Jun 06 2024

How to Implement ISO 27001: A 9-Step Guide

Category: Information Security,ISO 27kdisc7 @ 8:47 am

How to Implement ISO 27001: A 9-Step Guide

The hardest part of many projects is knowing where to start.

ISO 27001 is no exception. This standard describes best practice for an ISMS (information security management system).

In other words, it lays out the requirements you must meet, but doesn’t show you the how. How you can adopt or implement them.

With ISO 27001:2013 certification no longer available, many organisations are preparing to adopt the 2022 version of the standard – which means tackling a new Annex A control set, among other new requirements.

ISO 27k Chat bot

1. Project mandate

The implementation project should begin by appointing a project leader.

They’ll work with other members of staff to create a project mandate, which is essentially a set of answers to these questions:

  • What do we hope to achieve?
  • How long will the project take?
  • Does the project have top management support?
  • What resources – financial and otherwise – will the project need?

2. Develop the ISO 27001 implementation plan

The next step is to use your project mandate to create a more detailed outline of:

  • Your information security objectives;
  • Your project risk register;
  • Your project plan; and
  • Your project team.

Information security objectives

Your information security objectives should be more granular and specific than your answer to ‘What do we hope to achieve?’ from step 1.

They’ll inform and be included in your top-level information security policy. They’ll also shape how the ISMS is applied.

Project risk register

Your project risk register should account for risks to the project itself, which might be:

  • Managerial – will operational management continue to support the project?
  • Budgetary – will funding continue to see the project through?
  • Legal – are specific legal obligations at risk?
  • Cultural – will staff resist change?

Each risk in the register should have an assigned owner and a mitigation plan. You should also regularly review the risks throughout the project.

Project plan

The project plan should detail the actions you must take to implement the ISMS.

This should include the following information:

  • Resources required
  • Responsibilities
  • Review dates
  • Deadlines

Project team

The project team should represent the interests of every part of the organisation and include various levels of seniority.

Drawing up a RACI matrix can help with this. This identifies, for the project’s key decisions, who’s:

  • Responsible;
  • Accountable;
  • Consulted; and
  • Informed.

One critical person to appoint and include in the project team is the information security manager. They’ll have a central role in the implementation project and eventually be responsible for the day-to-day functioning of the ISMS.

3. ISMS initiation

You’re now ready to initiate your ISMS!

Documentation structure

A big part of this is establishing your documentation structure – any management system is very policy- and procedure-driven.

We recommend a four-tier approach:

A. Policies
These are at the top of the ‘pyramid’, defining your organisation’s position and requirements.

B. Procedures
These enact the requirements of your policies at a high level.

C. Work instructions
These set out how employees implement individual elements of the procedures.

D. Records
These track the procedures and work instructions, providing evidence that you’re following them consistently and correctly.

This structure is simple enough for anyone to grasp quickly. At the same time, it provides an effective way of ensuring you implement policies at each level of your organisation. Plus, that you develop well-functioning, cohesive processes.

Tips for more effective policies and procedures

Your policies and procedures must also be effective. Here are four tips:

  1. Keep them practicable by balancing aspirations against the reality. If your policies and/or procedures appear too idealised, staff will be much less likely to follow them.
  2. Keep them clear and straightforward, so staff can easily follow your procedures.
  3. Use version control, so everyone knows which is the latest document.
  4. Avoid duplication. This will also help with the version control.

Make sure you systematically communicate your documentation – particularly new or updated policies – throughout your organisation. Be sure to also communicate them to other stakeholders.

Continual improvement

As part of your ISMS initiation, you’ll need to select a continual improvement methodology.

First, understand that continual improvement might sound expensive, but is cost-effective if done well. As ISO 27001 pioneer Alan Calder explains:

Continual improvement means getting better results for your investment. That typically means one of two things:

1. Getting the same results while spending less money.
2. Getting better results while spending the same amount of money.

Yes, you need to be looking at your objectives, and asking yourself how well your ISMS is currently meeting them. And where your management system falls short, money may have to be spent.

