ISO 27001 is one of the standards that help organisations keep their information assets secure. That information can range from financial information, intellectual property and employee details to customer personal data and any other information entrusted to you by a third party.
Implementing ISO 27001 has to be treated as a substantial project in order to succeed, so assign enough people to it and follow the step-by-step guide below to get through the process without unnecessary trouble.
Write an ISMS Policy
This is the highest-level document in your ISMS. It doesn't have to be very detailed, but it needs to define some basic issues for information security in your company. The purpose of the ISMS Policy is to define what management wants to achieve with ISO 27001 and how the resulting rules will be controlled once they are implemented.
Risk Assessment and Risk Treatment
This is the most complex part of an ISO 27001 implementation. First, you need to define your methodology: set out the rules for identifying assets, vulnerabilities, threats and impacts, and for deciding the acceptable level of risk. Once that is agreed, it's time to carry out the assessment according to those rules.
Risk assessment is necessary to give you a comprehensive picture of the threats to your company's information and data.
Risk treatment then reduces the risks that are not acceptable. This step is finished with a report documenting all the steps of the risk assessment and risk treatment processes.
Statement of Applicability
Often referred to as the SoA, this document lists all controls from Annex A and defines which of them are applicable to your company and why. It also records the objectives to be achieved with the controls and describes how they will be implemented. The effectiveness of controls has to be measurable, so take that into consideration and define how you are going to check that the controls have fulfilled their purpose.
Implementing controls and working with ISO 27001
This is the point where all the preparations have been done and it's time to implement all the mandatory procedures and the applicable controls from Annex A. It is the most difficult task of them all, as it requires introducing new technology and processes in the company as well as adjusting to new ways of working. People may resist the change, but if new procedures are needed to comply with ISO 27001, then everything that stands in their way, including habits that affect the company's performance, has to change as well.