    ISO 27001 & ISO 22301 Blog

    ISO 27001 project – How to make it work

    Many companies don’t realize this, but setting up the ISO 27001 project properly at the beginning of the implementation is one of the most important elements if you want to implement an ISMS within an acceptable time and budget.

    Don’t try this without management support

    Management commitment must come before anything else – if your top executives don’t see a real benefit in increasing the level of security by setting clear rules, you had better invest your energy in something else.

    But this cannot happen in a short time, let alone in one meeting with a PowerPoint presentation. This is a process where you need to play an active role – first you need to recognize the applicable benefits for your business, and then consistently push this message toward the decision makers. See also: Four key benefits of ISO 27001 implementation.

    Get the knowledge

    Unless you’ve already implemented ISO 27001 a couple of times, you’ll need to learn how it is done. ISO 27001 implementation is way too complex to understand only by reading the standard.

    In essence, you have three options:

    a) With your own employees only – in this case, you have to train yourself and your colleagues so that you acquire all the knowledge required for the implementation. This is the best option if you don’t want outsiders in your company, and if you want the steepest learning curve for your employees. Sending your employees to training courses, and acquiring some other tools (e.g. templates, tutorials), will drastically decrease the implementation time.

    b) Combination of your employees & outside help – this is where you choose to implement the standard yourself (by performing all the analysis, interviews, writing the documentation, etc.), but an outside expert (e.g. a consultant) leads you step by step through the whole process. This is a good option if you want to learn a lot about the implementation and have someone make sure you don’t do anything wrong in the process.

    c) Consultant does most of the job – this is the option where you hire a consultant to do the whole job. This should be the quickest option for implementing the standard, and it requires the least amount of effort on your side. Read also: 5 criteria for choosing an ISO 22301 / ISO 27001 consultant.

    How to choose a project manager

    Of course, the ISO 27001 implementation should be structured as a project – without defining exactly who is responsible for what, and in which time frame, chances are good that your implementation will never finish.

    The most natural person to lead the project should be a person who is in charge of information security in your company – there are different titles for this job: Chief Information Security Officer (CISO), Information Security Officer (ISO), Security Manager, etc. See also: Chief Information Security Officer (CISO) – where does he belong in an org chart?

    Some larger companies have corporate rules/structures for managing projects; in such a case a professional project manager would lead the project, whereas an information security expert would be a member of the project team.

    Project phases

    Normally, you should divide your project into two phases:

    1. Analysis and planning – this is where you need to define the objectives of your project, analyze the existing situation, and determine what needs to be done. In other words, you need to complete all the steps from the Plan phase (clause 4.2.1 of the standard) including setting up the ISMS scope, ISMS Policy and objectives, performing risk assessment and treatment, and producing the Statement of Applicability.
    2. Implementation of safeguards – unfortunately, you cannot know which security controls you need to implement before you finish the previous phase of the project, so the detailed implementation roadmap will be known only after the first phase is finished. Basically, in the implementation phase you need to implement all the policies, procedures, technology, and other measures that will help make your information safer.

    And when you have implemented all the controls you planned for, your project is finished. But remember – this is when the most important (and most difficult) job begins: embedding your security activities in day-to-day operations.

    To find a list of implementation steps, check out the ISO 27001 implementation checklist.

    Dejan Kosutic
    Dejan holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Dejan leads our team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related web tutorials, documentation toolkits, and books.