But many improvements have little financial cost. You can make a process more efficient – perhaps by cutting out a step, or automating some manual work.

While continual improvement is a critical element of an ISO 27001 ISMS, the Standard doesn’t specify any particular continual improvement methodology.

Instead, you can use whatever method you wish, so long as it continually improves the ISMS’s “suitability, adequacy and effectiveness” (Clause 10.1). That can include a continual improvement model you’re already using for another activity.

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

Key strategies for ISO 27001:2022 compliance adoption

What is ISO 27002:2022

ISO 27k Chat bot

Implementation Guide ISO/IEC 27001:2022

Please send an email related to ISO27001:2022 implementation to info@DeuraInfoSec.com and we are happy to help!

ISO 27001 Controls Handbook: Implementing and auditing 93 controls to reduce information security risks

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Implement ISO 27001, ISO 27001 2022

May 16 2024

ISO 27001 Standard, Risk Assessment and Gap Assessment

Category: ISO 27kdisc7 @ 10:45 am

The core section of the standard retains its 11 clauses with minor modifications, while significant structural revisions have been implemented in the Annex A controls. Control categories have been rearranged, resulting in a reduction in the total number of controls. Broadly speaking, 11 new controls have been added, 57 controls have been consolidated, 23 controls have been rebranded, and three controls have been eliminated. The introduction of these 11 new controls underscores the heightened significance of Cloud, DevOps, and Personal Information, which have evolved over the past decade.

  • A.5.7 Threat intelligence 
  • A.5.23 Information security for the use of cloud services 
  • A.5.30 ICT readiness for business continuity 
  • A.7.4 Physical security monitoring 
  • A.8.9 Configuration management 
  • A.8.10 Information deletion 
  • A.8.11 Data masking 
  • A.8.12 Data leakage prevention 
  • A.14.1.4 Secure development policy 
  • A.16.2.4 Security of supplier services 
  • A.18.2.3 Protection of personal information in public clouds 

ISO 27002:2022 has three control types, #Preventive, #Corrective and #Detective. Some of these controls share more than one control types. There are total 12 Detective, 13 Corrective, and 83 Preventive controls and 15 controls (12+13+83 = 108 -15 = 93) which share more than one control type in ISO 27002:2022 latest guidance. If you like to know more about how and when to start complying with new and latest control guidance, please contact us to book an appointment to discuss the details, how DISC llc can assist your organization with ISO 27001 compliance or certification plans. 

for more details: iso-27001-assessment

To download and review the standard: COPYRIGHT PROTECTED DOCUMENT

ISO 27001 Controls Handbook: Implementing and auditing 93 controls to reduce information security risks

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: ISO 27001 2022

Feb 09 2024

Key strategies for ISO 27001:2022 compliance adoption

Category: Information Security,ISO 27kdisc7 @ 1:18 pm

In this Help Net Security interview, Robin Long, founder of Kiowa Security, shares insights on how best to approach the implementation of the ISO/IEC 27001 information security standard.

Long advises organizations to establish a detailed project roadmap and to book certification audits at an early stage. He also recommends selecting an internal team that includes a leader with the ISO 27001 Lead Implementer qualification and suggests that in some cases, the best approach to the standard may be to start by prioritizing a limited number of “security wins” before embarking on full implementation.

A few general points about ISO 27001, before getting onto the questions:

1. The documentation behind ISO/IEC 27001:2022 (“ISO 27001”) is broken into two main parts: ISO/IEC 27001 itself, which contains the primary guidance, and a ‘guidance document’ called ISO/IEC 27002, which lists suggested information security controls that may be determined and implemented based on the risk analysis that is carried out according to the requirements of the primary document.

ISO 27001 is also supported by the other standards ISO/IEC 27000:2018 (IT security techniques) and ISO/IEC 27005:2022 (Information security, cybersecurity, and privacy protection), among others.

All these are developed and maintained by the International Organization for Standardization (ISO), which is based in Geneva, Switzerland.

