Typefully

9 STEPS OUTLINE for ISO 27001

4 years ago


👉 9 STEPS OUTLINE for ISO 27001 implementation and getting certified 🧵 This thread provides a skeleton plan for your ISO 27001 project. Before we kick off, I'll take 3 tweets to illustrate the benefits, and explain the structure of #iso27001 ... #infosec #cybersecurity
Benefits of ISO 27001 certification are: 1) Easier sales of your product/service in B2B markets 💶 2) Raised #infosec maturity – from incident driven to continual improvement 📈 3) Increased #CyberResilience 🦾 4) Improved accountability and responsibility 🕊️ #cybersecurity
#iso27001 consists of 2 parts: 1) a PROCESS to manage information security risks, called the Information Security Management System (or ISMS) 2) a list of CONTROLS to mitigate (or control) the risks you've identified, called "Annex A" #infosec #cybersecurity #isms
The #ISMS risk mgt process looks like this: 1) Identify and Analyse Risks 2) Select and Implement Controls 3) Monitor execution of Controls 4) Evaluate effectiveness 5) Re-analyse Risks and Adjust Controls 👉 NEXT: Start implementing ... #infosec #cybersecurity #iso27001
👉 STEP 1: Get senior management on board. #iso27001 places responsibility on top mgt to: • Show leadership and commitment • Set information security objectives • Implement #infosec policies • Define roles and responsibilities • Provide resources and support
👉 STEP 2: Establish the context of the ISMS. Identify: • Macro-environmental factors • Strategy and culture • Strengths and weaknesses • Stakeholders • Laws and regulations • Business processes ... and define the Scope of your #isms. #infosec #cybersecurity #iso27001
👉 STEP 3: Initiate the ISMS process. 1) Establish the Information Security Team; 2) Have regular team meetings; 3) Iterate through the risk mgt process to achieve continuous improvement. #infosec #cybersecurity #iso27001
👉 STEP 4: Identify Information Assets. 1) Create an Asset Inventory; 2) Identify the impact of compromise of each asset; 3) Classify information assets by required Confidentiality, Integrity and Availability; 4) Label assets accordingly. #infosec #cybersecurity #iso27001
👉 STEP 5: Analyse Risks and Select Treatment. 1) Identify Risks for loss of Confidentiality, Integrity and Availability; 2) Appoint risk owners; 3) Calculate Risk Scores as Probability x Impact to set priorities; 4) Choose to Control, Transfer, Avoid or Accept the risk.
👉 STEP 6: Select and Implement Controls. 1) Identify all controls from Annex A necessary for the chosen risk treatment; 2) Draft a 'Statement of Applicability' for the Annex A controls; 3) Plan the implementation ('risk treatment plan'). #infosec #cybersecurity #iso27001
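To make Steps 4 to 6 concrete, here is an added Python model (not from the thread) of an asset inventory classified by C/I/A, a risk register scored as Probability x Impact, the four treatment options, and the Statement of Applicability that falls out of the controlled risks. The assets, risks, treatment thresholds and the three Annex A references (2013 numbering) are constructed sample data, not taken from the thread.

```python
from dataclasses import dataclass

@dataclass
class Asset:                    # Step 4: inventory entry, required level 1..3 per property
    name: str
    cia: dict                   # {"C": level, "I": level, "A": level}

@dataclass
class Risk:                     # Step 5: one identified risk against one asset
    asset: Asset
    threat: str
    harms: str                  # which property is lost: "C", "I" or "A"
    probability: int            # 1..5
    owner: str                  # appointed risk owner
    controls: tuple = ()        # Annex A references (2013 numbering) that would treat it
    transferable: bool = False  # can be insured or outsourced
    avoidable: bool = False     # the risky activity can simply be stopped

    def score(self) -> int:     # Risk Score = Probability x Impact, where impact is the
        return self.probability * self.asset.cia[self.harms]  # classification level at stake

def treatment(r: Risk, accept_below: int = 4, avoid_from: int = 12) -> str:
    """Step 5.4 decision; the thresholds are constructed, not taken from the standard."""
    s = r.score()
    if s < accept_below:
        return "Accept"
    if s >= avoid_from and r.avoidable:
        return "Avoid"
    return "Transfer" if r.transferable else "Control"

def prioritised(risks):         # highest score first: the order in which to treat them
    return sorted(risks, key=lambda r: r.score(), reverse=True)

def statement_of_applicability(risks, catalogue):
    """Step 6: a control is applicable iff some risk treated by 'Control' needs it."""
    soa = {}
    for ref, title in catalogue.items():
        why = [r.threat for r in risks if treatment(r) == "Control" and ref in r.controls]
        soa[ref] = {"title": title, "applicable": bool(why), "justification": why}
    return soa

# Constructed sample data: three assets, four risks, a tiny slice of the Annex A catalogue
CATALOGUE = {"A.9.2.1": "User registration and de-registration",
             "A.12.4.1": "Event logging", "A.13.1.1": "Network controls"}
DB = Asset("Customer database", {"C": 3, "I": 3, "A": 2})
WEB = Asset("Public website", {"C": 1, "I": 2, "A": 3})
PRINTER = Asset("Office printer", {"C": 1, "I": 1, "A": 1})
RISKS = [Risk(DB, "Stolen credentials expose customer data", "C", 3, "CISO", ("A.9.2.1", "A.12.4.1")),
         Risk(WEB, "Volumetric DDoS takes the site offline", "A", 3, "Ops lead", ("A.13.1.1",), transferable=True),
         Risk(PRINTER, "Printer outage", "A", 3, "Office manager"),
         Risk(DB, "Unencrypted export of the database to laptops", "C", 4, "CISO", avoidable=True)]
```

Note that a control listed only against a transferred or avoided risk does not become applicable in the Statement of Applicability, which is exactly the justification an auditor will ask you to show.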
👉 STEP 7: Document the ISMS activities. • Write #infosec policies • Record risk analyses and treatment decisions • Register incidents and non-conformities • Collect log files, measurements, and evaluation reports • Plan implementation, evaluations, and audits. #iso27001
👉 STEP 8: Conduct Management Reviews. Review: • Status of actions • External and Internal Changes • Feedback from Stakeholders • Risk assessment results and Treatment plans • Effectiveness of the ISMS • Decisions on changes and improvements. #cybersecurity #iso27001
👉 STEP 9: Get Certified. 💯 • Stage 1: Document review • Stage 2: Records of activities, observations and interviews • Audit report: Observations, Minor and Major non-conformities • Period of 90 days to resolve issues. The #iso27001 Certificate is valid for 3 years.
I hope this thread will give you a head start on your path to #iso27001 certification. Contact me with any questions you may have. Stay safe and secure! – @richardk #cybersecurity #infosec
ISO 27001 Toolkit

@iso27diy

🧰 Implement ISO 27001 yourself!🏅Get Certified 🧘‍♀️ Build Customer Trust 🚀 Accelerate Sales! #infosec #iso27001 by @richardk