top of page

THE ISO 27001 INITIATION PHASE

Updated: Sep 7

Get your project off to the best possible start.


Contents



 

 



Initiation Phase of ISO 27001 Implementation

The Initiation phase of ISO 27001 implementation is about laying a solid foundation for an Information Security Management System (ISMS).


The phase ensures that all necessary preparatory steps are taken to set up the ISMS effectively. It involves demonstrating an understanding of the organisational context, defining the scope, and ensuring leadership commitment.


In short, we are setting a scope and laying out the framework.


High-Level Summary of the Initiation Phase


The Initiation phase focuses on:


1.      Establishing a project plan.

2.      Assembling a steering group.

3.      Defining the ISMS.

4.      Developing an information security policy.

5.      Defining ISMS roles and responsibilities (R&Rs).

6.      Setting ISMS objectives.



Each step helps ensure a comprehensive and systematic ISMS implementation.


Let's take a look at each one in turn.



 

 

1. Establish a Project Plan


Overview


Failing to plan is planning to fail. Every complex delivery needs a project plan, and a move to ISO 27001 is no different.


The project plan outlines the approach, key resources, timelines, and milestones required for the ISMS implementation.


I've said I won't go into too much detail on project management techniques, but every project plan follows a similar approach.


I've posted many templates on my website, www.iseoblue.com and advice on running projects if you need it.

 

Implementation


Create a Detailed Project Charter

This document should include the scope, objectives, deliverables, timelines, resources, and stakeholders involved in the ISMS project.



Define Key Milestones

Break down the implementation into manageable phases with specific milestones to track progress.


Guess what – that's what this document helps with.


You're welcome.


Allocate Resources

Identify and allocate necessary resources, including personnel, budget, and tools required for the implementation.


At this stage, it can only be roughly what you think you'll need, but later, you'll build out the actual resources based on a more detailed evaluation of requirements.


Capture Project Risks

Develop a plan to identify potential challenges and mitigation strategies. All project plans should manage risk, and this is no different, but they could include;


  • Insufficient Resources – Use the plan as a basis, but clarify that requirements will unfold as the project is implemented. Make sure you have estimates for consultancy, auditing, etc.

  • Management commitment – If your senior executives are indifferent to the ISO 27001 process, you will likely not get essential support and traction on things when you need it most.

  • Lack of expertise – This guide is here to help, but you could overengineer things if you get caught up in the details or make an incorrect assumption.

  • Resistance to change – If you don't bring stakeholders with you and try to apply ISO 27001 and its controls to them without active engagement and listening, then brace yourself for pushback.

 

Define a Communication Plan

Establish a communication plan to ensure all stakeholders are informed and engaged throughout the implementation process.


A more detailed communication and awareness programme is needed, but this part of the project plan explains how you will keep your stakeholders informed of the progress of your move to ISO 27001, as opposed to how the ISMS needs to be applied, etc. For example, highlight reports, meetings, etc.

 


 

 

2. Assemble a Steering Group


Overview

Once you have an approved project plan (and please make sure your senior stakeholders approve it!) I recommend forming an Information Security Group (ISG) with defined terms of reference to oversee the implementation process, ensuring that all necessary expertise and leadership are represented.



The ISG can address two needs in a single place if you are able;


1)      Act as your project team/board

2)      Act as your ISMS governance

 

Implementation


Define the Terms of Reference

These outline the purpose and responsibilities of the Steering Group.


 

In the short term, it will act like a project team, but in the longer term, it'll become the management review body for the governance of your ISMS.


Select Attendees

Choose members from various departments, including IT, HR, legal, and senior management, to ensure diverse perspectives and expertise.


Leave people out at your peril, but don't invite the world and his mother; it never makes for good governance.


Define Roles and Responsibilities

Clearly outline the roles and responsibilities of each member to ensure accountability and effective decision-making.


Set Up Regular Meetings

Schedule regular meetings to review progress, discuss challenges, and adjust the implementation plan as needed.


Document Meetings

Maintain detailed records of steering group meetings, decisions, and action items to ensure transparency and accountability.


You’ll need these as evidence of management commitment later in the audit, so make sure you capture them.



Create the Information Security Statement

The ISMS must evidence senior support and commitment.


I recommend having an overarching statement that lays out the ISMS's stall and makes it clear to everyone what the expectations are, thus helping address Clause 5.1 (Leadership and Commitment).


