Top Tips For Implementing an Effective ISO 27001 Information Security Management System (ISMS)

Wayne Armstrong
Senior Information Security Consultant and Consultant Manager at URM
22 May


An information security management system (ISMS) is a framework of policies, procedures, guidelines and associated resources that helps organisations manage and protect their information assets from unauthorised access, disclosure, modification, destruction or disruption, whether accidental or deliberate.

Drawing on nearly two decades of assisting organisations of all sizes and from all sectors in implementing ISMSs, typically when seeking certification to ISO 27001, URM provides some top tips for achieving an effective and successful management system implementation, including:

  • Setting objectives for implementing your ISMS
  • Establishing what resources are needed
  • Gaining senior management commitment
  • Implementing a risk management framework
  • Managing your information assets
  • Developing and delivering staff awareness training
  • Measuring and monitoring the effectiveness of your ISMS

Set objectives for implementing your ISMS

Before embarking on your ISMS implementation, you need to ensure you have fully identified what objectives you are looking to achieve.  It is essential that your organisation is clear on what you expect from your ISMS.  At a minimum, you need to answer the following questions:

  • Why are we doing this?
  • What do we want to achieve by doing this?
  • What are the benefits of doing this?

Examples of ISMS objectives include ensuring:

  • Overall organisational business needs and objectives are being supported - It is critical that your ISMS is integrated with your organisation’s processes, management structure and is scaled to your organisation’s needs.
  • The confidentiality (protecting your sensitive information from unauthorised access or disclosure), integrity (guaranteeing information is accurate, complete and reliable) and availability (ensuring that access to information and associated systems and services is maintained for authorised users) of your information.
  • Your information-related risks are managed - Identifying, assessing and managing information security risks to protect your key information assets and minimise any potential impact.
  • Legal and regulatory compliance - Identifying and complying with applicable laws, regulations, contractual and client obligations, and industry standards related to information security.
  • Staff are aware and competent - Ensuring staff are aware of what they need to do to protect the confidentiality, integrity and availability of information, as well as what to do in the event of an information security incident.

Establish what resources are needed

Your organisation needs to establish what resources are required for implementing your ISMS. A key starting point will be determining the scope of your ISMS, i.e., will it be the whole organisation or specific functions/locations, and what information systems will be included in the ISMS? Conducting a gap analysis will be invaluable in helping you ascertain the gaps between your existing and required processes and security controls, and what resources are required to bridge those gaps. Gaps may be identified in terms of policies and processes, human resources, technical resources, training, infrastructure, risk tools (e.g., risk assessment), hardware and software. You will then be in a position to answer the following questions:

  • How much financial resource is required for implementation and ongoing maintenance/improvement? There may be, for example, a requirement to invest in specific tools and technologies (firewalls, intrusion detection systems, encryption tools etc) or a requirement to upgrade your infrastructure (hardware and software updates etc).
  • What human resources will be required? Does your organisation have the necessary expertise and knowledge (and time!)  to implement an ISMS internally?  If not, you may need to engage external consultants to assist in various activities such as risk assessment, policy and process development, auditing and training.
  • What timing is anticipated for the implementation? If your organisation is working to a tight deadline (e.g., achieving ISO 27001 certification to meet a client requirement), this will influence the resources you need to commit.
  • Are you looking to certify your ISMS? If your organisation’s goal is to certify your ISMS to ISO 27001, this will necessitate certification body assessment fees (stage 1 and 2, along with continuous assessment visits (CAVs) and recertification).
  • What training costs may be necessary?  If you are looking to utilise internal resource to implement, manage and maintain your ISMS and there is a knowledge/skills gap, you may need to budget for specialist training (e.g., lead ISO 27001 implementation and auditing courses).  Equally, in order to raise information security awareness across the whole of the workforce, there may be a necessity to invest in an online learning management solution with bespoke training content.

Gain senior management commitment

We cannot stress strongly enough how important senior management buy-in is to a successful ISMS implementation.  We have already identified the range of resources that are required to achieve a successful ISMS implementation and senior management naturally plays a pivotal role in allocating the necessary resources, be that signing off recruitment or training budgets or consultancy resource.

Senior management buy-in is also critical in terms of prompt decision making at the various stages of implementation, such as risk treatment and policy development. Furthermore, senior management commitment sets the tone for information security throughout the organisation.  Its visible support and endorsement of the ISMS sends a strong message to employees at all levels, emphasising the importance of information security and compliance.  

If your organisation is looking to achieve ISO 27001 certification, there are a number of mandatory requirements on senior management, including ensuring the availability of resources and communicating the importance of effective information security management to your organisation. Senior management also needs to be involved in ongoing high-level reviews of the ISMS to ensure it is performing as expected and required.

So how do you gain the support of senior management in the face of competing demands? Your focus needs to be on demonstrating the value and benefits of the ISMS and, very importantly, aligning the ISMS with organisational goals and objectives. Key benefits to include when presenting your business case are:

  • Improving information security, reducing the likelihood and impact of security incidents and protecting sensitive data and the organisation’s reputation
  • Instilling trust and confidence in customers and other interested partners, particularly where sensitive information is being processed
  • Where ISO 27001 certification is involved, stressing there may be a tangible return on investment in terms of the Standard being used as a prerequisite for tendering or a contract being awarded
  • Highlighting how the ISMS can help the organisation meet any legislative and regulatory requirements and avoid potential penalties (e.g., ICO fines) or reputational damage
  • Considering the ‘cost of doing nothing’, i.e., what the potential impacts are if the ISMS implementation is not backed by management.

Establish a risk management framework

The term ‘risk management framework’ is open to different interpretations, but fundamentally, it involves systematically identifying and managing risks to your information assets.  It provides a systematic process for understanding and addressing potential threats, vulnerabilities, and impacts on your organisation's information security and ensuring the confidentiality, integrity, and availability of sensitive information.  

In establishing your risk management framework, your organisation needs to define the necessary risk assessment criteria (e.g., specific parameters used to evaluate and prioritise risks, typically based on factors such as likelihood and impact), metrics (quantitative or qualitative measures used to assess and compare risks) and risk appetite (level and type of risk that an organisation is willing to accept or tolerate in pursuit of its objectives) and also what risk treatment process and recording mechanisms will be employed.  

There are numerous benefits to establishing a risk management framework, not least in providing the capability to produce reliable, repeatable and comparable results across the organisation, irrespective of where it is being applied and who is operating it.  By taking a systematic approach, your organisation can allocate appropriate resources to prioritise and mitigate the most critical risks first.  Investing in information security can be costly, and resources need to be allocated effectively.  A risk management framework will enable your organisation to make informed decisions about where to invest resources by assessing the potential impact and likelihood of risks.  As such, you can ensure that security measures are proportional to the identified risks, and you can allocate resources in an optimal manner.
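The assessment criteria, risk appetite and recording mechanism described above, worked through as an added example (not code from URM or the post): risks are scored on likelihood and impact against fixed ordinal scales, compared with an appetite threshold to decide whether they are accepted or need treatment, and sorted so the most critical are addressed first. The scales, the appetite value and the register entries are all constructed assumptions.

```python
"""Added example (not from the URM post): a minimal, repeatable risk assessment.
Likelihood and impact scales, the risk appetite threshold and the sample
register entries are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed 1-5 ordinal scales: every assessor must use the same criteria
# so that results are comparable across the organisation.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Constructed risk appetite: a score at or below this is accepted as it stands.
RISK_APPETITE = 6


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str  # key into LIKELIHOOD
    impact: str      # key into IMPACT
    score: int = field(init=False)
    treatment: str = field(init=False)

    def __post_init__(self):
        # Reject ratings outside the defined criteria rather than guessing a value
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.asset}: rating outside the defined criteria")
        self.score = LIKELIHOOD[self.likelihood] * IMPACT[self.impact]
        self.treatment = "accept" if self.score <= RISK_APPETITE else "treat"


def assess(register):
    """Score each register entry and return the risks highest-first, so
    resources can be directed to the most critical risks before the rest."""
    risks = [Risk(**entry) for entry in register]
    return sorted(risks, key=lambda r: r.score, reverse=True)


def treatment_plan(risks):
    """Assets whose risk exceeds appetite and therefore need a treatment action."""
    return [r.asset for r in risks if r.treatment == "treat"]


# Constructed register entries.
SAMPLE_REGISTER = [
    {"asset": "customer database", "threat": "credential theft via phishing",
     "likelihood": "likely", "impact": "severe"},
    {"asset": "public website content", "threat": "defacement",
     "likelihood": "possible", "impact": "minor"},
    {"asset": "payroll file share", "threat": "accidental disclosure",
     "likelihood": "possible", "impact": "major"},
]

if __name__ == "__main__":
    for r in assess(SAMPLE_REGISTER):
        print(f"{r.score:>2}  {r.treatment:<6} {r.asset}: {r.threat}")
```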

When establishing your risk management framework, it is important to obtain senior management buy-in.  If your organisation already has a risk assessment process, it may be beneficial to review that process to understand if it is suitable for the ISMS or whether it can be adapted to meet the requirements of the ISMS.

Identify and classify your information assets  

An information asset refers to any piece of information, irrespective of format or location, that contributes to your organisation's business activities.  Information assets can take many forms including customer data, employee information, operational data, R&D information and compliance documentation, as well as intellectual property and branding information.  It is important to identify the value of your information assets and this is best achieved by determining what the impact would be if there was a breach of the confidentiality, integrity or availability of each type of information asset.  

To ensure such disparate types of information receive appropriate levels of protection in accordance with their importance, an information classification scheme should be established covering the classification, labelling and handling of assets that fall within the scope of your ISMS.

The effectiveness of the scheme will rely on the guidance you provide on how to assess the sensitivity of information (classification criteria) and, based on its classification, what controls and protective measures are required for each classification in terms of handling, transfer and storage. As an example, a paper document that is classified as ‘public’ can be disposed of in a recycling bin, whilst a paper document classified as ‘confidential’ must be disposed of securely, by being shredded.

Develop and deliver awareness training

It is often reported that the weakest link in any organisation’s information security regime is its staff.  Employees can unintentionally or deliberately cause information security breaches by mishandling or not sufficiently protecting sensitive information, clicking on malicious links, falling victim to phishing attacks, or misusing access privileges.  One of the most effective and potent risk mitigation tools is the delivery of awareness training to educate employees about their roles, responsibilities and the possible risks they may encounter, therefore increasing their vigilance and making them more security conscious.

Where appropriate, all members of staff who fall within the scope of your ISMS are required to be provided with awareness training.  You should ensure that this is provided at induction for new joiners, and at regular intervals to all personnel.  The training should be reviewed and updated to ensure that it remains current and reflects the changing requirements for information security as determined by the changes in technology and threat landscape.  It is recommended that this should also include some form of training assessment, in order to assess that recipients have fully understood what is required of them.  Training assessment will also help to identify whether there are any particular areas within the training that are not clear and need to be improved.  The actual training content should be heavily influenced by your risk assessment and the identification of threats which are particularly relevant to your organisation.

Typical training and awareness topics include access control and the need for strong password management, along with the need to be aware of the latest phishing attacks and to be sensitive around the protection of personally identifiable information.  As a result, the likelihood of security incidents can be reduced and associated risks can be mitigated.  Through training, employees are able to recognise and respond appropriately to potential threats, such as social engineering attempts or malware.  They will become empowered to take a more proactive approach and take the necessary precautions in their day-to-day activities.  

Another key focus of awareness training is how to respond effectively to security incidents.  By educating staff on how to identify and report suspicious activities promptly, your organisation can initiate appropriate incident response measures more quickly, mitigate the impact and prevent further damage.

Measure and monitor your ISMS

With any ISMS, a key goal is to continually improve it, and measurement and monitoring play a key role in enabling you to assess its performance and effectiveness, and evaluate how well it aligns with your defined objectives.  Metrics provide quantifiable data and indicators that can help you evaluate the performance, progress and impact of various components of the ISMS, such as processes, security controls and risk management activities.  

When developing ISMS metrics or key performance indicators (KPIs), your organisation should ensure that the metrics are aligned with your specific business goals and the outputs from your risk assessment.

Here are some examples of metrics that can help in measuring performance:

  • Incident response and management - average time to detect and respond to security incidents, incident closure rates, or the number of incidents by severity level
  • Compliance - number of nonconformities raised during the year, % of nonconformities closed within target timeframe, system uptime as a percentage of available time
  • Security awareness - number of staff who have attended information security training and awareness sessions, pass rates achieved on security awareness assessments
  • Trends in incidents - frequency and types of incidents
  • Risk management - percentage of risks mitigated within established timeframes.
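Several of the metrics listed above, calculated from sample records as an added example (not code from URM or the post): mean time to detect and respond, incident closure rate, incidents by severity, and the percentage of nonconformities closed within a target timeframe. The incident and nonconformity records, the severity labels and the 30-day closure target are constructed assumptions.

```python
"""Added example (not from the URM post): computing ISMS metrics from records.
All records, severities and target timeframes are constructed for illustration."""
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed incident records (ISO 8601 timestamps); 'resolved' is None while open.
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "occurred": "2024-03-01T09:00",
     "detected": "2024-03-01T11:00", "resolved": "2024-03-02T11:00"},
    {"id": "INC-2", "severity": "low", "occurred": "2024-03-05T08:00",
     "detected": "2024-03-05T08:30", "resolved": "2024-03-05T12:30"},
    {"id": "INC-3", "severity": "high", "occurred": "2024-03-10T14:00",
     "detected": "2024-03-11T14:00", "resolved": None},
    {"id": "INC-4", "severity": "medium", "occurred": "2024-03-12T10:00",
     "detected": "2024-03-12T10:30", "resolved": "2024-03-13T10:30"},
]
# Constructed internal audit nonconformities; 'closed' is None while open.
NONCONFORMITIES = [
    {"id": "NC-1", "raised": "2024-01-10", "closed": "2024-02-05"},
    {"id": "NC-2", "raised": "2024-01-15", "closed": "2024-03-20"},
    {"id": "NC-3", "raised": "2024-02-01", "closed": None},
    {"id": "NC-4", "raised": "2024-02-20", "closed": "2024-03-10"},
]
NC_TARGET = timedelta(days=30)  # constructed closure target


def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)) / timedelta(hours=1)

def mean_time_to_detect(incidents):
    """Average hours from occurrence to detection, over all incidents."""
    return sum(_hours(i["occurred"], i["detected"]) for i in incidents) / len(incidents)

def mean_time_to_respond(incidents):
    """Average hours from detection to resolution; still-open incidents are excluded."""
    done = [i for i in incidents if i["resolved"]]
    return sum(_hours(i["detected"], i["resolved"]) for i in done) / len(done)

def closure_rate(incidents):
    """Percentage of incidents that have been closed."""
    return 100.0 * sum(1 for i in incidents if i["resolved"]) / len(incidents)

def incidents_by_severity(incidents):
    """Count of incidents per severity level."""
    return dict(Counter(i["severity"] for i in incidents))

def nonconformities_closed_in_target(ncs, as_of, target=NC_TARGET):
    """Percentage of nonconformities closed within the target timeframe.
    An open item is late only if the target has already passed on the 'as_of' date."""
    def on_time(nc):
        raised = date.fromisoformat(nc["raised"])
        end = date.fromisoformat(nc["closed"] or as_of)
        return end - raised <= target
    return 100.0 * sum(1 for nc in ncs if on_time(nc)) / len(ncs)
```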

In terms of monitoring the effectiveness of your ISMS, you have a number of tools at your disposal and these include the following:

  • Internal audit – Probably the most commonly used tool for assessing your conformance to the mandatory clauses and applicable controls of ISO 27001, as well as to your own policies and processes. In doing so, audits will help you identify non-compliance issues, vulnerabilities, and areas for improvement. To get the most out of your audits, it is essential that you define the scope, frequency, and objectives of your internal audits and that your audit plan covers all relevant areas and processes and is tailored to your organisation's unique needs and requirements. There are also a number of other key success criteria attached to conducting internal audits, and these will be addressed in future URM blogs.
  • Management reviews – As identified earlier, an important role of senior management is to conduct periodic management reviews of the ISMS to evaluate its overall performance and identify opportunities for improvement.  Management reviews involve analysing audit results, KPIs, risk assessments, and other relevant data.
  • Security incident monitoring – A robust system needs to be introduced in order to monitor security incidents and breaches.  This can be achieved through real-time event monitoring, log analysis, intrusion detection systems (IDS), and security information and event management (SIEM) tools.
  • Vulnerability scanning - Your organisation needs to regularly scan and assess your systems and networks for vulnerabilities.  Automated vulnerability scanning tools can be used to identify weaknesses in your infrastructure, web applications, and configurations.
  • Business continuity exercises - Your business continuity and disaster recovery plans need to be exercised in order to assess their effectiveness and readiness in responding to and recovering from potential disruptions or disasters.

How can URM help you?

Having been involved in implementing ISO 27001 conformant ISMSs since the Standard’s inception in 2005, URM has unrivalled insights into the Standard’s requirements and how best to satisfy them. URM’s ISO 27001 consultants are adept at supporting all stages of the Standard’s lifecycle, from conducting gap analyses and risk assessments through to ongoing management system and control audits. URM can offer your organisation full lifecycle services in order to achieve either ISO 27001 conformance or ISO 27001 certification.

Wayne Armstrong
Senior Information Security Consultant and Consultant Manager at URM
Wayne is a Senior Information Security Consultant and Consultant Manager at URM with over 30 years’ experience in IT, information security and risk management. He has attained and maintained CISSP, CISMP, PCIRM, and CISA qualifications and is a Qualified Security Assessor (QSA) for the Payment Card Industry Data Security Standard (PCI DSS).