Top 10 Tips for a Lean ISO 27001 Implementation

Are you contemplating ISO 27001 implementation but concerned about the time and management resources that will be needed?

Many modern businesses operate in a lean and agile way and this is often seen as contradictory to the traditionally bureaucratic processes associated with ISO 27001. Some even believe it may restrict the way they run their business.

We’re here to dispel those myths and give you some tips on how to achieve a lean ISO 27001 implementation:

  1. Gain board level support: An information management system will only be effective with the full and active support of the board. Prepare your argument in terms of costs, return on investment, risks, threats and opportunities and give the confidence that your ISMS will include the metrics by which you, and the board, can easily measure its success.
  1. Consider applicable legislation: Ensure you establish and align your ISMS to any relevant statutory laws and regulations. For example, EU GDPR will have an impact on how you shape your information security policies and controls. Consider a system that enables you to cross-reference policies across multiple regulations and compliances, using hyperlinking, to prevent duplication and repetition.
  1. Start with a GAP analysis: Screen your existing policies for applicability and compliance. Whilst in some cases they may not meet the standard, updating them is quicker than starting from scratch. There are over 140 activities that will need addressing so a software tool that gives you the repository to slot in your policies, against the relevant requirements of the standard, will reduce your set-up time significantly. You will need a project approach with the ability to see instantly what’s been completed, what’s in progress and what still needs action, allowing you to keep focused.
  1. Set realistic timescales: once you have your gap analysis you can see the size of the beast. As with any project, setting challenging timescales which are achievable will ensure you don’t lose momentum. Whilst it may be tempting to allow a long lead time, to ensure it doesn’t impact negatively on your day-to-day operation, the commitment and impetus can be lost if execution is too slow. Assigning tasks with due dates will help everyone stay on track and being able to view progress against your timelines will help you manage the project successfully.
  1. Use lean and agile implementation methods: Board commitment to ISO 27001 certification will rely significantly on the level of resource and management time needed. Simplifying and streamlining the process using ISO 27001 management software will dramatically reduce the resource needed, not just in implementation but also in ongoing, management and reporting.

ISO 27001

  1. Avoid standardised ISO 27001 policy templates: Every organisation has its own unique profile and individual security conditions. Whilst document toolkits may promise cost and time savings, they are unlikely to reflect the unique way you run your business. We know this from personal experience! The expensive toolkit we purchased had no relevance to the lean and agile way we run our business.
  1. Beware of pre-populated risk assessment software: As with policy templates, there is a danger in using someone else’s evaluation of risk. Risk management software is purely a tool that should simplify and improve the process, allowing you to apply your unique set of criteria to securing all of your information assets. Many tools on the market still address risk in turns of physical assets and not information assets as called for in the 2013 standard.
  1. Live the ISMS: If it’s all about the certificate you are doomed to failure. ISO 27001 implementation is just the start – a living, breathing entity that will equip you to adapt to the ever-changing digital landscape. There is little value in the certificate itself, more in the information security strategy and processes it engenders. With the correct set of tools, arriving at your own set of policies and methods of managing risk will ensure your ISMS becomes a seamless and integral part of your business processes and not a bureaucratic manual that restricts normal business activities.
  1. Ensure a broad understanding of information security throughout the organisation: An effective ISMS relies on awareness and acceptance across all parties within the organisation. How you communicate your policies and controls will be key. Consider one, secure online environment where all policies and controls can be easily maintained and relevant communication, tasking for compliance and training can be evidenced.
  1. Create a culture of continuous improvement: The ISO 27001:2013 standard incorporates the concept of continual improvement Involving staff in the process of continually improving information security promotes engagement. Again, having a software system that helps to facilitate this keeps you operating in that lean and agile way!

Modern business need a modern solution for achieving a cost-effective and streamlined ISO 27001 implementation and there are several software tools on the market to help with individual elements. Look for one which brings everything together in one place for a fully integrated and effective information security management system that is easy to maintain and improve.

Julia Heron: http://www.informationsecuritybuzz.com/articles/top-10-tips-lean-iso-27001-implementation/