ISO 27001 is the world's most widely used international standard for managing information security; compliance is maintained through an Information Security Management System (ISMS).
ISO 27001 accreditation strengthens your organisation's image by giving partners and customers confidence that their information assets, such as personal and sensitive data, are being handled properly.
However, successfully implementing ISO 27001 will require some paperwork. Documentation is crucial to keep track of your assets, sources of information, responsibilities and more.
With so much to consider, we have created the following article to give you a complete overview of the ISO 27001 certification journey, and we have included a downloadable documentation checklist as well.
In this Article
- ISMS: What does it mean?
- ISO 27001 Implementation Roadmap
- ISO 27001 Documentation Checklist
- Employees implementing a project: What are their roles?
- How much effort is required to implement and maintain the ISMS?
- How much time is needed for initial implementation?
- What are the key success factors for an ISO 27001 project?
- What are the 4 main advantages of implementing ISO 27001?
- How much does implementation cost?
- What do you need to look for in ISO implementation tools?
ISMS: What does it mean?
An ISMS helps an organisation manage its data so as to ensure its confidentiality, integrity and availability for customers. Policies, procedures and other controls, including people, processes and technology, make up an ISO 27001 ISMS.
You may use the ISO 27001 toolkit to create your ISO 27001 ISMS; it contains all the policies and procedures you'll need.
ISMS implementation can be a time-consuming process with several phases and many people involved, and it can become complicated. Even if certification is not the goal, an organisation that follows the ISO 27001 standard can benefit from the ISMS's best practices.
ISO 27001 Implementation Roadmap
The times shown are estimates based on our experiences working with businesses on ISO 27001 certification. Overall, your commitment as a business is the main factor impacting the time to complete the different steps and getting certified.
Step 1: Assemble your team
For ISO 27001 implementation to be a success, you need a responsible person or project manager to drive the initiative. They will need to assemble a team to ensure that the project has the right support. This team should meet to outline the project goals, vision, and desired timeline. Define the business stakeholders that should be involved, along with team roles and responsibilities.
Estimated Time required: 2 - 4 weeks
Deliverables: Project Team RACI Chart, drafting of Statement of Applicability and Scope of Application documents.
Step 2: Draft your Scope of Application and your Information Security Policy
ISO 27001 doesn’t specify a particular method for implementation. In our experience, the best way to get started is to think about the Scope of Application: should your entire company be covered by the ISMS, or one location, or one service, or some other scope?
Next, create your Information Security Policy, outlining what your team wants to achieve and how. Ensure that senior management fully buys into the policy and supports you with adequate resources. You should also draft documents detailing your company's position on specific issues, for example mobile device management, the physical security of your premises or user access management.
Estimated Time required: 2 - 3 weeks
Deliverables: Information Security Policy, Employee Training Plan, plus designing records for tracking the effectiveness of your procedures.
Step 3: Identify and mitigate risks
Risk assessment is likely to be the most complex task of the entire project. You will need to define the rules for identifying risks, their impact on your business, and the likelihood of them occurring. As a team, you will also need to define the acceptable level of risk. This will vary from company to company depending on your appetite for risk, so try to define a level that you deem acceptable.
Estimated Time required: 4 - 8 weeks
Deliverables: Risk Management Processes, Risk Assessment and Treatment Plans, and an Information Security Controls Gap Assessment.
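To make the risk rules in this step concrete, here is an added example (not part of the original article and not a DataGuard tool) of a minimal risk register in Python. It assumes a 5-point likelihood and impact scale, a risk score of likelihood × impact, and a single acceptable-level threshold that stands for the team's risk appetite; ISO 27001 does not prescribe any of these choices. The assets, threats, controls and numbers are constructed sample data, and the residual-risk reductions attributed to each control are assumptions, not measured values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed 5-point scales; an organisation defines its own wording and levels.
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Assumed risk appetite: scores at or below this level are acceptable without treatment.
ACCEPTABLE_LEVEL = 6


@dataclass
class Control:
    """A planned or existing control and the (assumed) reduction it gives."""
    name: str
    implemented: bool
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: int  # inherent likelihood, 1..5
    impact: int      # inherent impact, 1..5
    controls: List[Control] = field(default_factory=list)


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = likelihood x impact on the 5-point scales; rejects out-of-range values."""
    for value in (likelihood, impact):
        if value not in LIKELIHOOD_SCALE:  # both scales use keys 1..5
            raise ValueError(f"scale values must be 1..5, got {value}")
    return likelihood * impact


def residual_levels(risk: Risk) -> Tuple[int, int]:
    """Likelihood/impact after all listed controls, floored at 1 (risk never vanishes)."""
    likelihood = risk.likelihood - sum(c.likelihood_reduction for c in risk.controls)
    impact = risk.impact - sum(c.impact_reduction for c in risk.controls)
    return max(1, likelihood), max(1, impact)


def assess(register: List[Risk], acceptable_level: int = ACCEPTABLE_LEVEL) -> List[Dict]:
    """Produce risk-treatment decisions and the control gaps for each register entry."""
    results = []
    for risk in register:
        inherent = risk_score(risk.likelihood, risk.impact)
        res_l, res_i = residual_levels(risk)
        residual = risk_score(res_l, res_i)
        gaps = [c.name for c in risk.controls if not c.implemented]
        if inherent <= acceptable_level:
            decision = "accept"     # already within appetite
        elif residual <= acceptable_level:
            decision = "treat"      # planned controls bring it within appetite
        else:
            decision = "escalate"   # planned controls are insufficient; needs more treatment or sign-off
        results.append({"risk_id": risk.risk_id, "inherent": inherent,
                        "residual": residual, "decision": decision, "gaps": gaps})
    return results


def gap_assessment(results: List[Dict]) -> List[str]:
    """Sorted, de-duplicated list of controls that are planned but not yet implemented."""
    return sorted({gap for r in results for gap in r["gaps"]})


# Constructed sample register (illustrative only).
SAMPLE_REGISTER = [
    Risk("R-01", "Staff laptops", "Theft of an unencrypted device", 4, 4,
         [Control("Full-disk encryption on laptops", implemented=False, impact_reduction=3)]),
    Risk("R-02", "Public website", "Defacement of static content", 2, 2),
    Risk("R-03", "HR database", "Unauthorised access by an insider", 3, 5,
         [Control("Role-based access control", implemented=True, likelihood_reduction=1),
          Control("Quarterly access reviews", implemented=False, likelihood_reduction=1)]),
    Risk("R-04", "Backups", "Ransomware with no offline copy", 4, 5,
         [Control("Offline backup copies", implemented=False, impact_reduction=2)]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['risk_id']}: inherent={row['inherent']:>2} residual={row['residual']:>2} "
              f"decision={row['decision']:<8} gaps={row['gaps']}")
    print("Gap assessment:", gap_assessment(assess(SAMPLE_REGISTER)))
```

The three decisions map onto the deliverables above: "accept" entries need only a recorded justification, "treat" entries feed the Risk Treatment Plan, and "escalate" entries show where the planned controls do not yet bring the risk within the agreed level. The list returned by `gap_assessment` is the starting point for the Information Security Controls Gap Assessment.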
Step 4: Implementation of processes
Start to implement your processes such as employee training and awareness programmes, as well as implementing the controls and mandatory procedures. As you gain clarity about your processes, you might need to add documentation or make changes accordingly.
Estimated Time required: 10 - 25 weeks
Deliverables: Information Security Management System (ISMS) manual, new Information Security Policies, updated Internal Information Security Audit Plan, updated Risk Assessment and Treatment Plans, etc.
Step 5: Measure, monitor and review
Check in on what is happening with your Information Security Management System (ISMS). What incidents have occurred, and how many? Did you run all the internal audits? What measures have resulted from them? What KPIs are useful for you to measure? This is where the objectives you set out get tested. Develop a process to determine, review and maintain the necessary requirements to achieve your ISMS objectives.
Monitor, measure, analyse and evaluate your programme. A common metric is quantitative analysis, where you assign a number to whatever you are measuring. Alternatively, you can base the results purely on judgement. We recommend doing this annually at a very minimum, so that you can keep a close eye on the changing landscape of threats and risks.
Estimated Time required: 6 - 12 weeks
Deliverables: Define Information Security Metrics and KPIs, Internal Audit Report, creation of Annual Report, presentation for key stakeholders, Corrective Action Plan(s) and Continual
Step 6: Certification
Once your ISMS is up and running, the next step is to pursue ISO 27001 certification via an external audit. There are several auditing bodies to choose from; UKAS in the UK is a reliable resource to use for more information.
You should consider which auditor has experience in your industry, as they will be able to give you the best feedback. The audit is conducted in two stages. The first stage determines whether or not your ISMS has been developed in line with ISO 27001's requirements. If the auditor is satisfied, they'll conduct a more detailed investigation, including an on-site visit. Be aware that you should be confident in your processes before committing to an audit: you'll still be charged even if you fail the first stage.
Estimated Time required: 4 weeks
Deliverables: Certification Audit Preparation Plan, Corrective Action Plans for Non-Conformities.
ISO 27001 Documentation Checklist
Although ISO 27001 certification isn't always required by law, it does come with several advantages. Certification makes it easy to comply with regulatory obligations, gives verification of your security implementation, and emphasises your company's reliability to your customers.
With so much to think about, we've compiled a downloadable ISO 27001 checklist to give you a comprehensive overview of the paperwork necessary for ISO 27001 certification, with tips on how to prepare it.
Employees implementing a project: What are their roles?
In small to medium organisations, the project manager usually also serves as the security officer, whereas in a large organisation the project manager will only lead the project.
A large organisation will usually have a separate security officer who is responsible for overall security while also participating in the project.
Additionally, whatever the size of your organisation, you will need to involve some of your employees in the following activities:
- Risk assessment – working out how, and to what extent, your data is at risk
- Risk treatment – determining which risk-reduction strategies to use
- Reviewing policies and procedures – ensuring that security policies are in line with current organisation practices
- Approval of security objectives, documentation, and required resources – maintaining alignment and commitment towards the organisation's strategy
Department heads can fulfil the first three roles listed above, whereas the last one will need to be carried out by senior management, such as the CEO, COO or CTO in larger companies.
How much effort is required to implement and maintain the ISMS?
In a larger organisation, the internal project manager of the implementation would need to spend around 25% of their time on the project throughout its duration.
The bigger the organisation, the more time the project manager will need to invest. For example, in an organisation of 500-1000 employees, the project manager would need to work full time on the implementation of ISO 27001.
Larger companies tend to have both a project manager and a security officer, so both will need to spend an equal amount of time on the project.
ISO 27001 does not end with the initial implementation. It is a continuous process in which you are required to maintain and improve the ISMS that was created during implementation.
If your organisation chooses to hire an external consultant for the implementation of ISO 27001, you will only be required to focus on reviewing and approving the documentation. DataGuard can act as your external consultant in such a situation.
How much time is needed for initial implementation?
Once you start your ISO 27001 certification journey, you may find yourself spending the most time on the 'planning' and 'doing' phases of implementation. For example, you may spend your time familiarising yourself with the certification, assembling an in-house or external team to start the process, and working alongside that team to conduct the initial gap analysis.
The estimates below assume that an organisation works alongside an external consultant who helps with the implementation. If your organisation is doing this with an in-house team, it is likely to take much longer.
The time it usually takes to complete the initial implementation varies depending on the size of your organisation:
- Companies of 1-20 employees – Up to 3 months
- Companies of 20 to 50 employees – 3 to 5 months
- Companies of 50 to 200 employees – 5 to 8 months
- More than 200 employees – 8 to 20 months
What are the key success factors for an ISO 27001 project?
Many organisations are unaware that setting up the ISO 27001 project properly from the start is one of the most crucial factors in completing the implementation on time and on budget.
- Management support will be required
This is a process in which you must take an active role: first, you must recognise the relevant advantages for your organisation, and then you must consistently communicate this message to decision makers.
- Study the topic – be knowledgeable
If you have not already implemented ISO 27001 in your organisation, you will need to learn and understand what it is and how to implement it for your particular organisation.
We recently wrote an updated comprehensive article focusing on what ISO 27001 is, as a whole. Visit the article if you want to learn more.
- Run the implementation as a project
Standards such as these take a long time to implement, so plan ahead. If implementation is done carelessly or without clear objectives, you will not only waste time but also miss an opportunity to help your organisation expand and thrive.
- Choosing the right project manager
The person in charge of information security in your firm is the most natural choice to lead the project; there are various titles for this position, such as Chief Information Security Officer (CISO), Information Security Officer (ISO) or Security Manager.
What are the four main advantages of implementing ISO 27001?
While trying to convince your senior management to invest in improving and maintaining information security in your organisation, the first question they may ask is 'why do we need to improve information security in the first place?'
We have put together four key benefits of using ISO 27001 to help you show your senior management the balance and benefit of this investment. They are:
- Meeting compliance requirements
If an organisation needs to comply with a variety of standards relating to data protection and privacy, ISO 27001 can provide an approach that allows it to do so in the most effective manner possible.
- Marketing Edge
In an increasingly competitive market, it might be tough to identify something that will set you apart from the competition in the eyes of potential clients.
ISO 27001 could be a differentiator that sets you apart from the competition, especially if new customers want their data to be handled with care.
- Lowering the Expenses
Information security is usually considered a cost with no obvious financial gain. However, if you take compliance to heart and abide by the regulations, a data breach becomes highly unlikely.
In the event of a data breach you could be fined up to £17.5 million or 4% of annual global revenue, whichever is greater.
- Bringing order to your organisation
ISO 27001 is particularly good at forcing you to define roles and responsibilities across the organisation very precisely, which in turn strengthens your internal organisation right up to senior management.
If you are able to first understand and then communicate the above advantages to your senior management, they will realise that ISO 27001 certification is crucial for any organisation and start getting things in order to work on implementation.
How much does implementation cost?
While determining a precise cost for any compliance certification can be tricky, ISO 27001 is particularly variable. It is advisable that you begin your ISO 27001 compliance journey as soon as possible to minimise the costs associated with deferring ISO 27001.
The real cost of adopting ISO 27001 is determined by the organisation's risk tolerance, that is, the amount of risk it is willing to accept. The three primary costs to consider are the cost of internal and external resources, the cost of implementation, and the cost of certification.
Apart from the above, the total cost of the implementation will depend on the following:
- The size of your organisation or the number of employees.
- The level of importance of information.
- The kind of technology the organisation is using.
- Legislation requirements.
You can learn more about the cost of ISO 27001 certification by reading a more comprehensive article we created on this exact topic.
What do you need to look for in ISO 27001 implementation tools?
If you are planning to work with an internal team without any external support, it is recommended to use an ISO 27001 tool to start and manage the implementation.
However, before deciding on a software solution, keep in mind that not every tool will meet your needs. As a result, you will need to select a tool that has the features you need to move the ISO 27001 project ahead, as well as built-in knowledge on how to meet ISO 27001 criteria.
You need a platform that will:
- Outline the processes for implementing ISO 27001 in your project.
- Provide easy-to-use language in all documentation.
- Fill out the Statement of Applicability automatically based on the risk treatment and needs of interested parties.
- Allow for simple cooperation among those involved in the ISO 27001 implementation.
- Provide a clear picture of the tasks you have received and the duties you have delegated to others, as well as their status.
- Allow automation not just for the initial deployment of the ISMS, but also for its ongoing maintenance.
- Be adapted to the size of your firm, with paperwork and procedure flows tailored to the size of your organisation.
- Provide support from experienced experts if you have questions on how to approach your specific case.
- Educate everyone about security. The point is not only to ask people mechanically to do certain tasks, but also to explain to them why those tasks are needed.
Finally, one of the most significant requirements for choosing an ISO 27001 implementation tool is that it must include built-in expert reasoning on how to properly apply the standard – in other words, it must be created by ISO 27001 experts, not just designers and software developers.
ISO 27001 implementation benefits your customers, as it may improve their trust in your firm and reduce the risk of their personal information falling into the wrong hands. Approaching ISO 27001 certification is easier when your organisation is armed with a structured plan and the advice of an expert.
Whether you require industry-specific information, assistance setting up your ISMS, or assistance preparing for an external audit, DataGuard's InfoSec-as-a-Service is designed to help you along the way. To book an ISO 27001 consultation, get in touch with our experts today.