Where to start from with ISO 27001

Author: Dejan Kosutic

If you’re just starting to learn about ISO 27001, or you were given the task to implement this cybersecurity standard and you do not have much experience, you’re probably wondering what to do first.

To help you get around, we created this list of useful materials from 27001Academy, which will enable you to learn what needs to be done.

Materials to get you started

Here are a few materials that will help you understand what ISO 27001 is all about, and give you some simple tips on where to start:

• Article What is ISO 27001 – this article explains the most basic facts about the standard
• Article ISO 27001 implementation checklist – rather short article that describes the main steps your company needs to take to become compliant with ISO 27001
• Free download Clause-by-clause explanation of ISO 27001 – a more detailed explanation on what the standard requires
• Free webinar ISO 27001: An overview of ISMS implementation process – one-hour webinar that explains the steps in the implementation and answers the most common questions from people doing this for the first time
• Free online training ISO 27001 Foundations Course – excellent overview of all the requirements and the steps in the implementation in this one-day course
• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own – for those who want to learn more, this book is very comprehensive and provides more details than the other mentioned materials
• Set of templates ISO 27001 Documentation Toolkit – if you are just starting the implementation, you’ll find this set of templates with all the policies and procedures quite useful, taking you step-by-step through the whole project

Risk management materials

If you have already started your implementation, you probably realized that the most complex step in the implementation is the risk assessment and treatment. Here are a few materials you’ll find useful:

• Article ISO 27001 risk assessment & treatment – 6 basic steps
• Article ISO 27001 risk assessment: How to match assets, threats and vulnerabilities
• Article How to assess consequences and likelihood in ISO 27001 risk analysis
• Article 4 mitigation options in risk treatment according to ISO 27001
• Free download Step-by-step explanation of ISO 27001 risk management
• Free download Diagram of ISO 27001:2013 Risk Assessment and Treatment process
• Free webinar The basics of risk assessment and treatment according to ISO 27001
• Book ISO 27001 Risk Management in Plain English
• Set of templates ISO 27001 Risk Assessment Toolkit

Security controls (safeguards)

Although ISO 27001 is not a technical standard, it does provide a catalogue of 114 controls that you should consider implementing to mitigate potential incidents – here are some materials that will give you more insight into these controls:

• Article The basic logic of ISO 27001: How does information security work?
• Article Overview of ISO 27001:2013 Annex A
• Article ISO 27001 vs. ISO 27002
• Book ISO 27001 Annex A Controls in Plain English

Writing the documentation

Writing policies and procedures is usually the hardest thing for most people – here are a few materials that will help you get started:

• Article 8 criteria to decide which ISO 27001 policies and procedures to write
• Article Seven steps for implementing policies and procedures
• Article One Information Security Policy, or several policies?
• Article How to structure the documents for ISO 27001 Annex A controls
• Article Document management in ISO 27001
• Free download Checklist of mandatory documentation required by ISO 27001 (2013 Revision)
• Free webinar How to use a Documentation Toolkit for the implementation of ISO 27001
• Book Managing ISO Documentation: A Plain English Guide

Setting up an ISO 27001 project

Because ISO 27001 is a rather complex standard, you need to make sure that you can complete the project successfully – here are a few materials on how to prepare and organize the implementation project:

• Article Four key benefits of ISO 27001 implementation
• Article ISO 27001 project – How to make it work
• Article Who should be your project manager for ISO 27001/ISO 22301?
• Article 5 ways to avoid overhead with ISO 27001 (and keep the costs down)
• Free download ISO 27001 Project Plan
• Free download How to budget an ISO 27001 implementation project
• Free download Implementing ISO 27001 with a consultant vs. DIY approach
• Free download Project checklist for ISO 27001 implementation
• Book Preparing for the ISO Implementation Project: A Plain English Guide

So, yes, ISO 27001 probably sounds pretty complex at first glance – I hope we managed to clarify most of your doubts with these materials. Let us know in the comments below if you feel some other materials are needed.

Probably the best overview of ISO 27001 is in this free online training: ISO 27001:2013 Foundations Course.

About the author:

Dejan holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Dejan leads our team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related web tutorials, documentation toolkits, and books.