
https://iterasec.com/blog/iso-27001-implementation-guide-for-it-companies/

ISO 27001: Implementation guide for IT Companies
By: Igor Kantor | May 6, 2021 | Compliance

Information Security (IS) is among the most important aspects of running a business.
Ensuring your data is secure is vital for long-term success, and undergoing an IS
certification is one of the best ways to achieve this. While all businesses can agree on
that, not many understand what the ISO 27001 standard is about and what is needed to
implement it. We decided to answer the questions you might have on this topic.

In this guide, we provide an overview of how to implement ISO/IEC 27001:2013 for
companies that decided to proceed with this process. We will cover key implementation
milestones and challenges, along with some useful tips on how to avoid common traps.

What is ISO 27001?

ISO/IEC 27001:2013 is an international standard designed to help businesses create a
robust Information Security Management System (ISMS). An ISMS is a systematic
approach to managing sensitive company information so that it remains secure. It
encompasses people, processes, and IT systems by applying a risk management
process to daily data management workflows.

An ISMS is a top-down approach ensuring the company has a transparent policy on who
can access what information and how they can use it. In addition, it introduces a
framework for data handling, which ensures that everyone from C-level to common staff
members knows what information they can (and cannot) access. Its main goal is to
ensure the CIA (Confidentiality, Integrity and Availability) of mission-critical sensitive
data, both during normal business operations and when under attack by hackers.

To that end, ISO/IEC 27001:2013 provides a comprehensive set of controls comprising
best practices in information security. The standard is applicable to any industry and
any company size. It can help small, medium, and large businesses in all sectors keep
information assets secure. It is also a basis for adopting enterprise-grade software like
Microsoft Active Directory.

More importantly, as an internationally recognized information security standard, ISO
27001 provides a distinct advantage for those businesses that implemented it and
obtained certification. The standard demonstrates the company’s ability to securely
handle information throughout all business operations and is often included as one of
the prerequisites for governmental tenders and corporate contracts. As of today, more
than 20,000 companies worldwide are already ISO/IEC 27001:2013 certified.

On top of that, many other certifications are based on ISO/IEC 27001:2013, including
SOC 1/2 and TISAX. Even GDPR and DPA’s technical requirements are quite well
matched with ISO 27001. So, the ISO 27001 implementation is a good foundation for a
company to be ready to respond to various IS (information security) requirements
according to the industry best practices.

Updated ISO 27001:2022 revision

ISO 27002 is a supporting standard which provides guidance on the implementation of
security controls listed in ISO 27001 Annex A. In February 2022, this standard was
updated, and the newest version as of now is ISO 27002:2022. It is also expected that
ISO 27001 will get a corresponding update toward the end of 2022.

Fundamental changes in the 2022 revision:

- First of all, the changes touch only the security controls, not the body of the standards.
Only the security controls listed in ISO 27001 Annex A will be updated.

- The number of controls has decreased from 114 to 93, and controls are now
grouped in 4 sections instead of 14.

- There are 11 new controls, and some controls were merged.

Overall, these changes make the standard more logical and better suited to the modern
IT and software realities.

Concerning the preparation for the 2022 changes, there are a few things to keep in
mind:

- First of all, there will be (most probably) a two-year transition period starting from
the ISO 27001:2022 publication date. So there is definitely enough time to prepare.

- If you are already implementing ISO 27001 and have a certification roadmap, don’t
wait for the new standard and get certified (:2013).

- If you only plan to implement ISO 27001, it might be a good idea to address the
new version already from the beginning.


The business value of ISO 27001 implementation

Below we describe the business value delivered by four main sections of this standard
that form the ISMS core.

Risk assessment

The risk management process starts with identifying and quantifying the risks to the
company’s business assets present in the existing operations. Once quantified, such
risks form a risk profile that can be managed by applying specific security controls. This
allows companies to mitigate security risks by reducing them to acceptable levels for a
business based on its risk appetite.

Security policies

These policies are basically written instructions on the approach an organization should
take to deploy and manage the security controls. Defining these policies helps enforce
such controls consistently across the entire organization.

Organization of information security

This aspect of the process enables structuring the IS roles and responsibilities within
the organization, which is needed to properly manage and maintain the ISMS. As a part
of this process, adequate information security training and periodic skill checks are
introduced, along with risk profile reviews and implementation process steering
meetings.

