Build and manage your Information Security Management System (ISMS) and establish ISO27001 accreditation
Why is information security important?
Information is now widely regarded as one of the organisation’s most valuable and unique assets.
So, keeping your information secure just makes great business sense.
Some key benefits:
- Increases customer trust
- Preservation of brand reputation and standing in the industry
- Reduces business risk and cost of disruptive security events
- Improves operational resilience against disruptive events like cyber attacks
- Protection of intellectual property
- Reduces insurance premiums
- Improves employee knowledge of security via training – a key part of your defences
- Indicates that security is taken very seriously and has been audited by an independent third party against a globally recognised standard
Where are we now?
Start with an Information Security Gap Analysis
This process has several objectives:
- To convey an understanding of the ISO 27001 framework, supported by some reference documentation
- To produce a report on the status of your organisation against the ISO 27001 standard
- To provide recommendations for action and an indication of possible next steps
What should we do next?
Next, we provide a breakdown of each area of the ISO 27001 standard.
This defines:
- your current position,
- examples of evidence required for certification,
- and recommended actions
You’ll be able to see where the big gaps are and work out what you should deal with first.
High level action plan
The set of actions that the client needs to undertake are grouped by ISO 27001 subject area in Section 2.
The list has been ordered by likely sequence of execution, whilst noting that some actions may be performed in parallel, and each action given a comparative effort size estimate. Further analysis and project planning would be required to provide more accurate estimates and is also dependent on resource availability and knowledge.
Note this is a plan to get to initial certification, there will also be an ongoing commitment to maintain and improve the ISMS, so it continues to retain its certification and provide benefits to the client. Finally, this high level action plan covers all the identified gaps that need remediation. It does not specifically include the integration of existing client governance structures into the ISMS.
How are we going to get there?
We provide a high-level implementation process flow and describe all the key supporting requirements.
An average ISO 27001 implementation takes 9 to 12 months.
Other key considerations include:
- Internal cost of employee time
- Potential for new systems
- Project Management – internal/external/internal with external consultancy assistance?
- Implementation options – internal only/internal with external consultancy assistance?
Who needs to be involved?
The security of your information is everyone’s business, so at a high level everyone is involved, i.e., they receive job appropriate security training
For implementation, certification and ongoing maintenance, this will typically involve:
- Senior Management, including a project sponsor
- IT
- HR
- Business Projects Team
- Facilities
- QA including supplier/vendor management
- Legal
- Risk and Compliance
