6 Must Do's When Implementing ISO 27001

Alex Speakes | Information Security Consultant at URM | Published on 23 Jan 2024

In this blog, Alex Speakes, Information Security Consultant at URM shares his views on 6 must do’s when implementing an information security management system (ISMS) in order to conform to or certify against ISO 27001, the International Standard for Information Security Management.  The blog is based on his personal experience implementing and managing an ISMS both as an ISMS Manager and as a consultant advising other organisations implementing ISO 27001.

Understanding the Standard

Before implementing ISO 27001, it is crucial to understand what the purpose of the Standard is, how the Standard is going to benefit your organisation, and why your organisation is seeking certification.  It is important that the organisation, particularly senior management, understands what the objectives of ISO 27001 are and what is involved in implementing it, as well as the benefits that will accrue from both a good governance and a commercial perspective.  It is important to communicate, for example, that this is a risk-based Standard and that any security controls introduced are tailored to your organisation. We recommend all organisations purchase a copy of ISO 27001:2022 to use as a reference point in understanding and meeting the requirements of the Standard itself.

Top management support

An absolute must in any implementation of ISO 27001 is that it has the backing of your top management, such as your senior leadership team or board of directors.  Whenever URM has been involved in producing an ISO 27001 case study post implementation and asked clients about the key success criteria of the project, invariably the first criterion mentioned is gaining the commitment and support of top management. The backing of top management is not just about providing resources, but about building information security into the organisation’s culture and values, so it becomes business as usual, and the leadership team is seen to be leading by example, with no exceptions!

Completing an information security risk assessment against information assets

At the core of your ISMS is your information security risk assessment. The main goal here is always to start by identifying all the in-scope information you are processing, along with any supporting assets used to process that information.  One of the biggest challenges associated with this is understanding that you are assessing the information itself and its importance to your organisation, not necessarily the detail of particular assets (e.g. serial numbers); these are information assets, not the assets on an asset register.  The purpose of the risk assessment is to identify potential security threats to your key information assets and evaluate the risks associated with them.  This assessment is absolutely central in guiding you to select the most appropriate information security controls.

Creating and communicating an information security policy

Your information security policy should lie at the heart of your ISMS.  It needs to explain your organisation's approach to information security, as well as provide a framework for setting objectives and establishing an overall sense of direction and principles for securing information.  An area that we sometimes see being overlooked is the need to communicate this policy to staff and interested parties.  If you need to share your information security policy with external parties, make sure you don’t have conflicting rules set out in your classification scheme, and that you don’t set the policy's classification to ‘internal use only’ or ‘company confidential’, for example.

Defining the scope of the ISMS

Clearly defining the scope of your ISMS is critical and involves deciding which information, departments, locations, and technology will be covered.  A well-defined scope ensures that everyone knows what is included and what isn't.  We often see organisations struggle initially with the challenge of defining their ISMS scope, but find the following questions really help in deciding on an appropriate and meaningful scope:

  • Why are you looking to conform or certify to ISO 27001? Is it being specified by one or more major clients, is it to align with best practice, or is it to demonstrate to prospective clients the robustness of your information security practices and processes?
  • Does the scope need to cover all information, sites, people, teams, technologies, products and services?
  • Or does the scope only need to cover specific areas?  This is particularly relevant if you are implementing ISO 27001 to meet a specific client’s requirements.
  • Who needs to be involved in the decision-making process behind defining the scope? In URM’s opinion, this should be led by senior management and assigned to an appropriately qualified information security professional.

Ensuring all staff are aware of the importance of information security

Countless surveys have shown that an organisation’s own staff represent one of the biggest threats to maintaining information security, e.g., by falling victim to phishing attacks.  As such, training and awareness programmes are vital in ensuring that all employees understand their role within the ISMS and how they can contribute to information security within your organisation.  We tend to see challenges around evidencing staff awareness of information security and of information security policies.  A great starting point (literally) is ensuring that the new starters’ induction programme includes sessions on your information security policy and supporting policies and processes.  This can then be marked as complete on an induction checklist, allowing you to evidence that staff were given visibility of policies and procedures. This can be further supported by including some form of assessment test at the end of training/awareness sessions.  These assessments can include multiple-choice quiz questions with a requirement to achieve a specific pass mark or percentage.  Not only will a test be valuable in identifying any gaps in new starters’ understanding, but also in identifying any shortfalls in the training/awareness material.

How URM can help you

Having assisted over 400 organisations to achieve and maintain ISO 27001 certification, URM is ideally placed to support your organisation’s implementation of the Standard.  URM’s services are totally flexible and tailored to meet your organisation’s needs, and our ISO 27001 consultants can help you with any aspect of conformance to the Standard.  This includes conducting a gap analysis to identify any areas of nonconformance, performing an ISO 27001 internal audit, through to full lifecycle implementation support.  As well as our consultancy services, we offer a range of ISO 27001 training courses, all led by a qualified and experienced ISO 27001 consultant.

Alex Speakes
Information Security Consultant at URM
Alex possesses the unique combination of having managed an integrated management system himself for a number of years as well as supporting in excess of 70 organisations (of all sizes and from a wide range of business sectors) in achieving and maintaining certification to the respective ISO 27001, ISO 22301 and ISO 9001 Standards.