ISO 27001 implementation checklist
If you are starting to implement ISO 27001, you are probably looking for an easy way to implement it. Let me disappoint you: there is no easy way to do it. However, I’ll try to make your job easier – here is the list of sixteen steps you have to go through if you want to achieve ISO 27001 certification:
1. Obtain management support
This one may seem rather obvious, and it is usually not taken seriously enough. But in my experience, this is the main reason why ISO 27001 projects fail – management is not providing enough people to work on the project or not enough money. (Read the article Four key benefits of ISO 27001 implementation for ideas how to present the case to management.)
2. Treat it as a project
As already said, ISO 27001 implementation is a complex issue involving various activities, lots of people, lasting several months (or more than a year). If you do not define clearly what is to be done, who is going to do it and in what time frame (i.e. apply project management), you might as well never finish the job. (Read the article ISO 27001 project – How to make it work for more about developing a successful ISO 27001 project.)
3. Define the scope
If you are a larger organization, it probably makes sense to implement ISO 27001 only in one part of your organization, thus significantly lowering your project risk. (Learn more about defining the scope in the article How to define the ISMS scope).
4. Write an Information Security Policy
The Information Security Policy (or ISMS Policy) is the highest-level document in your ISMS – it shouldn’t be very detailed, but it should define some basic issues for information security in your organization. But what is its purpose if it is not detailed? The purpose is for management to define what it wants to achieve, and how to control it. (Learn more in the article What should you write in your Information Security Policy according to ISO 27001?)
5. Define the Risk Assessment methodology
Risk assessment is the most complex task in the ISO 27001 project – the point is to define the rules for identifying the assets, vulnerabilities, threats, impacts and likelihood, and to define the acceptable level of risk. If those rules were not clearly defined, you might find yourself in a situation where you get unusable results. (For more, read the article How to write ISO 27001 risk assessment methodology).
6. Perform the risk assessment & risk treatment
Here you have to implement the risk assessment you defined in the previous step – it might take several months for larger organizations, so you should coordinate such an effort with great care. The point is to get a comprehensive picture of the dangers to your organization’s information. (For more, read the article ISO 27001 risk assessment: How to match assets, threats and vulnerabilities).
The purpose of the risk treatment process is to decrease the risks which are not acceptable – this is usually done by planning to use the controls from Annex A. (Learn more in the article 4 mitigation options in risk treatment according to ISO 27001).
In this step a Risk Assessment Report has to be written, which documents all the steps taken during risk assessment and risk treatment process. Also an approval of residual risks must be obtained – either as a separate document, or as part of the Statement of Applicability.
7. Write the Statement of Applicability
Once you finished your risk treatment process, you will know exactly which controls from Annex you need (there are a total of 114 controls but you probably wouldn’t need them all). The purpose of this document (frequently referred to as SoA) is to list all controls and to define which are applicable and which are not, and the reasons for such a decision, the objectives to be achieved with the controls and a description of how they are implemented.
The Statement of Applicability is also the most suitable document to obtain management authorization for the implementation of ISMS. (Read the article The importance of Statement of Applicability for ISO 27001 to learn more).
8. Write the Risk Treatment Plan
Just when you thought you resolved all the risk-related documents, here comes another one – the purpose of the Risk Treatment Plan is to define exactly how the controls from SoA are to be implemented – who is going to do it, when, with what budget etc. This document is actually an implementation plan focused on your controls, without which you wouldn’t be able to coordinate further steps in the project. . (Read the article Risk Treatment Plan and risk treatment process – What’s the difference? for more details on the Risk Treatment Plan).
9. Define how to measure the effectiveness of controls
Another task that is usually underestimated. The point here is – if you can’t measure what you’ve done, how can you be sure you have fulfilled the purpose? Therefore, be sure to define how you are going to measure the fulfilment of objectives you have set both for the whole ISMS, and for each applicable control in the Statement of Applicability. (Read more in the article ISO 27001 control objectives – Why are they important?)
10. Implement the controls & mandatory procedures
Easier said than done. This is where you have to implement the four mandatory procedures and the applicable controls from Annex A. For more about Annex A, read the article How to structure the documents for ISO 27001 Annex A controls.
This is usually the most risky task in your project – it usually means the application of new technology, but above all – implementation of new behaviour in your organization. Often new policies and procedures are needed (meaning that change is needed), and people usually resist change – this is why the next task (training and awareness) is crucial for avoiding that risk.
11. Implement training and awareness programs
If you want your personnel to implement all the new policies and procedures, first you have to explain to them why they are necessary, and train your people to be able to perform as expected. The absence of these activities is the second most common reason for ISO 27001 project failure. (For more about training and awareness, read the article How to perform training & awareness for ISO 27001 and ISO 22301).
12. Operate the ISMS
This is the part where ISO 27001 becomes an everyday routine in your organization. The crucial word here is: “records”. Auditors love records – without records you will find it very hard to prove that some activity has really been done. But records should help you in the first place – using them you can monitor what is happening – you will actually know with certainty whether your employees (and suppliers) are performing their tasks as required. (Read more in the article Records management in ISO 27001 and ISO 22301).
13. Monitor the ISMS
What is happening in your ISMS? How many incidents do you have, of what type? Are all the procedures carried out properly?
This is where the objectives for your controls and measurement methodology come together – you have to check whether the results you obtain are achieving what you have set in your objectives. If not, you know something is wrong – you have to perform corrective and/or preventive actions. (Learn more in the article How to perform monitoring and measurement in ISO 27001).
14. Internal audit
Very often people are not aware they are doing something wrong (on the other hand they sometimes are, but they don’t want anyone to find out about it). But being unaware of existing or potential problems can hurt your organization – you have to perform internal audit in order to find out such things. The point here is not to initiate disciplinary actions, but to take corrective and/or preventive actions. (Read the article How to prepare for an ISO 27001 internal audit for more details.)
15. Management review
Management does not have to configure your firewall, but it must know what is going on in the ISMS, i.e. if everyone performed his or her duties, if the ISMS is achieving desired results etc. Based on that, the management must make some crucial decisions. (Learn more in the article Why is management review important for ISO 27001 and ISO 22301?).
16. Corrective and preventive actions
The purpose of the management system is to ensure that everything that is wrong (so-called “non-conformities”) is corrected, or hopefully prevented. Therefore, ISO 27001 requires that corrective and preventive actions are done systematically, which means that the root cause of a non-conformity must be identified, and then resolved and verified. (Read the article Practical use of corrective actions for ISO 27001 and ISO 22301).
Hopefully this article clarified what needs to be done – although ISO 27001 is not an easy task, it is not necessarily a complicated one. You just have to plan each step carefully, and don’t worry – you’ll get your certificate.
To find a more detailed list of implementation steps, check out Conformio compliance software.
Here you can download a Diagram of the ISO 27001 implementation process showing all these steps, together with the required documentation.