Pulling it all together.
Implementation Phase of ISO 27001
The Implementation Phase is a critical stage in the ISO 27001 certification journey. It involves putting into practice the policies, procedures, and controls defined during the planning phase.
The success of the phase hinges on the thoroughness of the planning and the commitment of the organization’s staff. Implementation transforms theoretical frameworks into operational realities, ensuring that information security measures are effective and integrated into daily operations.
This phase encompasses several key activities, including the deployment of security controls, training of staff, and monitoring and measuring the effectiveness of these controls. Each activity must be documented and executed to ensure compliance with ISO 27001 standards.
In this phase, the focus shifts from planning to action. It is where the organization begins to see tangible changes in its security posture.
Successful implementation requires continuous communication, proper resource allocation, and a culture of security awareness across the organisation.
High-Level Summary of the Implementation Phase
The Implementation phase focuses on:
1. Create a Resource Plan
2. Document Policies & Procedures
3. Implement Controls
4. Conduct an Awareness Campaign
5. Provide Training
Each step is crucial in ensuring a comprehensive and systematic ISMS implementation. Let's take a look at each one in turn.
Create a Resource Plan
Overview
Things should start to become clearer in terms of the resources we need to maintain our ISMS, and implement the changes we want to see in the Risk Treatment Plans.
Earlier in the Initiation Phase, we talked about the high-level resources needed to get the project going, but now we need to zero in on what we need to deliver change.
Creating a resource plan is important for outlining the necessary resources—such as personnel, budget, tools, and time—needed to establish, implement, maintain, and improve the Information Security Management System (ISMS).
A resource plan is not a mandatory document in 27001, but the requirements in section 7.1 require you to provide evidence that you have considered sufficient resources for your ISMS. Creating one is just good project management and ensures that the ISMS implementation process is well-supported and can proceed without resource-related interruptions.
Implementation
Identify Resource Needs
Using the ISMS Objectives, Risk Treatment Plans & Statement of Applicability, we need to assess the organisation's current resources and identify additional resources required to meet the ISMS objectives.
It might well be that you can deliver what you need without additional resources, and it’s okay to cut your cloth accordingly, but you do need to outline the resources needed for the ISMS.
And it’s not just people: consider human resources (e.g., security specialists, IT staff), financial resources (budget for tools and training), technological resources (software, hardware), and informational resources (policies, procedures).
Develop the Resource Plan
Next, we need to create the resource plan itself, and document what we need and where it will come from.
Draft a comprehensive resource plan that details the allocation of identified resources, their roles, responsibilities, and the timeline for their deployment.
Include considerations for any potential constraints and how they will be managed.
Approval and Communication
Present the resource plan to top management / ISG for approval to ensure there is a commitment to providing the necessary resources.
Communicate the approved resource plan to all relevant stakeholders to ensure everyone is aware of their roles and responsibilities.
Document Policies & Procedures
Overview
Sorry, but you can’t get away with just one Information Security policy in 27001, well not unless you combine all sub-policies into it, which I wouldn’t recommend. Who’d want to read that?
Documenting policies and procedures involves creating detailed documentation for the management and operation of the ISMS.
This ensures consistency, compliance, and clarity across all information security practices within the organisation.
| Policy | Clause |
|---|---|
| Information Security Policy | 5.2 Policy |
| “Topic-Specific” Policies | Annex A 5.1 |
| Access Control Policy | Annex A 5.18, 8.5, 8.11 |
| Backup Policy | Annex A 8.13 |
| Acceptable Use Policy | Annex A 5.10 |

| Procedure | Clause |
|---|---|
| “Topic-Specific” Procedures | Annex A 5.4 |
| Information Labelling Procedure (or policy) | Annex A 5.13 |
| Information Transfer Procedure (or policy) | Annex A 5.14 |
| Supplier Management Procedure (or policy) | Annex A 5.19, 5.21 |
| Incident Response Procedure | Annex A 5.26 |
| Collection of Evidence Procedure | Annex A 5.28 |
| Protection of Intellectual Property Rights | Annex A 5.32 |
| Operating Procedures | Annex A 5.37 |
| Secure Authentication | Annex A 8.5 |
| Installation of Software on Operational Systems | Annex A 8.19 |
| Change Management Procedure | Annex A 8.32 |
Some of the documents can be combined, some might be both policy and procedure (that’s quite possible), and some might be a policy while others are a procedure. There is room for interpretation here, but how you apply it is for you to defend in your audit.
