Implementing ISO 27001: A Step-by-Step Guide

Steps to implement ISO 27001

  1. Context Setting
  2. Risk Assessment
  3. Gap Assessment
  4. Documentation
  5. Implementation
  6. Internal Audit
  7. Certification & Closure

Context Setting

What activities you should follow:

  1. Planning
  2. Scoping
  3. Organizational Context Study
  4. ISMS Objectives Definition
  5. ISMS Organizational Definition

These activities should deliver the following:

  1. Project Plan
  2. ISMS scope
  3. Organizational Context
  4. Objectives
  5. ISMS Org Structure

The below templates can be used for documentation purposes:

Risk Assessment

  1. Risk is the ‘effect of uncertainty on objectives’
  2. Risk management involves identifying risks; analyzing, evaluating and treating them; and monitoring & measuring them in order to control and minimize their impact
  3. ‘Risk Owners’ own the risks in their functional areas, and need to apply management principles to address and mitigate those risks

Threats, Vulnerabilities & Risks

Threat: A potential cause of an unwanted Incident, which may result in harm to a System or Organization

Vulnerability: A weakness of an asset or control that could be exploited by one or more threats.

Risk: A combination of the probability of an Event and its Consequence

Risk Assessment is the total sum of

  • Asset Assessment & Valuation
  • Threat Assessment & Valuation
  • Vulnerability Assessment

Risk Analysis: A systematic use of information to identify sources and to estimate the Risk

Types of Risk Analysis – Quantitative & Qualitative
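A worked risk register tying the three assessments above together, added here as an illustration rather than one of the post's templates. The 1–5 scales, the risk-acceptance threshold and the sample scenarios are constructed assumptions; the quantitative method uses the standard annualised loss expectancy (ALE) formula, which the post names only as "quantitative" analysis.

```python
"""Risk register: qualitative score (probability x consequence) plus ALE."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset: str
    owner: str              # the 'Risk Owner' for this functional area
    asset_value: int        # asset valuation, 1 (low) .. 5 (critical) - assumed scale
    threat: str
    likelihood: int         # threat assessment: chance the event occurs, 1..5
    vulnerability: str
    exploitability: int     # vulnerability assessment: how weak the control is, 1..5
    cost_eur: int           # replacement/impact cost for the quantitative method
    exposure_factor: float  # fraction of the asset lost per event (0..1)
    annual_rate: float      # expected events per year (ARO)


def qualitative_score(s: Scenario) -> int:
    """Risk = probability x consequence. Probability blends threat likelihood with
    vulnerability exploitability onto a 1..5 scale; consequence is asset value."""
    probability = max(1, round(s.likelihood * s.exploitability / 5))
    return probability * s.asset_value  # 1..25


def annualised_loss(s: Scenario) -> float:
    """Quantitative analysis: ALE = SLE x ARO, with SLE = cost x exposure factor."""
    single_loss = s.cost_eur * s.exposure_factor
    return single_loss * s.annual_rate


def risk_register(scenarios, accept_below: int = 10):
    """Rank scenarios by qualitative score and flag those that need an entry in
    the Risk Treatment Plan (score at or above the assumed acceptance threshold)."""
    rows = [{"asset": s.asset, "owner": s.owner, "threat": s.threat,
             "score": qualitative_score(s), "ale_eur": annualised_loss(s),
             "treat": qualitative_score(s) >= accept_below} for s in scenarios]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample input (not real assets or measurements)
SCENARIOS = [
    Scenario("Customer DB", "Head of IT", 5, "Ransomware", 4, "Unpatched DB host", 4, 200_000, 0.6, 0.5),
    Scenario("Office Wi-Fi", "Facilities", 2, "Eavesdropping", 3, "Shared pre-shared key", 2, 5_000, 0.2, 1.0),
    Scenario("HR laptops", "HR Manager", 3, "Theft", 2, "Disk not encrypted", 5, 30_000, 1.0, 0.2),
]

if __name__ == "__main__":
    for row in risk_register(SCENARIOS):
        print(f"{row['asset']:<14} score={row['score']:>2} ALE={row['ale_eur']:>9.0f} EUR treat={row['treat']}")
```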

The below templates can be used for documentation purposes:

Gap Assessment

  1. Assessment Planning
  2. Gap Assessment vis-a-vis ISO 27001:2022
    • Documents Audit
    • Practice Audit
  3. Reporting & Presentation
    • Gap Assessment plan (.ppt/.doc)
    • Gap Assessment Report (.ppt/.doc)

Documentation

Development of applicable documents like Policies, Procedures, Templates and Manuals.

Implementation

What activities you should follow:

  • R&R Assignment
  • Role Based Trainings
  • RTP Implementation
  • Go-Live
  • Performance Monitoring
  • Regular mentoring

These activities should deliver the following:

  • Role Based Trainings
  • Go Live of the ISMS

Internal Audit

  • Planning
  • Audit Team Training
  • Documents & Practice Audits
  • Management Reporting
  • Corrective & Preventive actions planning
  • Actions closure coordination

The below templates can be used for documentation purposes:

Certification and Closure

  • Coordination of External Audit by an RCB
  • Corrective actions planning for identified non-conformances
  • Achievement of certification
  • Closure
