Implementing ISO 27001 - Part 1

Implementation Phases

An organization needs to have the detailed understanding of PDCA implementation phases to manage the costs of the project. Software development companies adopt PDCA cycle to implement international standards. Cycle of the PDCA is consistent with all auditable international standards: ISO 18001, 9001 and 14001. ISO/IEC 27001:2005 gives the following PDCA steps for an organization to follow:

• Define an ISMS policy
• Define the scope of the ISMS
• Perform a security risk assessment
• Manage the identified risk
• Select the controls to be implemented and applied
• Prepare an SOA

Phase 1—Identify Business Objectives

Stakeholders must buy in; identifying and prioritizing objectives is the step that will gain management support. The primary objectives can be derived from the company’s mission, the strategic plan and IT goals. The objectives are:

• Increased marketing potential
• Complete assurance to the business partners of the organization’s status with respect to information security
• Both Increased revenue and profitability by providing the highest level of security for customers’ sensitive data
• Identification of the information assets & effective risk assessments
• Compliance with industry regulations

Phase 2—Obtain Management Support

Management must make a commitment to the establishment, planning, the implementation, the operation, monitoring, review, improvement and maintenance of the ISMS. The commitment must also include activities such as ensuring that the proper resources are available to work on the ISMS and that all employees affected by the ISMS have the proper training, competency and also awareness. The following activities/initiatives show management support:

• An information security policy
• The information security objectives & the plans
• The roles & responsibilities for the information security or a segregation of duties (SoD) matrix that shows the list of the roles related to information security
• Sufficient resources for managing, developing, maintaining and implementing the ISMS
• The determination of acceptable level of risk
• The management reviews of the ISMS at planned intervals
• Assurance that personnel affected is also affected by the ISMS are provided with training
• Appointment of the competent people for the roles and responsibilities that they are assigned to fulfill

Phase 3—Select Proper Scope of Implementation

ISO 27001 states that any scope of implementation may cover all or part of an organization. According to it for the software company or any other company the scope of the ISMS, the processes, business units, external vendors or contractors falling within the scope of implementation must be specified for certification to occur.

The standard also thus requires companies to list any scope exclusions and the reasons why they were excluded.

Identifying the scope of implementation can save the organization time, money. The following points should be considered:

• Selected scope helps to achieve all the identified business objectives.
• The organization’s over all scale of operations is an integral parameter needed to determine the compliance process’s complexity level.
• To find out appropriate scale of operations, organizations need to consider the number of employees, business processes, work locations, and products or services offered.

Phase 4—Define the appropriate Method of Risk Assessment

To meet the requirements of ISO/IEC 27001, the companies need to define & document the method of risk assessment. The ISO/IEC 27001 standards do not specify the risk assessment method that can be used. The following all points should be considered:

• The method that can be used that can assess the risk to identified information assets
• Which risks are intolerable therefore, that need to be mitigated
• Managing the residual risks through carefully considered policies, the procedures and controls
• Choosing a risk assessment method is one of the most important parts of establishing the ISMS and use of the following will be helpful:
• NIST Special Publication (SP) 800-30 Risk Management Guide for Information Technology Systems
• Sarbanes-Oxley IT risk assessment
• Asset classification, data classification documents (determined by the organization)
• ISO 27001 needs risk evaluations based on levels of confidentiality, integrity and availability (CIA):
• Confidentiality—Clause 3.3: Ensuring that information is accessible only to those authorized to have access
• Integrity—Clause 3.8: Safeguarding the accuracy and completeness of information and processing methods
• Availability—Clause 3.9: Ensuring that authorized users have access to information and associated assets when required

Conclusion

The true success of ISO 27001 is its alignment with the business objectives and effectiveness in realizing those objectives. For any software development company, IT & the other departments play an important role in implementing the ISO 27001. Implementation of ISO 27001 is an exercise toward better understanding an existing inventory of IT initiatives & the information availability and ISMS implementation phases. The organization also needs to have the detailed understanding of PDCA implementation phases. 

Without a well-defined and well-developed ISO 27001 project plan & implementing ISO 27001 would be a time- and cost-consuming exercise & to achieve the planned return on investment (ROI), the implementation plan has to be developed with an end goal in mind. Training and internal audit are major parts of ISO 27001 implementation. ISO 27001 certification should help assure most business partners of an organization’s status with respect to information security without the necessity of conducting their own security reviews. 

Author Signature: Shreyans Agrawal (ifour.shreyans.agrawal@gmail.com)