2. Although there are a number of things that you are obliged to do if you’re seeking certified conformity to the standard, it is actually quite flexible about the details. Even the “requirements” – the obligatory clauses in the 27001 document – generally allow a fairly broad range of interpretation. This makes sense when you think that ISO 27001 has been developed as a one-size-fits-all system for all types and sizes of organization that handle sensitive information.

When you look at it like that, it immediately becomes less intimidating.

3. If you decide to go ahead and implement ISO 27001, it’s highly recommended to put together a detailed road map that defines targets of what should be achieved by what date in the timeline of the project (Gantt charts are good for this – look them up!). This helps to keep the project under control and reduces the risk of time and budget overrun. Breaking the project up into weekly components also makes it less daunting.

4. You’ll also need to define a (small) group of people to carry out, maintain and be accountable for implementation of the standard. You might call this the ‘ISMS Team’ (where ISMS means Information Security Management System, another way to describe ISO 27001). This team should ideally incorporate expertise and experience in IT, business development and data protection, and have a channel to senior management.

How do you recommend organizations approach understanding and implementing ISO 27001’s wide range of controls and requirements, especially those new to information security management?

As a consultant myself, I’m aware of the conflict of interest, but I have to say that I do think it makes sense to hire external advice for assistance with implementation of ISO 27001, for internal audit, and interaction with certification auditors.

One of the main responsibilities of such an advisor is to assist with understanding of the standard and information security management generally, at both high and low levels. The range of ISO27002 controls – for example – is wide indeed, but a competent consultant will break them down into manageable portions that are taken on one by one, in a carefully planned order.

Whether or not you decide to hire a consultant, it’s a pretty good idea also to send the leader of the ISMS Team on an ISO2 7001 Lead Implementer (LI) course. These courses typically run for about three days, and they are helpful. Note that ISO 27001 requires the organisation to provide evidence of the competence of key participants in the project, and the LI qualification for a team member indicates a reasonable degree of knowledge and commitment regarding the standard.

Of course, there are also a number of helpful online resources including the ISO27k Forum.

Implementing ISO 27001 can be resource-intensive. What advice do you have for organizations, particularly SMEs, in effectively allocating resources and budget for ISO 27001 implementation?

It’s true that implementation of ISO 27001 necessarily consumes resources, in terms of money and other assets – particularly people’s time. The critical question is whether the resource cost is offset by perceived gains, and this is largely about efficiency of allocation. Among other methods that we can use to attempt to optimise this are:

1. Use of a roadmap – as mentioned above – that takes the organisation all the way through to the two-stage certification audit process at a granular (weekly) level.

2. Early selection of the certification auditor and agreement of tentative dates for the certification audits. The benefits of doing this include the psychological one of getting an end date in the diary to help define the project roadmap. The cost of certification audits is also an important part of the overall budget, and the certification body will provide quotes for these at this stage.

Note that along with the two initial certification audits, there are a couple of (roughly annual) surveillance audits and a recertification audit after three years. These audits all cost money, of course, and require budgeting.

3. Watching out for some of the less obvious costs, including the potential charges associated with:

  • Legal work on modifications/additions to employment contracts, NDAs etc.
  • Pen testing/vulnerability scanning if necessary
  • Software that you choose to install e.g., anti-malware, IDS, etc.
What strategies can be employed to convince top management of the necessity and benefits of ISO 27001 compliance?

Consultancy companies love to answer this question – on their websites – with a list of bullet points.

However, I can tell you that in nearly all cases there is just a single key factor at play, and it is a commercial one: Potential important clients or partners have been identified that require certification to the standard. Organisations that operate in sensitive sectors (finance, critical infrastructure, healthcare…) have already learned this or are in the process of learning it, and don’t need to be told about it. If they don’t know, then by all means tell them!

