6 simple steps to adopt ISMS under ISO 27001 standard

According to Wikipedia, Information Security Management Systems (ISMS) are:

Information Security Management always correlates to the implementation of an Information Security Management System (ISMS).

Any kind of management within an organization which deals with security-related issues should incorporate an Information Security Management System (ISMS) in order to secure business information and to maintain the information environment. Organisations which adopt the holistic approach of managing information security obtain an advantage due to the fact that an ISMS assures the trustworthiness of an organization's information security arrangements to other organizations.

An ISMS comprehends the design, implementation and maintenance of a set of processes to efficiently manage the accessibility of information. It also comprehends the confidentiality, integrity and availability of information while minimizing information security risks.

As you may have noticed by now, every company needs a plan for its ISMS, and of course this plan needs to meet internationally accepted protocols and standards. Among them, one of the most widely accepted is the ISO 27001 standard.

Why ISO 27001 to implement ISMS?

While there are many international standards for evaluating risks and implementing controls to mitigate or eliminate them, the ISO 27001 standard is one of the most widely accepted for ensuring the integrity of your computer data, because it covers:

  • Confidentiality. Grants access to information only to authorized agents.
  • Integrity. Directly related to the previous point, ISO 27001 ensures that both the processes and the information related to your security systems are complete and accurate.
  • Availability. Your authorized agents can access the information whenever they need it.
  • Prestige. ISO 27001 extends its good name to any company that adopts its standards. As it is a global benchmark, companies that implement its standards are synonymous with good practices and better results.
  • Accessibility. It works for all types of business in all sectors. Experts adapt more easily to its principles, which in the end is more convenient in terms of operational cost.

Now, let's look at those 6 easy steps to implement our ISMS under the ISO 27001 standard.

6 simple steps to implement ISMS under ISO 27001 standard

1. Evaluation

First of all, you need to diagnose and evaluate your current information systems and infrastructure. Of course, your digital security will always depend on your information security maturity and, in similar measure, on the infrastructure model you count on.

This diagnosis will then indicate both the stage you are at and the corrective measures to take in order to pave the way for the implementation of your ISMS under ISO 27001 standards.

2. Planning

Second, once you know for sure what you are missing or what you need in order to tune up your systems to ISO 27001 standards, you need to plan and study your options for actually implementing the ISMS. You have these options:

  1. Self-management. This is the Do-It-Yourself alternative. It is worth adopting if you count on both the technical staff and the necessary documentation to mitigate the impact of change. In other words, it works better for companies at Level 3 or higher in their Security Maturity. So, if this is your case, then this option will help you save time and money.
  2. Hiring a consultant. This alternative is the most recommended for companies at Level 1 in their Security Maturity. When hiring a consultant, you give all the power to an expert who will necessarily provide you with all the answers you need for the implementation, as well as guaranteeing all related certifications.
  3. Mixed option. It combines the best of the two options described above. It works best for companies diagnosed at Level 2 in their Security Maturity and gets the most out of your strengths and the security expert consultant's. This option may include tutorials, online help and similar support.

As you can see, all the options offer advantages and disadvantages that you need to weigh carefully. At this point, the best practice consists in building a SWOT matrix to evaluate:

    • Overall spending.
    • Time/Cost ratio.
    • Documentation integrity.
    • Knowledge Transfer.
    • Certifications.

Each one of these variables gathers tasks and activities ranging from choosing the technical personnel manager to the implementation and deployment of the ISMS.

3. Documentation + Gantt

Next, the third step is gathering all the relevant documentation to feed the knowledge base, and grouping it by activities and logical tasks within a given time frame.

With this step, the project begins to materialize based upon the planning.

4. Organization

Next, the fourth step consists in organizing the documentation by execution and organization. This is the reason why you need a Gantt chart for the implementation phase: it is the clock that sets the pace for the project which, undoubtedly, must be under the command of the Project Leaders.

Also, at this point you need to compile all the manuals and related documents to be used as support when you begin the awareness-raising campaigns related to the ISMS implementation.

5. Presentation

Fifth, we move on to integrating every single piece of documentation and knowledge collected in the previous steps and presenting it as a feasible project. This project will be presented to the Board and to those involved in the implementation itself.

The presentation will include the scope of ISO 27001; the justification and policies; the results of the evaluation phase; the treatment of the identified risks and the applicability of the controls; the reasons supporting the decision; and the application form.

It will also show the results of the effectiveness of the controls, to give a complete overview of the total scope of the standard.

6. Deployment

Finally, the sixth and last step begins with the approval of the Board. Once its members give their OK, the awareness campaigns begin and deployment takes place. This demands implementing the controls, standards, procedures and training programs linked to awareness.

After all these activities, the ISMS will be a full part of your working days, issuing records that keep auditors and authorized agents informed about the real performance of the company and your employees, and about the successful implementation of the ISO 27001 standard for your ISMS.

Whether you choose the second or third option (hiring a consultant, or the mixed option) during the Planning phase, you have in us an ideal ally to carry out your ISMS implementation under the ISO 27001 standard. Contact us here to start your 6-step plan.
