ISO 27001 project – How to make it work
Many companies don’t realize this, but setting the ISO 27001 project properly at the beginning of the implementation is one of the most important elements if you want to implement ISMS in an acceptable time and budget.
Don’t try this without management support
Management commitment must come before anything else – if your top executives don’t see real benefit in increasing the level of security by setting clear rules, you would better invest your energy in something else.
But this cannot happen in a short time, let alone in one meeting with a PowerPoint presentation. This is a process where you need to play an active role – first you need to recognize the applicable benefits for your business, and then consistently push this message toward the decision makers. See also: Four key benefits of ISO 27001 implementation.
Get the knowledge
Unless you’ve already implemented ISO 27001 a couple of times, you’ll need to learn how it is done. ISO 27001 implementation is way too complex to understand only by reading the standard.
In essence, you have three options:
a) With your own employees only – in this case, you have to train yourself and your colleagues so that you get all the required knowledge for the implementation. This is the best option if you don’t want outsiders in your company, and if you want the highest learning curve for your employees. Sending your employees for trainings, and getting some other tools (e.g. templates, tutorials) will drastically decrease the implementation time.
b) Combination of your employees & outside help – this where you choose to implement the standard yourself (by performing all the analysis, interviews, writing the documentation, etc.), but an outside expert (e.g. a consultant) is leading you step by step in the whole process. This is a good option if you want to learn a lot about the implementation and have someone make sure you don’t do anything wrong in the process.
c) Consultant is doing most of the job – this is the option where you hire a consultant to do the whole job. This should be the quickest option for implementing the standard, and requires the least amount of effort. Read also 5 criteria for choosing an ISO 22301 / ISO 27001 consultant.
How to choose a project manager
Of course, the ISO 27001 implementation should be structured as a project – without defining exactly who is responsible for what, and in which time frame, chances are good that your implementation would never finish.
The most natural person to lead the project should be a person who is in charge of information security in your company – there are different titles for this job: Chief Information Security Officer (CISO), Information Security Officer (ISO), Security Manager, etc. See also: Chief Information Security Officer (CISO) – where does he belong in an org chart?
Some larger companies have corporate rules/structures for managing projects, so in such case a professional project manager would lead the project, whereas an information security expert would be a member of the project team.
Normally, you should divide your project into two phases:
- Analysis and planning – this is where you need to define the objectives of your project, analyze the existing situation, and determine what needs to be done. In other words, you need to complete all the steps from the Plan phase (clause 4.2.1 of the standard) including setting up the ISMS scope, ISMS Policy and objectives, performing risk assessment and treatment, and producing the Statement of Applicability.
- Implementation of safeguards – unfortunately, you cannot know which security controls you need to implement before you finish the previous phase in the project. So the detailed implementation roadmap will be known only after the first phase is finished – basically, in the implementation phase you need to implement all the policies, procedures, technology, and other things that will help your information become safer.
And when you implement all the controls you have planned for, your project is finished. But remember – this is when the most important (and most difficult) job begins – including your security activities in day-to-day operations.
Click here to download a free preview of ISO 27001 Project Plan template.