Can you explain ISO 27001 simply?
Overview
ISO 27001 is a standard which requires that information is managed in such a way that the Confidentiality, Integrity and Availability (CIA) of data is assured through the implementation of an Information Security Management System (ISMS) built on policies, procedures and, most importantly, risk management. It is not inherently complex, it isn't prescriptive and you can decide on the scope you need to be covered by the standard, but there are a number of components to it and it is a continuous process. To explain it simply, the easiest thing is to walk through the steps logically. Below is a high level list of those steps.
Clause 4 Context of the Organisation
In order to determine the scope and requirements for the implementation of ISO 27001 you need to understand:
• The organisation's products and services.
• The strategy and direction of the organisation.
• The stakeholders: for example, employees & teams in the organisation, clients, vendors, and government agencies.
• Determine and document the scope: the scope doesn't have to cover the whole organisation, it can just cover a specific process, product or service within the organisation.
Clause 5 Leadership
ISO 27001 is a strategic decision which requires resources to implement and maintain; therefore, for a successful and sustainable implementation, managers at the highest levels of the organisation must be committed to the program.
• The commitment must be relayed to the entire organisation.
• The leaders need to create an overarching data policy which covers all types, sources and repositories of data (data objects) and the rules around the confidentiality, integrity and availability of this data.
• Information security should be a part of the operating procedures within the scope. They shouldn't be an afterthought or supplementary to the applicable processes.
• There should be clear roles and responsibilities for data objects. Accountable owners need to ensure that the CIA of the data is monitored, maintained and improved.
Clause 6 Planning
For the determined scope, controls must be identified using a risk based approach.
• Identify risks and opportunities and capture them in a risk register.
• Rate the risks and determine the risk level that will trigger a risk treatment plan - this depends on the risk appetite of the company.
• For the risks to be treated, identify the controls that would best reduce the risk.
• Draft a risk treatment plan.
• Determine your organisation's risk objectives.
The CIA risks of all data assets should be minimised, but your objectives should consider what the most important factors are in relation to business delivery. These could be system uptime, security, data quality, etc. For example, in manufacturing or SaaS companies it might be system uptime, in healthcare it might be data security and in a publishing company it might be data quality.
• Create a project plan for implementing the changes and a continuous improvement plan to sustain the quality of the ISMS.
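As an added example (not part of the original page), here is a small Python model of the Clause 6 steps: a risk register rated by likelihood and impact, weighted by the organisation's objectives (a SaaS company prioritising availability is assumed), with the risk appetite as the threshold that triggers a treatment plan. The asset names, scores, weights and controls are constructed for illustration.

```python
# Added example, not from the original page: a minimal risk register with
# CIA-weighted scoring and a risk-appetite threshold that triggers treatment.
# All asset names, scores, weights and controls are constructed.
from dataclasses import dataclass, field

# Assumption: a SaaS company whose primary objective is system uptime, so
# availability risks are weighted more heavily than the other CIA dimensions.
SAAS_WEIGHTS = {"confidentiality": 1.0, "integrity": 1.0, "availability": 1.5}


@dataclass
class Risk:
    asset: str            # data object or system within the ISMS scope
    dimension: str        # which CIA property is threatened
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)   # candidate controls


def score(risk, weights):
    """Weighted likelihood x impact; the weights encode the business objectives."""
    return risk.likelihood * risk.impact * weights[risk.dimension]


def treatment_plan(register, weights, appetite):
    """Return (risk, score, controls) for every risk above the appetite threshold,
    highest score first. Risks at or below the appetite are accepted, not treated."""
    rated = [(r, score(r, weights)) for r in register]
    to_treat = [(r, s, r.controls) for r, s in rated if s > appetite]
    return sorted(to_treat, key=lambda t: t[1], reverse=True)


# Constructed sample risk register
REGISTER = [
    Risk("customer database", "confidentiality", 2, 5, ["encryption at rest", "access review"]),
    Risk("billing API", "availability", 3, 4, ["redundant instances", "DDoS protection"]),
    Risk("marketing site", "integrity", 2, 2, ["CMS patching"]),
    Risk("backups", "availability", 1, 5, ["restore testing"]),
]

if __name__ == "__main__":
    # With an appetite of 8, only the billing API (18.0) and the customer
    # database (10.0) exceed the threshold and go into the treatment plan.
    for risk, s, controls in treatment_plan(REGISTER, SAAS_WEIGHTS, appetite=8):
        print(f"{risk.asset:18} {risk.dimension:16} score={s:5.1f} controls={controls}")
```

Changing the weights or the appetite value is the programmatic equivalent of the page's point that the treatment trigger depends on the company's objectives and risk appetite.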
Clause 7 Support
A key requirement for an organisation to achieve and retain their accreditation is to demonstrate that the system is continuously being improved. To achieve this, a number of conditions need to exist.
• Resources - maintaining the ISMS requires that people spend time reviewing and maintaining it.
• Competence - the people responsible and accountable for delivering the ISMS have to have the correct level of knowledge and experience in their area.
• Everyone who interacts with the ISMS needs to be trained on the documented standard operating procedures to ensure the right quality is maintained.
• Everyone in the organisation has to be aware of the security objectives and that they should always consider security in their normal work.
Clause 8 Operations
The goal is for the ISMS to be a natural part of business operations rather than discrete activities whose only purpose is meeting ISO 27001 requirements.
• For example, SOPs for business operations can be updated to include ISMS actions as part of the workflows.
• Risk management should be an ongoing activity: risks should be logged as they arise and reviewed by the directors on a frequent basis; the suggested minimum is once a quarter.
This is a high level summary of the implementation of ISO 27001.
Can I implement ISO 27001 myself?
You can implement ISO 27001 yourself. You can purchase the tools and templates from this website very cost effectively: ISO 27001 Templates Store - Do It Yourself ISO 27001 Templates (hightable.io).
Best Practice
You can implement ISO 27001 and get accreditation to tick the box and look good on your website. That is a perfectly valid approach and will open doors to new clients. However, to really benefit from the standard, to reduce firefighting and add resilience to your organisation, you need to embrace it fully and give your team members the capacity to properly maintain and improve the system as part of their role. This costs money, but it should be viewed as an investment: focussing on clearly defined objectives, creating policies, documenting procedures and managing risk will pay dividends in efficiency and efficacy. You will reduce incidents, and therefore firefighting, and you will be well prepared to deal with any events that you could not predict, whether that be something negative or an unexpected opportunity.