current. The frequency of reviews will depend on the level of change within your Organization and the nature of its business environment. It may be necessary to conduct more frequent reviews in some cases, while less frequent audits may be adequate for others.

9. Gain external certification

The final step to gain ISO 27001 Certification is gaining external certification. This is optional, but it can be a very beneficial step in demonstrating your commitment to Information Security and gaining trust from others. When you attain ISO 27001 Certification, you can use the logo on your website or marketing materials to convey your commitment to Information Security. You may also want to consider adding this logo if you have other certifications that demonstrate quality management standards such as ISO 9001 or ISO 14001.

Many companies choose not to pursue external certification because they are concerned that it will cost too much money and take up too much time. However, there are many ways in which you can reduce costs while also making the process more efficient:

• Get quotes from different providers before deciding on one company for all services (audit + management system).
• Find out what level of service each provider offers; some offer only management systems audits while others offer both audit and management system services together.

How to Implement ISO 27001:

The ISO 27001 Checklist provides an insight on what are the requirements on ISO 27001 Standard and how you can implement them in your Organization. In summary:

• Understand the goal of your ISO 27001 implementation and determine whether it is achievable.
• Define a clear target for your ISO 27001 project, including timeframes and resources required to complete it successfully.
• Conduct an audit of your current business processes, focusing on areas at risk of non-compliance with ISO 27001 requirements (for example: policies, procedures or practices).
• Identify gaps between existing systems/processes and what’s required by the standard (best practice) while keeping in mind that they’re not identical; they should be as close as possible to the standard without being overly prescriptive or constraining innovation within your Organization’s culture.
• Develop a plan to close these gaps, including an audit trail that tracks progress.
• Once the gaps are closed, start the external Certification process. The Certification process involves an audit by a third-party auditor to verify that your Organization has met or exceeded the requirements of the standard, and that it’s ready for certification.

What Support Can Neumetric Provide for ISO 27001 Certification?

The ISO 27001 certification process can be daunting, especially if your company has never had to deal with an external accreditation body before. Neumetric helps you understand the requirements of ISO 27001 and how they affect your business. We assist in creating a detailed plan for implementation and maintenance of the standard, and more. Neumetric can provide you with a customized, risk-based approach to your ISO 27001 certification efforts. We’ll work with you to develop a detailed plan of action and provide support throughout the process, including:

• Review of existing processes against ISO 27001 requirements.
• Identify gaps between existing systems/processes.
• Creation of a detailed action plan which outlines how and when changes should be made to meet the requirements of ISO 27001.
• Training on how to implement new processes/systems in accordance with the standard.
• Monitoring and reporting on progress.
• Conduct Risk Assessments for your Organization.
• Conduct regular Internal Audits to make sure your Organization remains compliant with the Standard.
• Co-ordinate and support throughout the entire External Certification Audit Process.
• Continuous improvement of processes as needed (e.g., adding/removing controls, changing the frequency of monitoring and reporting, etc.)

To know more about our ISO 27001 Certification Service and how we make your Organization ISO 27001 Certified, click here.

Conclusion

We hope that this article has given you a good overview of how to implement ISO 27001. It’s not an easy task and it will require a lot of work from you and your team, but if you follow these steps diligently, then we’re sure you’ll be able to achieve certification within 12 months!

FAQs

What are the 14 domains of ISO 27001?

The fourteen (14) Domains of the ISO 27001 Standard are:

• Information security policies
• Organisation of information security
• Human resource security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communication Security
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
• Compliance

What are the 11 clauses of ISO 27001?

The clauses zero (0) to three (3) include the general information about the Standard.

• Introduction
• Scope
• Normative references
• Terms and definitions

The Clauses four (4) to ten (10) are mandatory requirements of the ISO 27001 Standard.

• Context of the Organization
• Leadership
• Planning
• Support
• Operation
• Performance evaluation
• Improvement

What are the mandatory requirements of ISO 27001?

The Clauses four (4) to ten (10) are mandatory requirements of the ISO 27001 Standard. If you are aiming for ISO 27001 certification, these are the documents and processes that need to be created or included in your system.