ISO/IEC 27001, commonly referred to as ISO 27001, is the most widely adopted international standard for managing data security and information security through an information security management system (ISMS).
The standard was first published in 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO 27001:2013 is the latest revision to the standard.
ISO 27001 certification improves your organization’s reputation, as partners and customers can feel confident that you are handling their information assets, like sensitive data, through appropriate protection methods.
ISMS implementation is a resource-intensive process involving many stages and stakeholders, which can quickly complicate its execution. We’ve put together an ISO 27001 checklist to help your organization approach its implementation plan efficiently and prepare for certification.
1. Gain an Understanding of ISO 27001
If you are already familiar with ISO 27001 and its clauses, skip ahead to the rest of the checklist.
The ISO 27001 standard provides requirements for developing an effective ISMS and consists of two parts:
Clauses 0-10: Clauses 0 to 3 introduce the ISO 27001 standard. Clauses 4-10 state mandatory requirements for compliance with ISO 27001, across the following areas:
- Clause 4 - Context of the Organization
- Clause 5 - Leadership
- Clause 6 - Planning
- Clause 7 - Support
- Clause 8 - Operation
- Clause 9 - Performance evaluation
- Clause 10 - Improvement
Annex A: Outlines the 114 security controls that support ISO 27001’s mandatory requirements.
2. Form an Implementation Team
The implementation team needs to assign a leader to drive project management. The project leader should already be highly involved in your information security practices and possess leadership skills applicable to both the project team and across departments.
As with any organizational project, the implementation team should prepare a project mandate outlining its information security objectives, timeframe, costs, and level of executive support.
3. Perform a Gap Analysis
Performing a gap analysis gives your implementation team a clear overview of:
- Any existing information security provisions that meet ISO 27001 compliance requirements.
- Missing ISO 27001 compliance requirements.
Begin by outlining the context of your organization. The context of your organization involves understanding its internal and external context.
Internal context covers your organization’s products and services and its customers, alongside their associated risks and any potential internal threats. This understanding allows you to develop an ISMS that covers the relevant business areas and processes with regard to digital risk management and asset protection.
External context is any relevant considerations or insights from outside your organization. This includes:
- Any applicable legislation, like GDPR, GLBA, FISMA, LGPD, and PIPEDA
- Identifying external threats, including cybersecurity threats
- Any risks, including cybersecurity risks. For example, who would potentially be interested in compromising your business’s cybersecurity? What information would threat actors potentially take? How would they take it?
Cross-check the existing risk management controls and processes surrounding your organization’s context against ISO 27001’s compliance requirements and note any gaps. You will address these gaps further during the risk treatment process.
4. Define the ISMS Scope
After performing an ISO 27001 gap analysis, you can now define the scope of your ISMS based on these results.
The scope should clearly outline which information and assets your ISMS aims to protect. Enter this information into a risk register.
A typical ISMS scope covers:
- Context of organization
- Your organization’s business objectives
- Your organization’s physical location/s
- Your organization’s structure
- Your organization’s digital footprint
- Devices that affect your organization’s network security, e.g., computers, mobile devices, servers
- The requirements of interested parties, such as third party vendors
Which business areas/processes/functions will be the focus of your scope? Remember, starting out with a smaller scope allows for faster implementation.
It may suit your organization to define a narrow scope initially and then broaden your focus once your ISMS is more established.
5. Create an Information Security Policy (ISP)
With your scope readily in place to provide a clear starting point for your implementation team, it’s time to develop an information security policy (ISP).
An ISMS policy stipulates rules, policies, and procedures that ensure your organization meets minimum IT security and data security requirements. It should also set out employees’ roles and responsibilities in enacting the policy, as well as continual improvement standards.
A successful ISO 27001 information security policy should enable top management to clearly understand your ISMS strategy and its objectives. Importantly, the information security policy should include the ISMS’ benefits — from both a security and commercial standpoint.
6. Choose the Risk Assessment Methodology
Your implementation team will have already identified risks affecting your organization during the gap analysis process (Step 3).
It’s now time to decide on which process you will use to assess each risk’s significance and carry out risk assessments. Just like defining your scope, the risk assessment methodology you apply during implementation does not need to be overly complicated. You can start off using a basic methodology that covers scenarios about potential attack vectors across the attack surface, and what techniques threat actors could use to exploit existing vulnerabilities in a cyber attack.
As your ISMS develops, you can begin using a more advanced risk assessment methodology to cover more sophisticated scenarios.
7. Conduct Risk Assessment and Complete Risk Documentation
Risk Assessment Plan
After deciding how you will assess the nature and severity of risks, you can begin the information security risk assessment. A clearly defined risk assessment methodology should make this process much less daunting.
Risk Treatment Process
Once the risk assessment is complete, your implementation team will need to design a risk treatment process. The risk treatment process outlines whether the level of risk the organization is facing is acceptable.
Determine if top management is comfortable with the current level of risk or if further action can be taken to reduce the risk to a more manageable level. You can complete the risk treatment process by referring to the controls outlined in Annex A and selecting which ones are applicable to your organization.
