Get your project off to the best possible start.
Initiation Phase of ISO 27001 Implementation
The Initiation phase of ISO 27001 implementation is about laying a solid foundation for an Information Security Management System (ISMS).
The phase ensures that all necessary preparatory steps are taken to set up the ISMS effectively. It involves demonstrating an understanding of the organisational context, defining the scope, and ensuring leadership commitment.
In short, we are setting a scope and laying out the framework.
High-Level Summary of the Initiation Phase
The Initiation phase focuses on:
1. Establishing a project plan.
2. Assembling a steering group.
3. Defining the ISMS.
4. Developing an information security policy.
5. Defining ISMS roles and responsibilities (R&Rs).
6. Setting ISMS objectives.
Each step helps ensure a comprehensive and systematic ISMS implementation.
Let's take a look at each one in turn.
1. Establish a Project Plan
Overview
Failing to plan is planning to fail. Every complex delivery needs a project plan, and a move to ISO 27001 is no different.
The project plan outlines the approach, key resources, timelines, and milestones required for the ISMS implementation.
I've said I won't go into too much detail on project management techniques, but every project plan follows a similar approach.
I've posted many templates, and advice on running projects, on my website, www.iseoblue.com, if you need them.
Implementation
Create a Detailed Project Charter
This document should include the scope, objectives, deliverables, timelines, resources, and stakeholders involved in the ISMS project.
Define Key Milestones
Break down the implementation into manageable phases with specific milestones to track progress.
Guess what – that's what this document helps with.
You're welcome.
Allocate Resources
Identify and allocate necessary resources, including personnel, budget, and tools required for the implementation.
At this stage, it can only be roughly what you think you'll need, but later, you'll build out the actual resources based on a more detailed evaluation of requirements.
Capture Project Risks
Develop a plan to identify potential challenges and mitigation strategies. All project plans should manage risk, and this one is no different. Typical risks include:
Insufficient Resources – Use the plan as a basis, but clarify that requirements will unfold as the project is implemented. Make sure you have estimates for consultancy, auditing, etc.
Management commitment – If your senior executives are indifferent to the ISO 27001 process, you will likely not get essential support and traction on things when you need it most.
Lack of expertise – This guide is here to help, but you could overengineer things if you get caught up in the details or make an incorrect assumption.
Resistance to change – If you don't bring stakeholders with you and try to apply ISO 27001 and its controls to them without active engagement and listening, then brace yourself for pushback.
Define a Communication Plan
Establish a communication plan to ensure all stakeholders are informed and engaged throughout the implementation process.
A more detailed communication and awareness programme is needed later, but this part of the project plan explains how you will keep your stakeholders informed of the progress of your move to ISO 27001, as opposed to how the ISMS itself needs to be applied. For example: highlight reports, meetings and so on.
2. Assemble a Steering Group
Overview
Once you have an approved project plan (and please make sure your senior stakeholders approve it!) I recommend forming an Information Security Group (ISG) with defined terms of reference to oversee the implementation process, ensuring that all necessary expertise and leadership are represented.
The ISG can address two needs in a single place if you are able to:
1) Act as your project team/board
2) Act as your ISMS governance body
Implementation
Define the Terms of Reference
These outline the purpose and responsibilities of the Steering Group.
In the short term, it will act like a project team, but in the longer term, it'll become the management review body for the governance of your ISMS.
Select Attendees
Choose members from various departments, including IT, HR, legal, and senior management, to ensure diverse perspectives and expertise.
Leave people out at your peril, but don't invite the world and his mother; it never makes for good governance.
Define Roles and Responsibilities
Clearly outline the roles and responsibilities of each member to ensure accountability and effective decision-making.
Set Up Regular Meetings
Schedule regular meetings to review progress, discuss challenges, and adjust the implementation plan as needed.
Document Meetings
Maintain detailed records of steering group meetings, decisions, and action items to ensure transparency and accountability.
You’ll need these as evidence of management commitment later in the audit, so make sure you capture them.
Create the Information Security Statement
The ISMS must evidence senior support and commitment.
I recommend having an overarching statement that lays out the ISMS's stall and makes it clear to everyone what the expectations are, thus helping address Clause 5.1 (Leadership and Commitment).
