ISO 27001 Implementation

ISO 27001, the international standard for information security management, defines a comprehensive set of controls to help organizations protect their information assets. The structure and number of these controls have evolved with the standard’s updates.

Readiness Assessment:

– Conduct a current readiness assessment to identify gaps in the existing Information Security Management System (ISMS).

– Report the findings to executive stakeholders.

Establishing ISMS:

– Establish the Information Security Forum.

– Develop communication mechanisms to monitor, measure, analyse, and evaluate the performance of Information Security.

Risk Treatment:

– Develop a risk treatment plan.

– Obtain management approval for the risk treatment plan.

– Implement the risk treatment plan.

– Document the results of the Information Security Risk Treatment plan.

– Review and improve the plans.

Internal Audit:

– Conduct a preliminary review of the documented ISMS to highlight key findings.

– Remediate the findings and prepare for certification.

Key Factors for ISMS Certification:

– Scope for audit and certification.

– Asset structure.

– Statement of applicability.

– Maturity of the ISMS and management.

Planning phase:

Define the scope of the ISMS, define an ISMS policy, and outline an approach to risk assessment. Identify the risks, assess them, and identify and evaluate options for risk treatment. Select control objectives and controls and prepare a Statement of Applicability (SOA).

Do phase:

Formulate a risk assessment, develop a treatment plan, implement risk controls, implement training and awareness programs, manage operations and resources, and implement procedures to detect and respond to security incidents.

Check phase:

Execute monitoring procedures, undertake regular reviews of ISMS effectiveness, review the level of residual and acceptable risk, conduct internal ISMS audits, and regularly review the ISMS. Record actions and events that impact the ISMS.

Act phase:

Implement the identified improvements. Take corrective or preventive action. Apply the lessons learned (including from other organisations). Communicate the results to interested parties. Ensure that the improvements achieve the objectives.