For example, if you combine the Incident Response Procedure with the Collection of Evidence Procedure (if it feels a natural fit), then you can tick off both at the same time.
Equally, you may have a Supplier Management Procedure (with step-by-step instructions), or you may choose to have a Supplier Management Policy (with guidance and instructions), or both.
ISO 27001 is flexible enough for you to work out what is best for your organisation, but you may have to explain your approach in an audit.
I’ve provided a number of policies below. You can take them all, use your own, or adapt some to suit your needs.
Downloadable Policy Templates
The following policies are free to download and use for personal use, as per the terms and conditions on www.iseoblue.com/terms.
Alternatively, register with the members area and download the entire kit with all policies, processes, procedures and guidance for free in one go. Easy.
Implementation
Develop and Document Policies
Create comprehensive policies that outline the organization's approach to information security, including general security policies, access control policies, and incident management policies.
Ensure policies align with the organization's goals and regulatory requirements.
Develop and Document Procedures
Create detailed procedures that support the implementation of policies. These should include step-by-step instructions for various security processes such as data handling, incident response, and system access controls.
Remember: Some Policies & Procedures are Mandatory, please see above.
Approval and Dissemination
Submit the documented policies and procedures to top management for review and approval.
Distribute the approved policies and procedures to all relevant employees and stakeholders to ensure they are aware of and understand them. I’ve created a comms plan to help you do this in a later section, so you can hold off on the communication aspect for now. Equally, there’s nothing stopping you from communicating things to those that need to know as they come off the production line.
Implement Controls
Overview
Implementing controls involves putting in place the necessary measures from your risk treatment plans in the previous stage, in order to manage and mitigate identified information security risks.
This ensures that the organization's information assets are adequately protected and that the ISMS operates effectively.
For example, you may have identified a need to implement a more secure password policy as a result of reviewing the Statement of Applicability and your risks, so here is where you would take that action.
Implementation
Identify Necessary Controls
Determine the specific controls required to address the identified risks and to comply with the established policies and procedures. There are a number of sources, but really they should be coming from your risk treatment plan(s).
Implement the Controls
Develop and deploy the identified controls. This could include technical controls (e.g., firewalls, encryption), administrative controls (e.g., security policies, training), and physical controls (e.g., secure access points).
Document Control Implementation
Maintain detailed records of the implemented controls, including descriptions, locations, responsible personnel, and effectiveness. Depending on your system, you could do this in the risk register, change control or elsewhere.
Monitor and Review Controls
Regularly monitor the effectiveness of the implemented controls. This involves ongoing assessments, audits, and reviews to ensure controls are functioning as intended.
Make necessary adjustments based on monitoring results to improve control effectiveness. Update your risk register and treatment plans regularly.
Update Risk Assessment and Treatment
Based on the monitoring results, update the risk assessment and treatment plans to reflect any changes in the risk environment or control effectiveness.
Conduct Awareness Campaign
Overview
So, you’ve made changes, and now you need to make sure people understand what you’ve done and why you’ve done it.
Conducting an awareness campaign ensures that all employees understand the importance of information security and their roles within the ISMS.
Implementation
Develop Awareness Materials
Create materials to educate employees about the ISMS, security policies, procedures, and their responsibilities. This can include posters, newsletters, emails, and presentations.
I’ve created 21 generic communications for you, which you are free to use if they suit your purposes, but you may wish to create your own.
Contents of File
The next download contains lots of links to resources and other material to support your communication efforts.
Plan the Awareness Campaign
Create a plan to outline the objectives, target audience, and schedule for the awareness activities.
My advice is to plan it out in quarterly or half-year intervals. There should always be an active communication plan as part of your ISMS, but the standard doesn’t stipulate how far ahead it needs to cover.
Also, try not to overwhelm people. The greatest level of compliance comes from the simplest messages.
Conduct Training Sessions
You may wish to supplement your written communications with workshops, seminars, and online courses to educate employees on information security principles, the ISMS, and their specific roles in maintaining security.
Disseminate Awareness Materials
Distribute the created materials through various channels such as email, intranet, and physical postings within the office.
I personally would recommend putting things out via multiple channels, such as email, and then maintaining posts on the intranet. The posts may then become part of the induction materials for new starters.