It's not mandatory but recommended.
3. Define the ISMS
Overview
Scope definition time.
We need to identify and document an asset inventory and understand statutory, regulatory, and contractual requirements to establish the boundaries and applicability of the ISMS, all of which will influence its scope.
Implementation
Conduct an Asset Inventory
Identify all information assets, including hardware, software, data, and personnel, and document their importance to the organisation.
Depending on your organisation, this may be relatively easy or very hard. I recommend starting by capturing things at a high level and then going down in levels of detail.
You will ultimately need a detailed list of every information asset (who owns it, where it is, etc). But at this point, it might be easier to capture the various types of asset that will fall into the scope of your ISMS.
So, for example, start by acknowledging laptops/desktops, databases, and systems as asset groups, then catalogue them in a little more detail or point to where an asset register is maintained, for example an automated hardware inventory system.
Understand Legal and Regulatory Requirements
Identify applicable statutory, regulatory, and contractual requirements that affect information security.
I've documented some to get you started based on EU/UK law, but they'll be unique to your organisation, customers and locale. For example:
GDPR (EU / UK)
Australian Privacy Act (1988)
HIPAA (health data legislation, USA)
PCI DSS (payment card protection)
Define & Document the ISMS Scope
Define the boundaries of the ISMS, considering the organisation's context, internal and external issues, and interested parties' expectations.
I've created a document to walk you through this, but my advice is simple:
KEEP THE SCOPE AS TIGHT AS POSSIBLE TO START.
You can always build it out later. Look at what is most important to protect and start there, such as customer-facing services and data.
Ensure that the ISMS scope is documented, agreed and communicated to all relevant stakeholders.
4. Develop an Information Security Policy
Overview
Next up is a hugely important piece of the puzzle, and one every auditor will ask for within the first five minutes of an audit, after finding the coffee machine and the toilets: an Information Security Policy.
We need to draft an initial information security policy that aligns with the organisation's objectives and regulatory requirements, setting the groundwork for security practices.
Implementation
Policy Drafting
Develop a comprehensive information security policy that includes the organisation's commitment to information security, objectives, and principles.
This will likely become a document that needs to be revisited as you build up sub-policies that cover some aspects in more detail, but only for specific groups or areas.
I strongly advise making the policy as easy to read and digest as possible. Our main objective is getting compliance, not creating a stick to beat people with. Avoid overwhelming readers with legal wording and confusing phrases like 'notwithstanding'.
An information security policy is not a legal document, so don't word it like one. Sure, it can have legal implications if someone fails to adhere to it, but that makes it even more critical to make it readable and in plain English.
Also, the policy should be worded positively rather than negatively. Say what you want people to do, not what you don't want them to do. For example:
"Always lock your computer when stepping away from your desk to ensure data security."
Rather than
"Do not leave your computer unlocked when you are away from your desk."
Approval and Communication
Get the policy approved by senior management and communicate it to all employees.
Regular Review
Establish a process for regular review and updates to the policy to ensure it remains relevant and effective.
5. Define ISMS Roles and Responsibilities (R&Rs)
Overview
Next, we need to clearly define and document roles and responsibilities related to information security to ensure accountability and effective implementation.
To some extent, we've already done some of this in the ISG (Information Security Group) terms of reference, but we need to expand it across the ISMS.
Implementation
Identify & Document Key Roles & Responsibilities
Determine the necessary roles for ISMS implementation, including information security officer, risk manager, compliance officer, and other relevant positions.
In smaller organisations, there might be fewer roles, and one person can potentially wear multiple hats (recognising that a role is not necessarily the same as a job).
Clearly outline the responsibilities of each role, ensuring they cover all aspects of the ISMS implementation and ongoing management.
Assign these roles to individuals based on their expertise and organisational responsibilities.
Communicate R&Rs
You can’t tuck the roles & responsibilities away in a corner; it’s important to communicate them so people know what is expected and can identify any gaps in cover and skills.
Training and Support
Provide the necessary training and support to individuals to enable them to fulfil their roles effectively.
