
TEN STEPS TO INFORMATION SECURITY WITH ISO 27001

In this guide, you will learn step by step how to implement an information security management system.
1. STUDY 27001
Start by familiarising yourself with the standard and its purpose. It is not uncommon for organisations to introduce an information security management system before they have a full understanding of what the standard is about and what it requires. It is then easy to use the standard as a checklist of requirements to be ticked off, and with this strategy you can easily spend time preparing documentation that ISO 27001 does not require. In addition, you risk meeting the requirements of the standard only partly, and the work becomes unsystematic. Preparation is essential for a successful certification.

2. ENSURE THAT MANAGEMENT IS INVOLVED AND HAS APPROVED THE PROJECT
Success requires that management is involved and committed. Management must commit to plan, implement, monitor, review, maintain and continually improve the management system. Management should also ensure that resources are available to work with the information security management system and that the employees responsible for developing, implementing and maintaining the system have the necessary competence and receive appropriate training. With these prerequisites in place, you can:
- Develop an information security policy
- Determine objectives and plans relating to information security
- Define and allocate roles and responsibilities within information security

3. DETERMINE POLICY AND SCOPE OF THE INFORMATION SECURITY
When management is involved and committed, work with the information security management system can start. In this step the company determines the scope of the information security management system. You need to define:
- A policy for information security
- Objectives for information security
- Clear roles and responsibilities with respect to information security
When these issues are defined, you need to decide which parts of the organisation should be included in the management system: areas, locations, resources, techniques etc.

4. CHOOSE A METHOD FOR RISK ASSESSMENT
A risk assessment will help you identify potential information security risks, how they can affect your sensitive information and the probability of these security risks becoming a reality. The choice of risk assessment model is one of the most important elements when implementing an information security management system. The standard does not specify which risk assessment model should be used. Instead, the standard requires that the chosen model works to:
- Assess risks related to confidentiality, integrity and availability
- Set goals to keep risks at an acceptable level
- Establish criteria that define when a risk is acceptable
- Assess risks

5. IDENTIFY, ANALYSE AND ASSESS RISK
When the risks have been identified they need to be analysed and assessed:
- Evaluate how the organisation would be damaged if the identified security risks became a reality.
- Evaluate what the consequences would be if the confidentiality, integrity or availability of your assets (information resources) were compromised or damaged.
- Complete an estimate of the different risk levels.
- Determine whether the risks are acceptable or require action, following the previously defined criteria for acceptability.
Choose one of the following actions:
- Accept the risk, for example if the actions are too costly or if it is not possible for the organisation to take action (for example in the event of natural disasters or political revolutions).
- Transfer the responsibility for the risk to someone else, for example an external provider or an insurance company.
- Enable control mechanisms to keep the risk at an acceptable, low level.

6. DEFINE ACTIONS AND OBJECTIVES FOR RISK MANAGEMENT
To meet the requirements identified during the risk assessment process, objectives and actions must be identified and implemented. This identification needs to take into account the criteria for acceptable and unacceptable risks as well as legal, regulatory and contractual obligations.

7. FINAL IMPLEMENTATION OF ISO 27001
Implement a plan that includes:
- A description of the risk management, giving the management actions, resources, responsibilities and the order of priority for actions with respect to information security.
- A risk management plan to reach the objectives. This includes both funding and allocation of roles and responsibilities.
- The measures necessary to meet the objectives.
- Training.
- Implementation of the management system and resources.

8. EDUCATE EMPLOYEES AND ALLOCATE RESOURCES
Sufficient resources (staff, time and money) must be assigned to implement an information security management system and the associated security measures properly. It is also important that employees who work with the information security management system (for example with system maintenance, documentation and security) receive correct training.
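As an added illustration of steps 4 to 6 (example code, not part of the DNV guide), the following Python sketch scores each risk from its likelihood and the worst-case impact on confidentiality, integrity and availability, applies an acceptability criterion, and picks one of the three treatments described in step 5; the resulting register is sorted into the order of priority that step 7 asks for. The 1-5 scales, the acceptance threshold and the sample risks are constructed assumptions; a real ISMS defines its own.

```python
from dataclasses import dataclass

# Constructed 1-5 ordinal scales (assumption): likelihood 1 = rare .. 5 = almost
# certain; impact 1 = negligible .. 5 = severe, rated separately for C, I and A.
@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact_c: int           # impact if confidentiality is lost
    impact_i: int           # impact if integrity is lost
    impact_a: int           # impact if availability is lost
    control_feasible: bool  # can a control bring the risk to an acceptable level?
    transferable: bool      # can the risk be insured or passed to a provider?

    def level(self) -> int:
        # Risk level = likelihood x worst-case impact across C, I and A.
        return self.likelihood * max(self.impact_c, self.impact_i, self.impact_a)

@dataclass
class AcceptanceCriteria:
    # Assumed acceptability criterion: risk levels below this need no action.
    accept_below: int = 6

def treatment(risk: Risk, criteria: AcceptanceCriteria) -> str:
    """Return one of the three treatments from step 5 for a single risk."""
    if risk.level() < criteria.accept_below:
        return "accept"      # already at an acceptable level, no action needed
    if risk.control_feasible:
        return "control"     # step 6: define a control to reduce the risk
    if risk.transferable:
        return "transfer"    # e.g. insurance or an external provider
    return "accept"          # no feasible action; accepted by management

def prioritised_register(risks, criteria):
    """Register sorted by risk level, giving the order of priority for step 7."""
    ordered = sorted(risks, key=lambda r: r.level(), reverse=True)
    return [(r.asset, r.threat, r.level(), treatment(r, criteria)) for r in ordered]

# Constructed sample risks for a fictional organisation.
SAMPLE_RISKS = [
    Risk("customer database", "SQL injection via web app", 4, 5, 4, 2, True, False),
    Risk("office file server", "flood at primary site", 2, 1, 2, 5, False, True),
    Risk("head office", "earthquake", 2, 1, 1, 5, False, False),
    Risk("public website", "defacement", 2, 1, 3, 2, True, False),
]

if __name__ == "__main__":
    for asset, threat, level, action in prioritised_register(SAMPLE_RISKS, AcceptanceCriteria()):
        print(f"{level:>3}  {action:<8} {asset}: {threat}")
```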

9. INTERNAL AUDITS, MANAGEMENT REVIEW AND IMPROVEMENTS
To ensure that the information security management system is and remains effective, the standard includes the following requirements:
- Execute internal audits.
- Management must carry out regular evaluations of the information security management system to ensure that the system remains complete and to facilitate finding improvements in the information security management system procedures.

10. START YOUR ROAD TO CERTIFICATION EARLY AND CONSIDER A PRE-ASSESSMENT
The certification process can take a few months, from the request for quote until the certification audit is completed. Please contact us at DNV Business Assurance early (during step 9) to request a quote for the entire certification process. It is common that much energy is devoted to perfecting things that already work well, while other, essential elements don't get the attention they need. Plan an external pre-assessment a few months before the certification audit, even if your management system is not completely finished. Identifying areas of non-conformance at an early stage will allow you to correct them before you move on to the certification audit. Keep in mind that the management system does not have to be perfect for the first audit - it is enough that all elements are compliant with the requirements of the standard. Notify DNV Business Assurance that the pre-assessment should be included in the contract and schedule it for the last phase of step 9.

CONTACT DNV BUSINESS ASSURANCE
Send us a request for quote as soon as you have an understanding of how long it will take before the requirements of the standard can be finalised.
Request for quote: dnvba.com/contact

WHY PARTNER WITH US?
DNV Business Assurance is a world leading certification body. We work with our customers to assure the performance of their products, processes and organisations through certification, assessment and training services. Our services help customers build stakeholder trust and create a platform for sustainable business performance.

www.dnvba.com