Asset management

This ISMS component aims to compose and manage a list of assets (any information of
business value, like the employee personal details, CRM data, intellectual property,
etc.). Maintaining such a list helps organizations better control the information whose
CIA must not be compromised. As mentioned above, the risks to digital assets must be
identified and quantified, appropriate security controls must be deployed, and the risk
levels should thus be reduced to the degree that the organization feels comfortable with.

The above sections form the core of the ISMS and provide the most business value to
every company. The rest of the standard’s sections contain instructions on how to
ensure watertight information management security. They cover the workflow for the
identification, management, and resolution of security incidents. On top of that, other
sections contain business continuity plans and critical recommendations for controlling
physical access to key elements of the organization’s ISMS.

After implementing these instructions, your company will benefit from a robust IS
management framework, streamlined data security workflows, and industry-leading best
practices for incident resolution.

How to implement ISO 27001

Many consider a gap analysis to be a good starting point for the ISMS implementation workflow. It
allows organizations to understand their level of operational maturity and readiness for
ISO 27001. But, in our experience, a gap analysis doesn’t make much sense unless a
company has a dedicated IS department, because the skills required to identify the
gaps are usually missing. That’s why it’s better to dive straight into implementation and
solve the issues as they arise.

General overview

Typically, the ISMS is organized in PDCA (plan–do–check–act or plan–do–check–adjust)
cycles. PDCA, also known as the Deming circle/cycle/wheel, is an iterative four-step
management method used in business to control and continuously improve
processes and products.

For ISO 27001, the ISMS goes through year-long PDCA cycles. Here is what each stage
encompasses:

Phase: Plan (T: 1)
- Define ISMS objectives and goals
- Organisation of information security
- Implement risk management framework

Phase: Do (T: 3)
- Develop key policies (BYOD, HR, Physical security, Encryption, etc.)
- Implement Annex A controls to mitigate risks
- Perform activities and create periodic records required by the policies

Phase: Check (T: 1)
- Accomplish internal ISMS audit
- Perform monitoring, measurement, analysis, and evaluation

Phase: Act (T: 1)
- Fix issues and non-conformities identified during the internal audit

The most heavyweight phases are Plan and Do. Check and Act are meant to verify and
correct what has been done.

After successfully completing one cycle, a company can apply to become ISO 27001
certified. While normally the PDCA cycles are one year long, the initial cycle can be
shortened to speed up the certification process.

Companies can implement ISO 27001 entirely on their own or get implementation
guidance from certified professionals.

Timeline

On average, expect the ISO implementation to take 6-12 months. The exact timeline
depends on many factors: company size, readiness level, management focus,
resources, etc. Some companies do it faster, e.g., in a few months, but they are cutting
corners instead of practically working on the system. This is not advisable, as it
creates technical debt that you will later have to pay off with another project, and the
cost of failure can be rather high.

Treating ISMS as a project

To make ISMS implementation efficient and to meet the set deadlines, you need to treat
this process as a separate project. It means:

- Having a dedicated PM (Project Manager) or IS manager who has expertise in
organizing things and documentation

- Using a project management system like Jira, Youtrack, Trello, Asana, or others to
assign the tasks and oversee their completion

- Having a project plan in place and following it

- Performing regular check-ins to ensure the team does not digress.

Having a good project plan in place is extremely important! This is what we normally do
as one of the first steps when guiding clients to implement ISO 27001. You can come
up with your own or use the Excel template we provide:

Assembling a team

Of course, the team can vary from company to company based on your industry, size,
level of operational maturity, and other factors. But here is the approximate team
structure and the roles you would need:

Role: PM/IS manager
Function: ISMS implementer. This person should be skilled in IS and understand what the ISO st
Some ISMS implementers might be less experienced in ISO 27001 specifically. If this
they should be backed up with external experts.
Main responsibilities: orchestrating the project, managing/writing most of the documen
keeping track of the project status, etc.

Role: IT and system administration
Function: Lots of ISMS activities depend on the IT department in one way or another. So, good c
and dedication from IT are required.

Role: C-level support
Function: ISO standard implementation requires making many company-wide decisions, so a who
buy-in from C-level executives is a must. Somebody with the authority to make decisio
supply a budget must oversee the project.

Role: Department heads
Function: ISO 27001 touches different areas of the company, so all the key stakeholders (e.g., hea
engineering, head of PM, head of recruitment/HR) should be onboard.