You'll need to determine the best time to do this. Some people may need training early (for example, if they need to know more about ISO 27001 and its structure), while others may need it later as part of the awareness and communication campaign.
At this stage, focus on what people need to know to get your ISMS off the ground.
6. Set ISMS Objectives
Overview
Establish specific, measurable, attainable, relevant, and time-bound (SMART) objectives for the ISMS to guide subsequent implementation phases and provide clear goals for security improvements.
Clause 6.2 requires the ISMS to have documented objectives. I think defining the objectives as part of the initiation phase fits naturally here, so you broadly know where you are heading.
Implementation
Identify Objectives
Based on the organisational goals, identify specific objectives for the ISMS. These might include improving data protection measures, achieving regulatory compliance, or enhancing incident response capabilities.
Assuming this is your first attempt, setting objectives early helps define your project more clearly. They could be pretty basic, such as setting up an ISO 27001-compliant ISMS by the end of the quarter.
However, to get you thinking, here are some suggestions:
Objective 1: Enhance Information Security Awareness
Conduct information security training sessions for 100% of employees by the end of Q4.
Achieve a 90% or higher score on post-training assessments for all employees.
Distribute monthly security newsletters and achieve a 75% open rate.
Objective 2: Improve Risk Management Process
Identify and document 100% of critical information assets by the end of Q2.
Complete a risk assessment for all identified critical assets by the end of Q3.
Implement risk treatment plans for the top 5 identified risks by the end of Q4.
Objective 3: Strengthen Access Control Measures
Implement multi-factor authentication (MFA) for all employees by the end of Q3.
Ensure 100% compliance with the new access control policy by the end of Q4.
Conduct quarterly access reviews to ensure proper access rights and achieve a 95% accuracy rate.
Objective 4: Enhance Incident Response Capability
Develop and approve an incident response plan by the end of Q1.
Conduct two incident response drills by the end of Q3, achieving a 100% participation rate.
Reduce the average incident response time by 20% by the end of Q4.
Objective 5: Achieve Compliance with ISO 27001:2022 Requirements
Complete a gap analysis against ISO 27001:2022 by the end of Q2.
Implement corrective actions for identified gaps, achieving 100% closure by the end of Q3.
Successfully pass the ISO 27001:2022 certification audit by the end of Q4.
Communicate Objectives
Once ready, communicate the objectives to all relevant stakeholders to ensure everyone knows the goals and their role in achieving them.
Monitor and Review
Establish processes for monitoring progress towards these objectives and review them regularly to ensure they align with the organisational goals and ISMS requirements.
Alignment with ISO 27001:2022 Clauses 4 & 5
Let's examine briefly how these steps align with clauses 4 (Context of the Organisation) and 5 (Leadership).
Clause 4: Context of the Organisation
So, clause 4 determines what needs to shape your ISMS and its response in terms of scope, policies, procedures, controls, etc.
Here's how we go about ticking it off:
Understanding the Organisation and Its Context (4.1): We’ve documented the context as part of our scope.
Understanding the Needs and Expectations of Interested Parties (4.2): We’ve captured our interested parties in our scope.
Determining the Scope of the ISMS (4.3): We’ve documented and shared our scope, clarifying our ISMS boundaries.
Information Security Management System (4.4): We've started to establish and implement the ISMS in line with the requirements of ISO 27001.
Clause 5: Leadership
Clause 5 ensures we have top-down direction so everyone understands where we are heading and what part they must play.
We do that by addressing the following parts:
Leadership and Commitment (5.1): Ensure top management demonstrates leadership and commitment to the ISMS through the Information Security Statement, the ISG Steering Group, and sponsorship of the resources and project plan for ISO 27001.
Information Security Policy (5.2): We’ve developed and communicated an information security policy.
Organisational Roles, Responsibilities, and Authorities (5.3): We have assigned, documented and communicated the ISMS roles and responsibilities.
Hopefully, you can see the clear correlation between this phase's activities and meeting the clauses' requirements in the standard.
Next up?
Planning: exploring risk and our responses to it.
Important Notice
This document is provided for personal use only. Commercial or consultative use requires a licence. For detailed terms of use, please visit https://www.iseoblue.com/terms.