In this post, we’ll review important elements that must be taken into account prior to implementing ISO 27001, as these are very useful during information security management system (ISMS) planning and operation phases within an organization.
These factors can be key to the success or failure of the ISMS implementation, due to the day-to-day activities in the organization and the resources required for system operation.
What needs to be taken into account when planning an ISMS?
Although there is no step-by-step procedure that describes how to implement the standard, there are some factors that are essential to obtaining a better projection of the effort required and achieving acceptable results, which we describe below.
1. Support and collaboration
The main element to be taken into consideration before implementation is the support of senior management for the information security activities, and specifically for the initiative to start operating an ISMS.
The idea can arise at any level of the organization, but it requires backing from the highest levels.
The support and commitment of senior management is the difference between a combined effort and an isolated project run by a subordinate. It is also useful to create structures within organizations to enable collaboration and cooperation between representatives from the different parties who have relevant roles and functions.
In this respect, it is good practice to develop a suitable structure for making decisions about the management system by creating a security forum or committee that manages the implementation of “information security governance”, that is, all the responsibilities and actions exercised by senior management in relation to security.
2. Decision-making structure
For the purposes of security management activities, the committee is an interdisciplinary group responsible for making decisions relating to the implementation and operation of the management system, as well as maintaining administrative control of the security work framework.
The aim is to integrate members of senior management (including the CEO) in order to provide a business vision for the decisions within the committee’s remit, as well as generating a consensus around the security requirements and initiatives, in alignment with the objectives of the organization.
In general, you can group together the needs and viewpoints of the organization’s members, such as users, administrators, auditors, security experts and other departments including legal, HR, IT and risk management.
Others who could be part of this forum are the system manager, the heads of the functional areas of the organization and an auditor to carry out an objective and impartial evaluation of the ISMS.
3. Gap analysis
Gap analysis is a preliminary study that tells us how an organization is performing in terms of information security in relation to industry best practice. Established criteria in the form of norms or standards are used for this.
The analysis establishes the difference between actual and desired performance. Although the analysis is applicable to any certifiable standard, it is usually carried out for new certification schemes, which are those that create the most doubt in organizations due to their newness.
4. Business impact analysis (BIA)
Business impact analysis (BIA) is a tool used to estimate the potential effects an organization could experience in the event of an incident or disaster.
It has two main objectives: the first is to provide a basis for identifying the critical processes in an organization’s operations and the prioritization of this set of processes, following the criterion of the greater the impact, the higher the priority.
The BIA relates directly to the processes that have a critical time frame for implementation, because although all time-critical processes are mission-critical, not all mission-critical processes are time-critical.
5. Resources: time, money, and personnel
Based on the results of the gap and business impact analyses, it is possible to estimate what is required for the implementation of ISO/IEC 27001. In the case of the first cycle of operation, the suggested time to implement the standard would be a period with a lower workload which allows for suitable planning and, if necessary, the recruitment of new personnel to focus on this task.
We recommend that the time spent on the management system should not exceed a period of one year from the completion of the first cycle, for various reasons including the constant change in risks, change in management priorities regarding the protection of company assets, the emergence of new threats, and so on.
This analysis also enables an estimation of the financial resources required to reach the desired level in information security in compliance with ISO 27001. We also have to keep in mind that during implementation, resources will have to be allocated to carrying out technical, physical and administrative controls in accordance with the results of a risk assessment.
Meanwhile, the organization must find the ideal person to carry out the technical and administrative actions related to the management system, and might choose to train existing staff or hire the services of external personnel to work towards the objectives proposed in the ISMS.
6. Review of security standards
Another useful activity to carry out before implementing an ISMS is to gain an understanding of the content and structure of the ISO/IEC 27001 standard, as well as the standards making up the 27000 series. More specifically, it is necessary to know all about ISO/IEC 27000, enabling an understanding of the principles underpinning ISMS implementation.
ISO/IEC 27000 contains a glossary of all the terms used in the 27000 series, as well as a general summary of this group of standards and an introduction to ISMS. This standard has become more relevant because it is the only regulation referenced in the new version of ISO/IEC 27001.
Towards ISMS implementation, operation, review and improvement
Of course, each implementation is different, depending on the conditions, requirements and resources of the organization, but these elements can be applied on a general basis since the standards define what has to be done, not the way to do it.
These elements may be fundamental to the success of a project for operating and maintaining an ISMS in a company, with the aim of protecting information and other assets through a work framework defined by industry best practices and the advice of specialists in the field.
In future posts, we will discuss other factors that need to be taken into account in the planning, implementation, review and improvement of an Information Security Management System.
And in the meantime, check out the main concepts all summarized in this illustration:
Author Miguel Ángel Mendoza, ESET