Other reasons that I consider completely valid and credible include:

  • Perceived improvement in the level of an organisation’s information security provides assurance to other stakeholders apart from clients – investors, senior management, regulators, suppliers and so on – regarding information security risks to the organisation.
  • Implementation of ISO 27001 can help smaller companies with their expansion. For example, it can help with the development of sound HR policies, with procedures around business continuity, disaster recovery and change management, and several other areas.
  • Note that ISO 27001 isn’t by any means just about personal data but is also concerned with other types of sensitive information, in particular intellectual property or “IP” (including trade secrets and source code). For many tech start-ups, these are the main assets of the business, and need to be well protected.
Risk management and performance evaluation are critical yet challenging aspects of ISO 27001. How should organizations approach these elements to ensure an effective Information Security Management System (ISMS)?

These are indeed arguably the core areas of ISO 27001. Among the critical things to remember regarding risk assessments are:

  • You should really at least try to come up with all the possible information security risks (internal and external) that are or might be faced by your organisation. This is best done by brainstorming in a group based around the ISMS Team.

ISO 27001 fundamentally breaks down to: “What information security risks do we face? How should we best manage them?”

  • Just as the chicken may come before the egg, note that what should happen in this case is that you identify the risks first and then select the controls that help to manage those risks.

You definitely don’t have to apply all of the controls, and nearly all organisations treat some, validly, as non-applicable in their Statement of Applicability. For example, businesses where all employees work remotely simply don’t have the full range of risks that can benefit from mitigation by the physical controls.

When it comes to performance evaluation, it’s largely a case of working through the relevant clauses and controls and agreeing how good a job the organisation is doing trying to meet the associated requirements. The ones that are selected for monitoring, measurement and evaluation will depend on the type and size of the organisation and its business objectives. These are basically key performance indicators (KPIs) for information security and might include supplier evaluations and documented events, incidents, and vulnerabilities.

Specifically for cloud solutions like Microsoft 365, what unique challenges do organizations face in implementing ISO 27001, and how can they be addressed?

The switch towards remote working and use of cloud resources has been quite disruptive for ISO 27001. The 2022 version has been somewhat adapted (via modifications to the controls) to reflect the change in working conditions. However, it still gives a lot of attention to traditional physical places of work, networks, and pre-SaaS style suppliers.

The big switch away from locally downloaded software to cloud services means that we need to take advantage of the flexibility of ISO 27001 to interpret the 27002 controls in a corresponding way, for example:

  • Thinking less about networks and more about secure configuration of cloud resources.
  • Focusing on aspects of the ‘supplier relationships’ controls that are relevant to SaaS suppliers.
  • Remembering that if cloud resources are very important for handling and storage of sensitive data in your business, then the new control 5.23 (Information security for use of cloud services) is correspondingly important for your business and must be tackled carefully and rigorously. It almost definitely applies to you – and there’s a lot there.
  • Note that business continuity/disaster recovery for an organisation with employees that work remotely using cloud services becomes largely a question of how the relevant cloud provider(s) manage backups, redundancy of storage/compute etc.
ISO 27001 requires a commitment to continuous improvement. How should organizations approach this, particularly regarding incident management and response?

This is an enigmatic section of clause 10 (Improvement) that organisations tend to struggle with (the second part is about dealing with non-conformities and is much clearer regarding what needs to be done).

It seems to me that the best approach is to raise the question of ‘how can we make the ISMS better?’ at the periodic ISMS management meetings, come up with some examples whereby this may be achieved and then provide any observed progress in the right direction. That means that by the time of the first follow-up (surveillance) audit you should be able to present a list of several potential improvements along with how they are being achieved.

I’d like to finish up by mentioning that nothing stops your organisation implementing ISO 27001 without getting the certification, or even doing a partial implementation. Many businesses like the concept of ISO 27001 but aren’t quite ready to commit fully. In that case, I highly recommend the following implementation model:

1. Decide which areas of information security are priorities for your organisation in terms of incremental increase in security, resources (money, time, personnel) required and ease of implementation. You can call these your ‘lowest-hanging security fruit’ if you must. Possible examples include access control, HR security or endpoint security.
2. Work through these one by one according to the relevant 27002 controls.
3. Once you have the highest priority areas covered off, start working on lower levels of priority.
4. After a few months of this, you may feel that ISO 27001 isn’t quite so formidable, and that you are ready to tackle it. Go for it!

