How to use Scrum for the ISO 27001 implementation project

Scrum is a framework based on Agile principles and used mainly in software development. It was originally developed for complex product development, and many companies around the world now use it for projects of various kinds.

Thanks to its three basic pillars (transparency, inspection, and adaptation), Scrum provides an excellent foundation for implementing almost any project with relatively little friction. Furthermore, Scrum strengthens the working relationships between team members and promotes the motivation of the personnel involved in the project, so members understand each other, communicate, and work together better. This makes the team more efficient, which in turn means that the implementation time for the project can be reduced. So, I want to show you, from my point of view, how Scrum can be useful for an ISO 27001 project.

The Scrum process and the Sprints

The most important element in the Scrum process is the Sprint, because everything is organized around Sprints. A Sprint is, basically, one iteration of the project. In each Sprint, or iteration, you develop part of your project, finishing and delivering a part of the product to your customer.

For example, if you are writing a book using the Scrum process, your project can be divided into several iterations (Sprints), and in each one you finish a part of the final product (for example, a section of the book). In the first Sprint, you finish Section 1 and deliver it to your clients; in the second Sprint, you complete Section 2, and so on.

Every Sprint is composed of the following events:

  • Sprint Planning: Planning of the activities that will be performed in the Sprint.
  • Daily Meeting: The team discusses which activities have been performed, which activities it intends to perform next, and which obstacles could impede the continuation of the work.
  • Sprint Review: Review of the product completed during the Sprint, checking whether it satisfies the requirements.
  • Sprint Retrospective: The main objective of this meeting is to improve how the people involved apply the Scrum method (it improves the Scrum process, not the product), which is generally very positive for the people and their work.

If you review how you implemented, for example, one ISO 27001 control, you will see a match between the content of a Sprint and the implementation steps you took. See also: ISO 27001 implementation checklist.

Requirements and implementation of ISO 27001 and Scrum

Scrum is usually applied to complex projects, i.e., projects whose requirements often change while the project is being carried out. ISO 27001 implementation projects are not that kind of project (the standard's requirements don't change), but Scrum can still be useful for implementing the standard.

Based on my experience as an international lead auditor for ISO 27001, there are many companies that have started their projects without knowing exactly what the requirements of the standard are (I mean, for example, the mandatory documents and records), and many of them finish the implementation still without knowing these requirements. Using Scrum, an organization performs as many Sprints as necessary until the requirements are defined.

Once you define the requirements (in the form of the Statement of Applicability, together with the defined context and the requirements of interested parties), the standard doesn't say who implements these requirements, or how. These requirements are generic, which means that two people can have two different views of the same requirement. Usually, however, the requirements are implemented by a single person such as the CISO, or a similar person responsible for information security. This is not the best way, because then ISO 27001 is implemented from a single point of view instead of a consensus point of view. (See also: What is the job of Chief Information Security Officer (CISO) in ISO 27001?)

From my point of view, if the implementation of each requirement is discussed between the CISO, management, and other people involved in the ISO 27001 implementation (for example, an external consultant), the requirements will be more precise, and better suited to the organization’s requirements. Also, all people will be aligned with the requirements, and these requirements will be aligned with the business. So, based on this information, this type of project is perfectly suited to Scrum (i.e., a clearly defined team responsible for the implementation, responsibilities, and frequent meetings and discussions).

Basically, Scrum can help you with all of the above because it defines a specific role responsible for the requirements of the product: the product owner (which could be the CISO). In addition, the Sprints (meetings and stepwise implementation of the requirements) are designed to develop specific requirements over several iterations.

This article may also help you: ISO 27001 project – How to make it work.

Scrum – For the benefit of your ISO 27001 implementation project

Scrum can be your best friend during an ISO 27001 implementation, because it establishes a strong project organization in which everyone knows their responsibilities, which can also help you reduce implementation times, and it provides a clear definition of who is responsible for the requirements and how to implement them.

Maybe you are already implementing ISO 27001 using a methodology that is rather similar to Scrum. Even so, Scrum gives you a clear, established framework and methodology for implementing ISO 27001 without "reinventing the wheel." The benefit is efficiency for your organization, which also influences your customers' satisfaction.

Use this free online training, ISO 27001:2013 Lead Implementer Course, to learn more about the requirements and the steps in the implementation.

Antonio Jose Segovia
Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.