Nine Steps to Success: An ISO27001:2013 Implementation Overview

Copyright Date: 2013
Edition: 2
Published by: IT Governance Publishing
Pages: 98
    Book Description:

    Completely up to date with ISO27001:2013, this is the new edition of the original no-nonsense guide to successful ISO27001 certification. Ideal for anyone tackling ISO27001 for the first time, Nine Steps to Success outlines the nine essential steps to an effective ISMS implementation: nine critical steps that mean the difference between project success and abject failure.

    eISBN: 978-1-84928-511-7
    Subjects: Technology

Table of Contents

    (pp. 8-14)

    The International Standard ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements has now replaced the earlier 2005 version. Information security has always been an international issue, and this new version of the Standard reflects eight years of improvements in the understanding of effective information security management. It also takes account of the evolution in the cyber threat landscape over that period, and allows for a new range of best practice controls.

    Information security is also a management issue, a governance responsibility. The design and implementation of an Information Security Management System (‘ISMS’) is a management role, not...

    (pp. 15-24)

    It may be something of a cliché but, for ISMS projects, it is certainly true to say that ‘well begun is half-way done’. The person charged with leading an ISO/IEC 27001:2013 ISMS project has to reduce something that looks potentially complex, time and resource consuming, and difficult, to something that everyone believes can be achieved in the time-frame allocated, and with the resources allowed. Then you have to make sure that it is actually delivered!

    What this actually means is that the ISMS project leader has to set the project up in such a way that it is adequately resourced,...

    (pp. 25-34)

    Information security is both a management and a governance issue. Successful implementation of an ISMS depends absolutely on the project having real support from the top of the organisation. With it, you have a real chance of success; without it, none at all. Securing real top management support – not mere lip service – is the second key to ISO27001 success. In this context, I’m not necessarily talking about the CEO of a large, multi-subsidiary organisation; I’m talking about the person who is accountable for the business success, or failure, of the trading entity (see Chapter Three, which deals with scope) that...

    (pp. 35-43)

    Scoping is one of the nine keys to project success. It is key, both because you need to know the boundaries of what you are planning to implement, and because the Standard itself requires it.

    Clause 5.2 of ISO27001 clearly sets out the requirements in respect of the ISMS policy. The policy must be approved by the Board. The policy must provide an overall sense of information security direction for the organisation, as well as including information security objectives. It must include meeting information security requirements (which might be business, contractual or regulatory in nature), and it must also contain...

    (pp. 44-61)

    Planning has, for a long time, been seen as an essential precursor to project success. Of course, while it is necessary, it is not sufficient – a well-planned project can still fail for any one of a number of reasons. At the highest level, ISMS project planning means dealing successfully with all the issues identified in this book; each of the nine keys is also a critical component of a successful ISMS project plan. At a more practical level, planning is, in its own right, one of the nine keys to ISO27001 success. For the purposes of an ISMS implementation, ‘planning’...

    (pp. 62-66)

    The same rule that once applied to voting in elections also applies to communication in change programmes: ‘communicate early and communicate often’. Communication is so important that it is one of the nine keys to ISO27001 project success. Underlying every successful change management programme, and especially necessary for the successful roll-out of an ISMS, is a well-designed and effectively implemented internal communications plan. Compliance with ISO27001 and common sense suggest that key components of this plan must include:

    Top-down communication of the information security vision – why the ISMS is necessary, what the organisation’s legal responsibilities are, what the business...

    (pp. 67-75)

    Risk assessment is at the heart of the ISMS. Understanding its significance to the overall process is critical, and is one of the keys to project success. The Board adopts an information security policy because there are a number of significant risks to the availability, confidentiality and integrity of the organisation’s information, and it mandates the design and deployment of an ISMS in order to ensure that its policy is systematically and comprehensively implemented. The policy must, therefore, reflect the Board’s assessment of information security risks and opportunities. This doesn’t mean the Board needs to carry out a detailed risk...

    (pp. 76-81)

    The risk assessment is at the heart of the ISMS. The controls adopted by the organisation will form a significant part of the ISMS. The reality is that the bulk of the project time will be invested in designing, deploying, testing and revising appropriate controls that are intended to meet the identified risks. It is therefore important to have an overview of controls.

    The concepts of risks and controls are linked and are fundamental to Information Security Management Systems. Risk might be defined as ‘the combination of the probability of an event and its consequences’. Control is defined, in ISO/IEC...

    (pp. 82-87)

    Your risk assessment process determines the controls that have to be deployed in your ISMS, and your statement of applicability identifies the controls that you are deploying in the light of your approach to risk management. Every one of those controls, together with your approach to identifying and managing risk, your management structure, your decision-making processes, and every other component of your Information Security Management System, has to be documented, as a point of reference, as the basis for ensuring that there is consistent application over time, and to enable continuous improvement.

    Documentation will be the most time-consuming part of...

    (pp. 88-90)

    The ninth and final key to a successful ISMS implementation is testing – and testing everything to destruction. The principle is a simple one; so simple, in fact, that this will be the shortest of all the chapters in this book.

    Your ISMS has to work in the real world. You’ve identified risks, you’ve deployed what appear to be appropriate controls, and you want to be sure of two things: first, that the controls work as intended and, second, that when they are overwhelmed (as, sooner or later, they will be) your emergency countermeasures also work. Your management system, including each...

    (pp. 91-94)

    While your selection of certification body should have no impact on your success in achieving certification, there are a couple of issues you should consider in making your selection – which isn’t necessary until you have already made considerable progress toward readiness for certification. You will, of course, want to ensure that there is a cultural fit between yourself and your supplier of certification services, and that pricing, etc. is acceptable.

    There are two other key issues that do need to be taken into account when making this selection: the first is relevant to organisations that already have one or more...