It's not mandatory but recommended.



 

 


 

3. Define the ISMS


Overview

Scope definition time.


We need to identify and document an asset inventory and understand statutory, regulatory, and contractual requirements to establish the boundaries and applicability of the ISMS, all of which will influence its scope.



Implementation


Conduct an Asset Inventory

Identify all information assets, including hardware, software, data, and personnel, and document their importance to the organisation.



Depending on your organisation, this may be relatively easy or very hard. I recommend starting by capturing things at a high level and then going down in levels of detail.


You will ultimately need a detailed list of every information asset (who owns it, where it is, etc). But at this point, it might be easier to capture the various types of asset that will fall into the scope of your ISMS.


So, for example, start with acknowledging laptops/desktops, databases, and systems as asset groups, then catalogue them in a little more detail or point to where an asset register is maintained, i.e. any automated hardware inventory system.


Understand Legal and Regulatory Requirements

Identify applicable statutory, regulatory, and contractual requirements that affect information security.


 

I've documented some to get you started based on EU/UK law, but they'll be unique to your organisation, customers and locale. E.g.


  • GDPR (EU / UK)

  • Australian Privacy Act (1988)

  • HIPAA health data legislation, USA

  • PCI DSS Payment card protection

 

Define & Document the ISMS Scope

Define the boundaries of the ISMS, considering the organisation's context, internal and external issues, and interested parties' expectations.



I've created a document to walk you through this, but my advice is simple:


KEEP THE SCOPE AS TIGHT AS POSSIBLE TO START.


You can always build it out later. Look at what is most important to protect and start there, such as customer-facing services and data.


Ensure that the ISMS scope is documented, agreed and communicated to all relevant stakeholders.


 


 

4. Develop an Information Security Policy

Overview

Next up is a hugely important piece of the puzzle, and every auditor will ask for it within the first five minutes of an audit after finding the coffee machine and the toilets; an Information Security Policy. 


We need to draft an initial information security policy that aligns with the organisation's objectives and regulatory requirements, setting the groundwork for security practices.

 

Implementation


Policy Drafting

Develop a comprehensive information security policy that includes the organisation's commitment to information security, objectives, and principles.



This will likely become a document that needs to be revisited as you build up sub-policies that detail some aspects in more detail but only for specific groups or areas.


I strongly advise making the policy as easy to read and digest as possible. Our main objective is getting compliance, not creating a stick to beat people. Avoid overwhelming readers with legal wording and confusing phrases like 'notwithstanding'.


An information security policy is not a legal document, so don't word it like one. Sure, it can have legal implications if someone fails to adhere to it, but that makes it even more critical to make it readable and in plain English.


Also, the policy should be worded positively rather than negatively. Say what you want people to do, not what you don't want them to do. E.g.


"Always lock your computer when stepping away from your desk to ensure data security."

 

Rather than

 

"Do not leave your computer unlocked when you are away from your desk."


Approval and Communication

Get the policy approved by senior management and communicate it to all employees.


Regular Review

Establish a process for regular review and updates to the policy to ensure it remains relevant and effective.


 

 

5. Define ISMS Roles and Responsibilities (R&Rs)

Overview

Next, we need to clearly define and document roles and responsibilities related to information security to ensure accountability and effective implementation.


To some extent, we've already done some of this in the ISG (Information Security Group) terms of reference, but we need to expand it across the ISMS.

 

Implementation


Identify & Document Key Roles & Responsibilities

Determine the necessary roles for ISMS implementation, including information security officer, risk manager, compliance officer, and other relevant positions.



In smaller organisations, there might be fewer roles, and a person can potentially wear multiple hats (recognising a role is not necessarily the same as a job).


Clearly outline the responsibilities of each role, ensuring they cover all aspects of the ISMS implementation and ongoing management.


Assign these roles to individuals based on their expertise and organisational responsibilities.


Communicate R&Rs

You can’t tuck the roles & responsibilities away in a corner; it’s important to communicate them so people know what is expected and can identify any gaps in cover and skills.


Training and Support

Provide the necessary training and support to individuals to enable them to fulfil their roles effectively.


You'll need to determine the best time to do this. Some people may need training early (for example, if they need to know more about ISO 27001 and its structure), while others may need it later as part of the awareness and communication campaign.