Annex A Controls
The 114 Annex A controls help you identify where your organization needs to make improvements to its information security and are split into 14 categories:
- Information security policies
- Organization of information security
- Human resources security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operational security
- Communications security
- System acquisition, development, and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
Risk Assessment Report
Your team now needs to outline important information from the risk assessment and risk treatment processes in a Risk Assessment Report. The report should include existing risks, accepted risks, any controls from Annex A that are already in place, and those which will be put in place.
You must submit the Risk Assessment Report together with documented information on, and approval of, the residual risks (this can be included in the Statement of Applicability (SOA)).
Statement of Applicability (SOA)
After identifying your required information security controls, it’s time to write the Statement of Applicability. The SOA is usually in spreadsheet format and states which controls you are and aren’t using and the reasons why.
If you aren’t using certain controls, it is crucial to provide solid justification as to why they are not required for your ISMS implementation.
To determine which controls you need to include in your SOA, consider the following:
- Does the control help manage an existing risk?
- Are you legally required to implement the control? For example, data privacy is a GDPR requirement.
- Is the control linked to a regulatory requirement? For example, processing credit card data would require PCI DSS compliance.
- Is the control bound by a contractual agreement with a third party, e.g. vendor, customer, partner?
Your organization likely already has some of the controls in place — these are known as baseline controls.
Risk Treatment Plan
Only after completing the SOA can you start the Risk Treatment Plan. The SOA defines which information security controls to apply; the Risk Treatment Plan outlines how these controls will be implemented. It essentially brings the surrounding risk documentation to life by specifying, for example, who is responsible for executing the plan, the timeframe, and the budget.
8. Decide How to Measure Effectiveness of ISMS
After completing the required risk documentation, your implementation team must now specify how to measure the effectiveness of the ISMS, its policies, processes, and controls.
It’s essential that you create clear guidelines for measurement to ensure you can track objectives, like security metrics, efficiently. These guidelines will also help you report progress to all stakeholders.
Before deciding how you will measure these components, you first need to ensure your objectives are measurable. Objectives should be clearly defined, realistic, attainable, and have a set timeframe.
9. Implement the ISMS Policy and Controls
Once your team has completed all risk documents and developed risk measurement guidelines, you’re now ready to implement the ISMS policy and its controls.
Closely reference ISO 27001 clauses 4-10 and the Annex A controls to ensure you have covered all requirements.
10. Initiate Employee Awareness Programs
With the new ISMS in action, it’s time to engage your organization with the policies and procedures. All employees should receive regular compliance training and be made aware of cyber security best practices within the organization.
Awareness programs are particularly important as human error is one of the leading causes of data breaches, particularly by falling prey to social engineering attacks like phishing and email spoofing.
Lack of cyber security awareness is also a major contributing factor to ISMS failure, so it is even more important to ensure your organization has education and awareness programs in place.
11. Conduct Internal Audit and Management Review
After raising awareness of the ISMS and its policies and procedures, you will need to conduct an internal audit and management review. These procedures help to ensure objectives are still relevant and to identify any necessary changes to the ISMS.
The audit must be conducted independently, i.e. by someone who was not involved in the implementation process. The smaller the scope of the ISMS, the faster the audit process is.
Ensure that the auditor is competent and experienced — an ISO 27001 Lead Auditor would be the most qualified to perform the job.
Internal audits should occur at least annually if possible, and otherwise at least once every three years.
Having your executive team on board with the ISMS is crucial. If a security incident occurs or there are any other related problems, top management will be responsible for signing off on any financial or policy decisions. This process is much more streamlined if they are already up to speed on the ISMS’ policies, procedures, and latest updates and revisions through ongoing management reviews.
An automated monitoring solution can help log any security incidents, the type of incident, and other useful reporting information to further simplify audits and reviews.
12. Take Corrective Actions and Make Continual Improvements
Following all internal audits and management reviews, the implementation team should address any issues (non-conformities) through corrective actions and improvements. Your organization should aim to put preventative measures in place to ensure any non-conformities do not repeat themselves.
The most effective way of addressing non-conformities is to dig deeper than the visible problem by identifying and resolving the root cause of the issue. Making continual improvements to existing policies, processes, and procedures ensures your ISMS remains relevant and effective.
13. Complete Certification Audit
If your organization seeks ISO 27001 certification, you will need to partake in an external audit.
You should only allow a certification body accredited by a national accreditation body that is a member of the International Accreditation Forum (IAF) to perform the audit, to ensure you receive recognized certification.
Once you receive certification, it’s important to maintain a long-term strategy, continue to perform regular internal audits and management reviews, and practice continual improvement to remain ISO 27001 compliant.
Achieve and Maintain ISO/IEC 27001 Compliance with UpGuard
UpGuard is an intelligent attack surface monitoring solution that allows you to assess both internal and third-party compliance against ISO 27001 and other recognized security standards.
Using UpGuard’s built-in security questionnaire templates, you can clearly map your vendors’ ISO 27001 questionnaire results against compliance requirements.
The platform also uses automated scanning to detect additional risks that could affect your or your vendors’ ISO 27001 compliance. These risks are mapped to specific sections of the compliance framework, allowing you to quickly identify areas needing improvement.