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: ISO 27001 2022, ISO 27001 compliance

Sep 10 2023

ISO 27k1/2 Transitioning to the 2022 standards

Category: ISO 27kdisc7 @ 8:08 am

Implementing and auditing an Information Security Management System in small and medium-sized businesses

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: ISO 27001 2022, ISO 27002 2022

Jul 12 2023

What is ISO 27001 and in What Situation this Cert will be appropriate?

Category: ISO 27kdisc7 @ 2:42 pm

ISO 27001 is an internationally recognized Information Security Standard that is widely acclaimed. It is published by the International Organization for Standardization (ISO) and provides a certifiable framework comprising security policies and procedures. The standard aims to assist organizations in safeguarding their data by implementing an Information Security Management System (ISMS).

To obtain ISO 27001 certification, organizations must fulfill the requirements for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS) that aligns with their specific business needs. The ISO 27001 standard consists of two distinct parts: Clauses and Annex A. The Clauses outline the general requirements for an ISMS, while Annex A provides a set of controls and objectives that organizations can choose to implement based on their risk assessment and security requirements.

Clauses 4-10 in ISO 27001 consist of mandatory requirements that all organizations seeking certification must fulfill. Each clause includes several sub-requirements. Here is a brief overview of each clause:

  1. Clause 4: Context of the Organization – Organizations must determine the scope of their ISMS, identify internal and external issues relevant to information security, and define the interested parties.
  2. Clause 5: Leadership – Top management should demonstrate leadership and commitment to the ISMS by establishing policies, assigning responsibilities, and promoting awareness.
  3. Clause 6: Planning – This clause emphasizes the importance of risk assessment and treatment, setting objectives, and planning to achieve them.
  4. Clause 7: Support – Organizations must provide the necessary resources, competence, awareness, communication, and documented information to support the ISMS.
  5. Clause 8: Operation – This clause covers the implementation of risk treatment plans, management of changes, and effective operation of controls and processes.
  6. Clause 9: Performance Evaluation – Organizations need to monitor, measure, analyze, and evaluate the performance of the ISMS and conduct internal audits.
  7. Clause 10: Improvement – This clause focuses on nonconformities, corrective actions, continual improvement, and the management of incidents and improvements.

Meeting these mandatory requirements is crucial for organizations seeking ISO 27001 certification.

Annex A of ISO 27001 comprises a collection of security controls that are not obligatory but can be selectively implemented based on the specific needs of an organization. By conducting a risk assessment, organizations can identify the security controls that align with their security program and effectively address their risks and vulnerabilities. This approach allows organizations to tailor the implementation of controls to their unique requirements and enhance their overall information security posture.

After establishing the necessary policies, procedures, and documentation for ISO 27001 compliance and ISMS is operational, organizations can engage an accredited certification body to perform an audit. This audit assesses the implementation and effectiveness of the Information Security Management System (ISMS) against the ISO 27001 requirements. If the audit is successful and the organization meets all the necessary criteria, an ISO 27001 certificate will be issued, validating the organization’s adherence to the standard and their commitment to information security.

By adhering to ISO 27001 standards, organizations can establish robust policies, procedures, and technology measures that effectively safeguard their data, regardless of its location. This comprehensive approach significantly reduces the risk of cyber-attacks and fosters a culture of information security within the organization.

Obtaining ISO 27001 certification serves as a notable competitive advantage for businesses, irrespective of their industry or size. The certification acts as concrete evidence to customers that the organization is dedicated to protecting their data and fulfilling contractual security obligations. Moreover, ISO 27001 certification holds international recognition, making it instrumental in expanding global business opportunities and establishing trust with partners worldwide.

DISC LLC offers the expertise of a team comprised of former ISO auditors and experienced practitioners who can assist in preparing your organization for a successful ISO 27001 audit. Their services aim to guide you towards certification by identifying and addressing any gaps that may exist within your current security program. They provide support in implementing the required policies, procedures, and technologies to meet the ISO 27001 standards. With their knowledge and experience, DISC LLC can help your organization navigate the certification process and ensure a solid foundation for information security.

