Implementation is the first phase of the ISO/IEC 27001 certification process, and arguably the most critical (and vastly time-consuming) phase in the journey.
You can check here for our post on the different phases of the ISO27001 journey (in case you missed it).
Before embarking on savagely implementing policies and controls, preparation and understanding will come as a time-saving step.
Start by understanding the ISO standard
Ok, you have an implementation manager, or project manager (either internal or external), now what?
We strongly recommend that you go and purchase the ISO27001 standard from the ISO body, or from any local certification body/accredited resellers. The standard is only 30 pages long 😱, nonetheless it can be confusing and hard to digest, so do allocate some time to read it together with your project team members.
Why? This will help you to understand the structure and rationale behind the controls that go into your ISMS.
The clauses are the "main headers" of the standard. Think of the standard as you think of a book, each clause represents a chapter (or one knowledge area to cover). Several of the clauses are mostly introductory, but the ones you should care about are clauses 4 to 10 (in the latest edition - the 2013 one).
Requirements are included within each of the clauses. Think of requirements as the sub-chapters of “the book” (mentioned above). Requirements usually come as paragraphs or sections within clauses that say something along the lines of “people working in the organization shall know…” or “the organization’s ISMS shall include…”, whenever you read a similar sentence, it means that this is something you should implement and have evidence of.
The ‘fearsome’ Annex A
Controls are regarded as the most daunting part by many, these are included in something called “Annex A”.
When you see Annex A for the first time (after reading through the clauses) you will feel it’s longer than that receipt at the grocery store you wish you threw away. Annex A contains several controls and control objectives (all of them have a naming convention that starts with A and some numbers: like “A.5.1.1").
Many of these controls are things that you’ll have to monitor and establish a procedure for (e.g. set-up a password management system, restrictions on software installations).
The more controls you implement, the more you need to monitor, and well… doing that manually might turn out to be a nightmare.
But let us give you a secret tip 🤐, you don’t have to implement them all.
The ISMS you implement should work for your organization, and not the other way around. Some controls may not be necessary or applicable to you.
How do I know which controls to implement? Well, first you need to define the scope of your ISMS and the requirements to your organisation (e.g. laws and regulations that apply to you, contracts you signed) and perform a risk assessment (we’ll talk about this in future posts as it’s a key element of your ISMS).
After you have completed the above, you then go on to create something that is called: “Statement of Applicability (SOA)”, which is a document that says which controls of Annex A you decided to implement with a justification of why it was or was not included, it’s as easy as that.
As previously mentioned, the implementation phase is the longest phase of the certification journey. It is going to take time to draft/write your policies, select controls, implement them, communicate everything to the rest of the organization, and gather evidence to back everything up in an audit.
With multiple workflows taking place, a project manager or project owner is recommended to oversee this project (👌🏼this person doesn’t have to be 100% full-time on it, provided they’re sufficiently empowered and the time they spend is dependent on how fast you want to move).
Implementing or revamping your ISMS would require organization-wide awareness of your controls. The human factor is DEFINITELY going to correlate to the success of your ISMS, and you have to manage it accordingly. We’ve seen that persuading employees and stakeholders to change their behaviours requires understanding their business needs and tailoring cyber controls to empower their business processes (not the other way around).
It’s usually helpful to run some interviews prior to building your ISMS (to get initial buy-in and drive awareness).
Once you have completed the implementation, you will need to allocate time for proper evidence compilation and filing. Not doing this properly will frustrate you and the auditors and could unnecessarily extend the time it takes you to achieve compliance.
You may stumble multiple times while implementing your ISMS, and that is normal. Fortunately, all these learnings will be fruitful for your organization. Not only will you be better protected, but you will be able to ensure to your customers and partners that you have ample measures put in place to protect customer’s data and guard business continuity.
Ready for ISO 27001?
A certification can greatly boost the confidence your partners and customers have in your business. With a better understanding of ISO 27001, we hope you can start planning the roadmap and ISMS for your organization. Get in touch with us if you have more questions about security or you would like help getting certified.