ISO 27001

Upload: dipin-sharma

Post on 23-Jan-2017


Page 1: Damco ISO 27001

ISO 27001


Agenda

What is ISO 27001

The PDCA Model

Steps to achieve ISO 27001 Certification


PDCA Model

The "Plan-Do-Check-Act" (PDCA) model applies at different levels throughout the ISMS (cycles within cycles).

The diagram illustrates how an ISMS takes as input the information security requirements and expectations and, through the PDCA cycle, produces managed information security outcomes that satisfy those requirements and expectations.

[Diagram: PDCA cycle (Plan, Do, Check, Act); input: information security requirements and expectations; output: managed information security]


PDCA Model

Plan (establish the ISMS)

Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization's overall policies and objectives.

Do (implement and operate the ISMS)

Implement and operate the ISMS policy, controls, processes and procedures.

Check (monitor and review the ISMS)

Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience, and report the results to management for review.

Act (maintain and improve the ISMS)

Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.


10 Steps to Achieve ISO 27001

Step 1: Decision

Senior management need to be behind the decision for ISO 27001 certification. There is definite value in communicating this internally, as it reinforces the company's aspiration to pursue best practice.

What is needed? A concise and positive briefing to senior management outlining the benefits and how certification provides a platform for business growth.

Step 2: ISO Management Representative

The company appoints a responsible and knowledgeable manager to run the program and implementation. This person will become the company's ISO 27001 specialist, understanding the controls and milestones needed towards accreditation.

What is needed? Selection of the right individual, with a specific job description and knowledge of ISO and ISMS requirements.


10 Steps to Achieve ISO 27001

Step 3: Gap Analysis and Risk Assessment

A risk assessment or gap analysis is conducted to find out what can go wrong and which threats endanger the Confidentiality, Integrity and Availability of information. This is to understand the maturity of existing controls within the business and to determine the risk profile.

What is needed? The gap analysis, followed by a risk assessment of all in-scope people, processes and technology, performed by a qualified auditor. An understanding of the maturity of controls and of the risk profile.

Step 4: Scope & Implementation Plan

Reviewing the output of the gap analysis allows the business to validate the scope of implementation and the functional / operational boundaries. For each risk identified, appropriate controls are set to manage the risk in a systematic way. This ensures nothing important is missed. Important milestones, time requirements, and dates for any pre-assessment and staged audits are set.

What is needed? A concise step-by-step guide that explains the ISO 27001 process in sufficient detail.


10 Steps to Achieve ISO 27001

Step 5: Employee Introduction

It is important to engage with employees from the beginning to ensure they buy in to the ISO 27001 certification process and respond appropriately, and to help them understand the individual, company and client benefits.

What is needed? A short and easy-to-understand ISO 27001 and security introduction briefing that focuses on how employees are affected and their role in the successful implementation.

Step 6: Documentation, documentation, documentation!

ISO 27001 certification requires extensive documentation addressing all relevant milestones and individual controls. This forms the criteria the company is measured against to meet the ISO standard.

What is needed? A set of policies, standards and procedures to ensure the business is adhering to all requirements in an efficient and achievable manner.


10 Steps to Achieve ISO 27001

Step 7: Realisation

With the gap analysis, scope and documentation ready, it is time to put the new processes into 'business as usual' throughout the company and start realising the many benefits of ISO 27001. At this stage it is beneficial to conduct a pre-assessment to ensure the company is on the right track and to validate the evidence.

What is needed? Pre-assessment forms, checklists and the gathering of evidence. Communication to staff about the revised processes, the need to adopt them fully, and a channel to report back on what isn't working.

Step 8: Internal ISO 27001 Audits

ISO 27001 requires an internal audit to assess how far the company has progressed against the milestones and the implementation phase. An auditor will complete documentation assessing the risks, noting controls and remediation, to highlight the improvements required.

What is needed? An experienced internal or external auditor. Audit tools that include forms, complete audit checklists and audit reports.


10 Steps to Achieve ISO 27001

Step 9: ISO 27001 Certification

The most important step is to pass the ISO 27001 certification audit. An independent assessor will issue a certificate stating that the business is meeting the ISO 27001 controls and requirements. The appointed internal representative needs to be confident in the process they have followed and consider how best to interact with the assessor.

What is needed? Employee preparation for the ISO 27001 certification, including the questions that may be asked and the areas the audit will focus on. An independent assessor from a reputable company.

Step 10: Maintaining the ISO 27001 Certification

It is important to keep the ISO management system working by integrating it into daily operations. The business should focus on continual improvement.

What is needed? A reinforcement message to employees. A focus on maintaining the standards through an internal champion. Treat the ISMS as an integral component of the business processes and not a one-off project.


Question & Answer?
