Good information security is embedded in the way a company operates. Standards frameworks such as ISO 27001 help with this. But how does implementing this standard work? In this article, we will take you through the world of ISO 27001, the ISMS, the benefits, the investment and how to maintain an ISMS.
What is ISO 27001?
ISO 27001 is the international standard for information security management. Annex A of ISO 27001 lists the reference controls; the companion standard ISO 27002 is not an annex itself but provides implementation guidance for those same controls. The 2013 edition of Annex A contains 114 controls grouped into 14 domains; the 2022 revision consolidates these into 93 controls across four themes (organizational, people, physical and technological). In practice, implementing ISO 27001 means working through Annex A with ISO 27002 as the guide.
These controls allow an organization to get a grip on its key risks. A risk assessment makes those risks explicit, and the controls you select (and the ones you leave out) are justified in the Statement of Applicability. For the biggest threats, processes are adapted to secure the information involved. This can affect, for example, the following:
- Physical security of your office
- Stated requirements for a supplier
- Recruitment of new staff
- Authorizations
- Change Management
- Patch management
- Exposure of your systems to external attackers
ISO 27001 implementation
An ISO 27001 implementation is a major investment and has an impact on your organization. The lead time depends on the scale of your organization and the resources available. As a rough estimate, the process takes about three to six months. In this period you map out your processes and write them down in the form of policies and procedures. Some of the benefits of an ISO 27001 implementation are:
- An inventory of your critical data and systems
- Protection of that data and those systems
- Internationally recognized and certifiable
- Evidence of professionalism to stakeholders and customers
Information Security Management System (ISMS)
Whereas ISO 27001 Annex A provides the controls, an Information Security Management System (ISMS) consists of the management activities around them: risk assessment, internal audit, management review and so on. Both the controls and the ISMS activities are subject to the Plan, Do, Check, Act (PDCA) cycle. Most ISMS activities recur on a roughly annual interval (the internal audit and the management review, for example), and running them through Plan, Do, Check and Act is what turns the ISMS into a process of continuous improvement.
Below is an overall roadmap of ISMS activities:

By following these process steps, you will be well prepared for the next step: the external audit. The certification body audits your ISMS in two stages to test its conformity with the standard. In stage 1 the auditor checks that the basic structure of your ISMS is in place (scope, policy, risk assessment, Statement of Applicability and the documented procedures); in stage 2 the auditor checks how the Annex A / ISO 27002 controls are actually implemented and operated, looking for evidence rather than documents. After the audit you receive findings in the form of nonconformities, for which you must draw up root-cause analyses and corrective action plans. Once the auditor accepts these, the ISO 27001 certificate follows. Note that you cannot be certified against ISO 27002: it is guidance for the Annex A controls, and certification is only possible against ISO 27001.
PDCA cycle
The steps described above are subject to the Plan, Do, Check, Act (PDCA) cycle. This iterative cycle ensures that the activities are repeated continually, so that information security remains under constant scrutiny and keeps developing. The PDCA cycle also provides assurance of results: after each step you verify that the outcome matches what was expected.

Plan
Draw up a plan in which the end goals are written down clearly. Formulate these goals as specific, measurable, achievable, realistic and time-bound (SMART) and align them with the interests of the various stakeholders. State clearly which resources are available and which preconditions apply.
Do
Carry out the established plan. Record and review activities and performance continuously, so that the Check step has data to work with.
Check
Compare the results obtained with the desired results. Evaluate the differences and carry out a cause analysis. A simple tool for this is the five whys method: ask "why?" five times in succession, each time about the previous answer, until you arrive at the root cause of the problem rather than its symptom.
Act
Based on the differences found, management takes action and measures are put in place so that the desired results are still achieved.
After these steps the cycle starts again, and your ISMS improves continuously.
Maintaining your ISO 27001 certification
Your ISO 27001 certificate is valid for three years, with surveillance audits by the certification body in between, so it is important to keep maintaining the ISMS. We offer this as an ISO 27001 management service: for a fixed monthly fee we perform audits, handle security incidents and are available for all your questions. More information can be found on the ISO 27001 page.