Monitor and Evaluate Campaign Effectiveness
Gather feedback from employees to assess the effectiveness of the awareness campaign using surveys, quizzes, and feedback forms to measure understanding and engagement.
Update Training and Awareness Materials
Based on the feedback and evaluation over time, update the training and awareness materials to address any gaps or areas for improvement.
Provide Training
Overview
Providing training ensures that all personnel have the necessary knowledge and skills to perform their roles effectively within the ISMS.
This step is crucial for building competence and maintaining a high level of information security awareness throughout the organization.
You might be questioning why we have both training and a communication plan. The truth is there is an amount of overlap, but think of the communication plan as short, sharp communications, potentially to all staff, about what they need to know about the ISMS: the policies, procedures, etc.
Training is slightly more involved and potentially tailored to individuals depending upon their roles in the organisation. So, for example, if you are a developer, you might need to undertake a course on static code analysis, or something similar.
Implementation
Identify Training Needs
Assess the training needs of employees based on their roles and responsibilities within the ISMS. Consider areas such as information security policies, risk management, incident response, and specific technical skills.
Develop a Training Plan
Create a detailed training plan that outlines the training objectives, content, delivery methods, schedule, and target audience.
Conduct Training Sessions
Organize and deliver training sessions using various formats such as workshops, online courses, seminars, and on-the-job training.
Ensure that the training covers all necessary aspects of the ISMS and is tailored to the needs of different employee groups.
Evaluate Training Effectiveness & Adjust
Over time, collect evidence of the effectiveness of your training, using assessments, quizzes, and feedback forms to evaluate the training sessions. This helps to ensure that the training objectives are met and that employees have understood the content.
Maintain Training Documentation
Keep detailed records of all training activities, including attendance, content, and evaluation results. This documentation is essential for demonstrating compliance and continuous improvement.
These records should include any relevant training someone has brought to the organisation with them.
Think of it from an auditing point of view: an auditor may ask “What does Bob need to know for his role on the IT Helpdesk?” and “How can you evidence that Bob has had sufficient training?”
Output: Training Records (Mandatory)
Meeting Clauses 7 & 8 of ISO 27001:2022
The implementation phase is the heaviest part of 27001. It directly addresses Clauses 7 and 8, "Support" and "Operation" respectively.
Here’s a summary of how the implementation activities align with and support these clauses:
Clause 7: Support
7.1 Resources
Created a Resource Plan: We identified and allocated the necessary resources (human, financial, technological) to establish, implement, maintain, and continually improve the ISMS. This ensures that the organisation has the necessary support to achieve its information security objectives.
7.2 Competence
Provided Training: We ensured that employees have the necessary competence to perform their roles effectively through training programmes developed based on identified needs, and training records are maintained to document competence.
7.3 Awareness
Conducted Awareness Campaign: We’ve educated employees about the ISMS, their roles, and the importance of information security. Awareness materials and campaigns ensure that all personnel are informed and engaged.
7.4 Communication
Developed a Communications Plan (as part of the Awareness Campaign): This establishes clear communication strategies to ensure that relevant information regarding the ISMS is shared with all stakeholders. This includes internal and external communication as necessary.
7.5 Documented Information
Documented Policies & Procedures: We developed comprehensive documentation for ISMS policies, procedures, and controls to ensure that all necessary information is documented, controlled, and available as needed. This includes creating, updating, and controlling documented information itself.
Clause 8: Operation
8.1 Operational Planning and Control
Implemented Controls: We put in place necessary controls to manage and mitigate risks identified during the risk assessment process so that the processes needed to meet ISMS requirements are implemented, controlled, and maintained.
Monitored and Reviewed Controls: We’ve clarified the need for continuous monitoring and regular review of controls to ensure they are effective and aligned with the ISMS objectives. This involves assessing their performance and making adjustments as necessary. It’ll be important in the next stage.
8.2 Information Security Risk Assessment
Updated Risk Assessments: We will have updated the risk assessment based on the implementation and monitoring of controls and will ensure that the organization continually identifies and evaluates information security risks.
8.3 Information Security Risk Treatment
Updated Risk Treatment(s): We developed and implemented the risk treatment plans to address identified risks. Appropriate controls are selected and applied to mitigate risks, and these are documented and updated as necessary.
Important Notice
This document is provided for personal use only. Commercial or consultative use requires a licence. For detailed terms of use, please visit https://www.iseoblue.com/terms.