Whip your information security into shape with ISO 27001

Mar 22, 2019 | 5 mins

Compliance, Data and Information Security, Regulation

A simple, 9-step checklist for implementing one of the best and most popular information security standards around — and it works for any size business


Every company has sensitive data that needs to be protected. Securing information properly is a challenge that requires careful management of people and assets through the application of clear policies and procedures. Unfortunately, many businesses lack the expertise needed to ensure that information security is a reality.

Researchers at Digital Shadows found that more than 12 petabytes of data, including medical data, payroll information, and intellectual property, are accessible online. That’s more than 1.5 billion files that organizations all over the world have accidentally made publicly available or exposed through unmanaged devices or misconfiguration. The potential cost of data loss is enormous, so it’s vital that companies act to whip their information security into shape.

What is ISO 27001 and what can it do for you?

The International Organization for Standardization (ISO) published ISO 27001 to teach businesses of any size how to manage information security. It offers a methodology devised by the world’s top InfoSec experts. Follow it and you’ll learn what risks are lurking out there and exactly what you need to do to neutralize them.

There are many potential benefits to adopting ISO 27001. The standard will help you comply with regulations and contractual requirements. Certification is a clear signal to everyone you do business with that you take data security seriously and that their data is safe with you.

If you can reduce the risk of incidents, you can save your company a lot of money – the cost of implementing ISO 27001 is a lot lower than the cost of a data breach. By defining procedures and processes properly, it will also help you to build a more robust and organized company where people understand what needs to be done and who is responsible for doing it.

How to implement ISO 27001

Now that you’re convinced of the value of ISO 27001, let’s break it down into nine digestible steps for implementation.

1. Set up a project and define the scope

You need to secure the support of the management team and get a commitment that it will provide the resources and time you need to implement the standard. Pitch the benefits, define the scope, and draw up a detailed project plan that lays out what needs to be done, what staff you need to do it, and how long it will take to complete. Get management to sign off on your project before you begin.

2. Start with an ISMS policy

A high-level Information Security Management System (ISMS) policy is critical at the outset to provide a framework for your project. It doesn’t need to cover everything, but it should provide some context, rules for setting objectives, and the criteria for risk evaluation. This will allow management to steer the project.

3. Perform a risk assessment

Start by laying out a clear set of rules for identifying risks and defining acceptable levels of risk, rules that weigh the probability and potential impact of the various threats and vulnerabilities affecting each of your assets. Use those rules to assess risk and build a comprehensive picture of all the threats to your organization’s information.

4. Select the relevant controls and draft a plan

You now need to cross-reference all your potential risks with the controls defined in Annex A of ISO 27001 and draft a Statement of Applicability. What you’re essentially doing is selecting the controls that are applicable to your organization and discarding what you don’t need. This will give you the beginnings of a concrete plan to address your risks. The next step is to assign the controls to specific people and delineate a timeline and budget for implementation.

5. Consider how to measure effectiveness

It’s very important at this stage that you think about how you’re going to test that the controls have been implemented as intended. There must be clear objectives and a process in place for verifying fulfilment.

6. Implement the controls

You’re ready to put the relevant controls into place. Document every step and draw up all the procedures and policies you’re going to require. ISO 27001 stipulates a long list of mandatory documents that need to be produced. You will also likely need to roll out new technology and make changes to the way things are done that will affect all staff.

7. Start training and awareness

We know security awareness training is vital for any company, but it’s especially important that you combine the implementation of your new security controls, policies and procedures with a clear explanation of why they are required and what they’re intended to do. Make sure that employees understand exactly what is expected of them so that they can modify their behavior accordingly.

8. Monitor, measure and assess

It’s time to cast an eye back to the ISMS policy you drafted at the beginning and monitor the controls in action to see if you have successfully achieved what you set out to achieve. Measure the effectiveness of your new controls and verify fulfilment based on the criteria you set in step 5. Finally, perform a full assessment of the system, documenting everything, and try to expose any areas where you’re falling short.

9. Remediate, rinse and repeat

Examine the issues you found in the last step and assess how best to remediate them. Dig down to the root causes of any problems that arose and implement preventive or corrective measures as appropriate. Remember that measuring, assessing and acting should be an ongoing process if you expect to maintain the standard.

It’s well worth gaining ISO 27001 certification and these steps should help you get there.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Web Security Journal and others.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.