Tuesday, July 31, 2007

Key Strategies for Implementing ISO 27001 (1)


Implementing ISO 27001 can be an arduous task. Determining the scope of implementation, as well as the time and effort required for implementation to occur, can help organizations design a more effective IT compliance process.

By KK Mookhey, Chief Technology Officer, Network Intelligence India Pvt. Ltd.
Khushbu Jithra, Information Developer, Network Intelligence India Pvt. Ltd.

In 1995, the British Standard Institute (BSI) published British Standard (BS) 7799, a widely adopted set of best practices that help organizations implement effective information security management systems (ISMSs) and establish security controls for specific business areas. In October 2005, the standard was adopted by the International Organization for Standardization (ISO). As a result, implementing BS 7799 — now ISO 27001:2005 — has become a major focus of attention for European-based companies and those working in the region.

Depending on the organization's size, the nature of its business, and the maturity of its processes, implementing ISO 27001 can involve a substantial investment of resources that requires the commitment of senior management. In addition, because of its emphasis on data security, many internal auditors perceive the standard to be focused solely on technology and often recommend that IT departments comply with the standard's requirements without understanding the amount of time and resources required for compliance. To ensure across-the-board acceptance and success, initial analyses and planning are vital. Because internal auditors are in the perfect position to add value to an organization's IT processes, they can help IT departments prepare the groundwork for an effective and efficient ISO 27001 implementation strategy during the initial planning phase. This will help companies ensure their IT processes are better aligned with the standard's requirements and ensure long-term compliance.


Implementing ISO 27001 can take time and consume unforeseen resources, especially if companies don't have an implementation plan early in the compliance process. To enhance compliance efforts, internal auditors can help companies identify their primary business objectives and implementation scope. Auditors should work with IT departments to determine current compliance maturity levels and analyze the compliance process' return on investment. These steps can be conducted by a team of staff members or external consultants who have prior experience implementing the standard. External consultants should work in collaboration with an internal team of representatives from the company's major business units. Below is a description of each recommendation.

Identify Business Objectives
Plans to adopt ISO 27001 must be supported by a concrete business analysis that involves listing the primary business objectives and ensuring a consensus is reached with key stakeholders. Business objectives can be derived from the company's mission, strategic plan, and existing IT goals and may include:

  • Ensuring effective risk management, such as identifying information assets and conducting accurate risk assessments.
  • Maintaining the company's competitive advantage, if the industry as a whole deals with sensitive information.
  • Preserving the organization's reputation and standing among industry leaders.
  • Providing assurance to customers and partners about the organization’s commitment to protecting data.
  • Increasing the company's revenue, profitability, and savings in areas where protective controls operate well.

The standard also emphasizes compliance with contractual obligations, which might be considered another key business objective. For instance, for an online banking division, implementing the standard would provide customers and partners greater assurance that risks stemming from the use of information systems are managed properly.
