ISO 27001 implementation is not easy, whether or not you have hired a professional to help you. However helpful it might be to find someone who knows their way around ISO 27001 implementation, it is not strictly necessary: all you need is an implementation roadmap and a team of people to help you with the work.
After all, making changes in your company should be treated as another project, not a boring necessity that gets neglected when things get hectic. What are the key points of implementing ISO 27001?
Address Short-Term Attestation Requirements
Before you start working on your ISO 27001 implementation, you need to be able to prove to your clients that your company is secure and that it will remain so during the implementation process. The first thing to do is a vulnerability assessment, in which you check the current state of your security and confirm that the objectives you have been aiming at up to this point are actually being achieved. This gives you the chance to identify any critical risks early on, which makes the whole process easier.
At this stage you also need to produce an SDFD (Secure Data Flow Diagram), which provides evidence that key client risks are being mitigated to an acceptable level by an appropriate security design. By the end of this stage you should also have a preliminary ISO 27001 plan, so that you have something to show clients if they ask for it.
Getting a clear picture of the current state and understanding the gap between the desired and current security state are necessary to properly allocate resources such as personnel, cost and time, and to ensure the project achieves its objectives on time and on budget. Here, defining the ISMS scope will be crucial to optimise the chances of project success. You will also need to carry out a thorough risk assessment and prepare a risk treatment plan. Once all of this is known, develop and execute the roadmap, which is essentially your ISO 27001 implementation.
The plan should revolve around matters such as risks, client concerns, and resource and skill-set availability.
When putting the plan into practice, focus on closing compliance gaps, updating or creating the necessary documentation, and implementing new controls that help you stay on top of all ISO 27001 requirements.
In 2018, you are able to do so using the new ins2outs platform, an innovative tool for ISO management in your company or organization. Learn more: https://ins2outs.com
Operate the environment & certify
Assess the efficacy of the newly created environment, monitor the ISMS, tune controls accordingly, and accumulate audit evidence for attestation and certification. While there are many significant advantages to implementing ISO 27001, most notably demonstrably reducing risk and simplifying information security, for most entities certification is the best proof that you know what you are doing.