Tuesday, July 31, 2007

Key Strategies for Implementing ISO 27001 (3)

PUBLISHED BY THE INSTITUTE OF INTERNAL AUDITORS

Determine ISO 27001 Maturity Levels
When assessing the organization’s compliance maturity level, auditors should determine whether or not the implementation team is able to answer the following questions:

  • Does a document exist that specifies the scope of compliance?
    According to ISO 27001, a scope document is required when planning the standard's implementation. The document must list all the business processes, facilities, and technologies available within the organization, along with the types of information within the ISMS. When identifying the scope of compliance, companies must clearly define the dependencies and interfaces between the organization and external entities.
  • Are business processes and information flows clearly defined and documented?
    Answering this question helps to determine the information assets within the scope of compliance and their importance, as well as to design a proper set of controls to protect information as it is stored, processed, and transmitted across various departments and business units.
  • Does a list of information assets exist? Is it current?
    All assets that may affect the organization's security should be included in an information asset list. Information assets typically include software, hardware, documents, reports, databases, applications, and application owners. A structured list must be maintained that includes individual assets or asset groups available within the company, their location, use, and owner. The list should be updated regularly to ensure accurate information is reviewed during the compliance certification process.
  • How are information assets classified?
    Information assets must be classified based on their importance to the organization and on the level of impact that would result if their confidentiality, integrity, or availability were compromised.
  • Is a high-level security policy in place?
    Critical to implementing an information security standard is a detailed security policy. The policy must clearly convey management's commitment to protecting information and establish the business' overall security framework and sense of direction. It should also identify all security risks, how they will be managed, and the criteria needed to evaluate risks.
  • Has the organization implemented a risk assessment process?
    A thorough risk assessment exercise must be conducted that takes into account the value and vulnerabilities of corporate IT assets, the internal processes and external threats that could exploit these vulnerabilities, and the probability of each threat. If a risk assessment methodology is in place, the standard recommends that organizations continue using this methodology.
  • Is a controls list available?
    Necessary controls should be identified based on risk assessment information and the organization's overall approach for mitigating risk. Selected controls should then be mapped to Annex A of the standard — which identifies 133 controls divided in 11 domains — to complete a statement of applicability (SOA) form. A full review of Annex A acts as a monitoring mechanism to identify whether any control areas have been missed in the compliance planning process.
  • Are security procedures documented and implemented?
    Steps must be taken to maintain a structured set of documents detailing all IT security procedures, and those procedures must be monitored to ensure they are implemented according to established security policies.
  • Is there a business continuity (BC) management process in place?
    A management process must be in place that defines the company's overall BC framework. A detailed business impact analysis based on the BC plan should be drafted, tested, and updated periodically.
  • Has the company implemented a security awareness program?
    Planning and documentation efforts should be accompanied by a proper IT security awareness program so that all employees receive training on information security requirements.
  • Was an internal audit conducted?
    An internal audit must be conducted to ensure compliance with the standard and adherence to the organization’s security policies and procedures.
  • Was a gap analysis conducted?
    Another important parameter to determine is the organization's level of compliance with the 133 controls in the standard. A gap analysis helps organizations link appropriate controls with the relevant business unit and can take place during any stage of the compliance process. Many organizations conduct the gap analysis at the beginning of the compliance process to determine the company's maturity level.
  • Were corrective and preventive actions identified and implemented?
    The standard follows the Plan-Do-Check-Act (PDCA) cycle, which lets the organization see how far and how well it has progressed through each phase. This directly influences the time and cost estimates to achieve compliance. To complete the PDCA cycle, the gaps identified in the internal audit must be addressed by identifying the corrective and preventive controls needed and by confirming the company's compliance based on the gap analysis.
  • Are there mechanisms in place to measure control effectiveness?
    Measuring control effectiveness is one of the latest changes to the standard. According to ISO 27001, organizations must institute metrics to measure the effectiveness of the controls and produce comparable and reproducible results.
  • Is there a management review of the risk assessment and risk treatment plans?
    Risk assessments and risk treatment plans must be reviewed at planned intervals, at least annually, as part of the organization's ISMS management review.