At this stage, focus on what people need to know to get your ISMS off the ground.


 


 

6. Set ISMS Objectives

Overview

Establish specific, measurable, attainable, relevant, and time-bound (SMART) objectives for the ISMS to guide subsequent implementation phases and provide clear goals for security improvements.


Clause 6.2 requires the ISMS to have documented objectives. I think defining the objectives as part of the initiation phase fits naturally here, so you broadly know where you are heading.


Implementation


Identify Objectives

Based on the organisational goals, identify specific objectives for the ISMS. These might include improving data protection measures, achieving regulatory compliance, or enhancing incident response capabilities.


Assuming it's your initial venture, setting objectives early can define your project more successfully. They could be pretty basic, such as setting up an ISO 27001-compliant ISMS by the end of the quarter, etc.

 


However, to get you thinking, here are some suggestions;


Objective 1: Enhance Information Security Awareness

  1. Conduct information security training sessions for 100% of employees by the end of Q4.

  2. Achieve a 90% or higher score on post-training assessments for all employees.

  3. Distribute monthly security newsletters and achieve a 75% open rate.


Objective 2: Improve Risk Management Process

  1. Identify and document 100% of critical information assets by the end of Q2.

  2. Complete a risk assessment for all identified critical assets by the end of Q3.

  3. Implement risk treatment plans for the top 5 identified risks by the end of Q4.


Objective 3: Strengthen Access Control Measures

  1. Implement multi-factor authentication (MFA) for all employees by the end of Q3.

  2. Ensure 100% compliance with the new access control policy by the end of Q4.

  3. Conduct quarterly access reviews to ensure proper access rights and achieve a 95% accuracy rate.


Objective 4: Enhance Incident Response Capability

  1. Develop and approve an incident response plan by the end of Q1.

  2. Conduct two incident response drills by the end of Q3, achieving a 100% participation rate.

  3. Reduce the average incident response time by 20% by the end of Q4.


Objective 5: Achieve Compliance with ISO 27001:2022 Requirements

  1. Complete a gap analysis against ISO 27001:2022 by the end of Q2.

  2. Implement corrective actions for identified gaps, achieving 100% closure by the end of Q3.

  3. Successfully pass the ISO 27001:2022 certification audit by the end of Q4.


Communicate Objectives

Once ready, communicate the objectives to all relevant stakeholders to ensure everyone knows the goals and their role in achieving them.


Monitor and Review

Establish processes for monitoring progress towards these objectives and review them regularly to ensure they align with the organisational goals and ISMS requirements.

 


 

Alignment with ISO 27001:2022 Clauses 4 & 5

Let's examine briefly how these steps align with clauses 4 (Context of the Organisation) and 5 (Leadership).


Clause 4: Context of the Organisation

So, clause 4 determines what needs to shape your ISMS and response to scope, policies, procedures, controls, etc.


Here’s how we go about ticking it off;


  • Understanding the Organisation and Its Context (4.1): We’ve documented the context as part of our scope.

  • Understanding the Needs and Expectations of Interested Parties (4.2): We’ve captured our interested parties in our scope.

  • Determining the Scope of the ISMS (4.3): We’ve documented and shared our scope, clarifying our ISMS boundaries.

  • Information Security Management System (4.4): We’ve started to establish, implement the ISMS per the requirements of ISO 27001.

 

Clause 5: Leadership

Clause 5 ensures we have top-down direction so everyone understands where we are heading and what part they must play.


We do that by addressing the following parts;


  • Leadership and Commitment (5.1): Ensure top management demonstrates leadership and commitment to the ISMS through the Information Security Statement, the ISG Steering Group, and sponsorship of the resources and project plan for ISO 27001.

  • Information Security Policy (5.2): We’ve developed and communicated an information security policy.

  • Organisational Roles, Responsibilities, and Authorities (5.3): We have assigned, documented and communicated the ISMS roles and responsibilities.

 

Hopefully, you can see the clear correlation between this phase's activities and meeting the clauses' requirements in the standard.


Next up?


Planning: exploring risk and our responses to it.

 


 

Important Notice

This document is provided for personal use only. Commercial or consultative use requires a licence. For detailed terms of use, please visit https://www.iseoblue.com/terms.

 

Comments


Never miss another article.

About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.

bottom of page