Following the attainment of ISO 27001 certification, we offer services to manage and maintain your Information Security Management System (ISMS). Our expert team will diligently oversee and guide your ISMS to ensure ongoing compliance with ISO 27001 requirements, thereby facilitating future certifications. By entrusting us with the management of your ISMS, you can focus on your core business activities while maintaining the necessary level of information security and sustaining your commitment to ISO 27001 standards.

We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com), or through our website’s contact form.

Transition plan from ISO 27001 2013 to ISO 27001 2022

Why the updated ISO 27001 standard matters to every business’ security

Detailed explanation of 11 new security controls in ISO 27001:2022

6 Pocket eBooks every ISO professional should read

ISO 27001 Internal Audit

Tool for defining the ISO 27001 ISMS scope

Risk Management document templates



How to Maintain ISO 27001 Certification: 7 Top Tips

Implementing an ISMS – The nine Steps approach

ISO 27001 CyberSecurity Toolkit

Top 3 ITG ISO 27001 books 

Enhance your privacy management with ISO 27701

ISO/IEC 27701 2019 Standard and Toolkit

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: ISO 27001 2022, iso 27001 certification, ISO 27002 2022

Jun 27 2023

How to transition to the 2022 version of ISO27001

Category: Information Security,ISO 27kdisc7 @ 7:54 am

By Chris Hall

This article gives some guidance on how to transition to ISO27001:2022 from the 2013 version.

This approach is tried and tested in that I have used it to successfully transition an organization to the new version. In the transition audit there were no nonconformities.

#iso27001 #iso27001transition

How to transition to the 2022 version of ISO27001

Tags: ISO 27001 2022, ISO 27002 2022

Feb 28 2023

Transition plan from ISO 27001 2013 to ISO 27001 2022

Category: ISO 27kDISC @ 11:10 pm

How to create a transition plan from ISO 27001 2013 to ISO 27001 2022

Transitioning from ISO 27001:2013 to ISO 27001:2022 involves updating your Information Security Management System (ISMS) to meet the new requirements specified in the latest version. Here are some steps you can take to help ensure a smooth transition:

  1. Review the changes: The first step is to familiarize yourself with the changes made in the 2022 version. Some of the key changes include a more risk-based approach, more emphasis on leadership, and greater alignment with other ISO management system standards. You can find a detailed list of changes on the ISO website.
  2. Identify gaps: Once you have reviewed the changes, identify any gaps between your current ISMS and the new requirements. This may involve reviewing your policies, procedures, and controls to ensure they align with the new standard.
  3. Develop an action plan: Based on the gaps you identified, develop an action plan to address them. This may involve updating policies and procedures, implementing new controls, or conducting additional training.
  4. Train staff: It is important to ensure that all relevant staff members are trained on the new requirements and how they impact their roles and responsibilities.
  5. Conduct internal audits: Conduct internal audits to ensure that your updated ISMS is effectively implemented and meets the new requirements.
  6. Seek certification: Once you are confident that your updated ISMS meets the new requirements, seek certification from an accredited certification body.
  7. Monitor and continually improve: Finally, monitor your ISMS and continually improve it to ensure that it remains effective and aligned with the latest best practices.

Overall, transitioning to the new version of ISO 27001 requires careful planning and execution. By following these steps, you can help ensure a successful transition and maintain the security of your organization’s information assets.

ISO 27001 2022 strategy

ISO 27001 2022 Changes

Previous posts on ISO 27k

Certified ISO 27001:2022 ISMS Transition Self-Paced Online Training Course

Detailed explanation of 11 new security controls in ISO 27001:2022

6 Pocket eBooks every ISO professional should read | ISO 27001/2 Titles

We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com), or through our website’s contact form.

Contact DISC InfoSec if you need further assistance in your ISO 27001 2022 transition Plan

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: ISO 27001 2013, ISO 27001 2022