Whip your information security into shape with ISO 27001

A simple, 9-step checklist for implementing one of the best and most popular information security standards around — and it works for any size business

things to do sign list deadlines
Thinkstock

Every company has sensitive data that needs to be protected. Securing information properly is a challenge that requires careful management of people and assets through the application of clear policies and procedures. Unfortunately, many businesses lack the expertise needed to ensure that information security is a reality.

Researchers at Digital Shadows found more than 12 petabytes of data, including medical data, payroll information, and intellectual property, is accessible online. That’s more than 1.5 billion files that organizations all over the world have accidentally made publicly available or exposed due to unmanaged devices or misconfiguration. The potential cost of data loss is enormous, so it’s vital that companies act to whip their information security into shape.

What is ISO 27001 and what can it do for you?

The International Standardization Organization (ISO) published ISO 27001 to teach businesses of any size how to manage information security. It offers a methodology devised by the world’s top InfoSec experts. Follow it and you’ll learn what risks are lurking out there and exactly what you need to do to neutralize them.

There are many potential benefits to adopting ISO 27001. The standard will help you comply with regulations and contractual requirements. Certification is a clear signal to everyone you do business with that you take data security seriously and that their data is safe with you.

If you can reduce the risk of incidents, you can save your company a lot of money – the cost of implementing ISO 27001 is a lot lower than the cost of a data breach. By defining procedures and processes properly, it will also help you to build a more robust and organized company where people understand what needs to be done and who is responsible for doing it.

How to implement ISO 27001

Now that you’re convinced of the value of ISO 27001, let’s break it down into nine digestible steps for implementation.

1. Set up a project and define the scope

You need to secure the support of the management team and get a commitment that it will provide the resources and time you need to implement the standard. Pitch the benefits, define the scope, and draw up a detailed project plan that lays out what needs to be done, what staff you need to do it, and how long it will take to complete. Get management to sign off on your project before you begin.

2. Start with an ISMS policy

A high-level Information Security Management System (ISMS) policy is critical at the outset to provide a framework for your project. It doesn’t need to cover everything, but it should provide some context, rules for setting objectives, and the criteria for risk evaluation. This will allow management to steer the project.

3. Perform a risk assessment

Start by laying out a clear set of rules for identifying risk and defining acceptable levels of risk that weighs the probability and potential impact of various vulnerabilities and threats on different assets. Use your rules to assess risk and build a comprehensive picture of all the threats to your organization’s information.

4. Select the relevant controls and draft a plan

You now need to cross-reference all your potential risks with the controls defined in Annex A of the ISO 27001 and draft a Statement of Applicability. What you’re essentially doing is selecting the controls that are applicable to your organization and discarding what you don’t need. This will give you the beginnings of a concrete plan to address your risks. The next step is to assign the controls to specific people and delineate a timeline and budget for implementation.

5. Consider how to measure effectiveness

It’s very important at this stage that you think about how you’re going to test that the controls have been implemented as intended. There must be clear objectives and a process in place for verifying fulfilment.

6. Implement the controls

You’re ready to put the relevant controls into place. Document every step and draw up all the procedures and policies you’re going to require. The ISO 27001 stipulates a long list of mandatory documents that need to be produced. You will also likely need to roll out new technology and make changes to the way things are done that will impact all staff.

7. Start training and awareness

We know security awareness training is vital for any company, but it’s especially important that you combine the implementation of your new security controls, policies and procedures with a clear explanation of why they are required and what they’re intended to do. Make sure that employees understand exactly what is expected of them so that they can modify their behavior accordingly.

8. Monitor, measure and assess

It’s time to cast an eye back to the ISMS policy you drafted at the beginning and monitor the controls in action to see if you have successfully achieved what you set out to achieve. Measure the effectiveness of your new controls and verify fulfilment based on the criteria you set in step 5. Finally, perform a full assessment of the system, documenting everything, and try to expose any areas where you’re falling short.

9. Remediate, rinse and repeat

Examine the issues you found in the last step and assess how best to remediate them. Dig down to the root causes of any problems that arose and implement preventive or corrective measures as appropriate. Remember that measuring, assessing and acting should be an ongoing process if you expect to maintain the standard.

It’s well worth gaining ISO 27001 certification and these steps should help you get there.

Copyright © 2019 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!