Role: Expert ISO 27001 or Virtual CISO
Function: In case you don’t have an experienced ISO 27001 implementer with dozens of projects
external experts will save you from mistakes, point you to important gaps, and prepare
audit in general.

Role: Internal auditor
Function: It’s often an underestimated role. An internal auditor is needed to make an independent
evaluation of the ISMS readiness level and identify any gaps.

Be ready to allocate enough capacity for these resources; otherwise, the project will
slip behind its timeline.

How to get certified

Certification involves the organization’s ISMS being assessed for compliance with ISO
27001 by the certification body. Normally, it’s an on-site visit by an auditor that consists
of several days (up to one week) of interviews. If everything is successful, a company
gets a certificate valid for three years.

Finding an auditor is the responsibility of the organization seeking certification. We
recommend contacting your local vendors to get quotes, since it’s always easier to work
with local providers. It’s preferable to work with certification bodies accredited by one of
the IAF members, as this guarantees that their certificate will be recognized without any
issues.

It’s also important to get in touch at the beginning of the project so that auditors keep
your organization in mind and set the audit date in advance. Waiting until the last minute
is a bad idea as auditors may be booked in, and your certification can be delayed.

Remember that auditors are humans, too. So it’s your task to help them understand
what you’ve done, explain the processes, and talk through everything.

Tips and FAQ for making the most of ISO 27001 implementation

Iterasec’s extensive cybersecurity experience shows that ISO implementation is a complex
process, and there are certain things to keep an eye out for. So here are some expert
tips:

Tip #1: Properly implement the following policies and controls:

- Risk management

- Device/laptop and BYOD policies

- Access control

- Physical security

- Information classification and protection

- Incident management: reporting and incident recovery

From experience, these controls are especially significant for IT companies; hence, to
make ISO 27001 practically useful, we recommend not cutting corners when
implementing them.

Tip #2: Create clear and concise documentation

For an average employee, there will be quite a lot of documents to get familiar with,
which can be overwhelming. To help your personnel learn new rules, create something
more distilled, with your key IS rules outlined in 1-2 pages.

Tip #3: Make documents easy to access and navigate

People will not remember everything and will have to look things up. Store the key ISMS
policies and documents on a corporate Google drive or equivalent secure cloud storage.
Ensure your ISMS provides easy-to-access information on where to report incidents and
how to reach out to IS people, etc.

Tip #4: Invest enough in training your staff

Make it practical and useful, not just pro forma. For the ISO to provide actual business
value, all the participants must be on board. Everyone should clearly understand what
happens and why it is done this way and not the other.

FAQ #1: Can I implement another ISO at the same time?

Yes, you can. Popular combinations are ISO 27001+22301 or ISO 27001+9001, as they
have a lot in common. Another combination could be ISO 27001+27701 as ISO 27701
is basically the GDPR translated to the language of ISO standards.

Furthermore, there are other non-ISO frameworks and standards, such as SOC
2 or TISAX, which have a lot in common with ISO 27001.

FAQ #2: Where can I get document templates?

Good templates will save you a lot of effort, especially if you are new to ISO 27001.
There are several options in the market, for example, Advisera.
When guiding our clients, we normally provide our own pre-filled set of templates.

FAQ #3: Does ISO 27001 mean my company won’t be hacked?

The answer is no. While ISO 27001 does require some strong security controls, it’s a
management and organisational framework in the first place. At the same time, if
implemented properly and with enough attention (not just creating documents but
actually putting them into practice, organizing good training for employees, etc.), it really
increases company resilience, especially when a company is new to IS or the ISO
27001 implementation.

FAQ #4: Is a pentest needed before the audit?

It really depends on the product or company to be certified. In practice, it is not always
needed. The standard requires that a technical audit be performed, but it
doesn’t necessarily have to be an external pentest or security assessment. At the same
time, pentesting is an extremely useful exercise to validate your real security level. Our
company offers a wide range of such services: for applications, networks and clouds.

Conclusion

Yes, implementing ISO 27001 in IT requires quite a lot of resources, but it’s definitely
worth it. First of all, you will be sure that you have watertight data security. Secondly,
being ISO-certified shows the high-quality level of your services to customers, partners,
and contractors.

Should you have any additional questions, feel free to contact us and get a consultation
from our experts!

*******************
12 Steps to implementing an ISMS with ISO 27001

Step 1 – Define objectives

Implementing an ISMS with ISO 27001 is a lot of work. Make sure everyone is clear about what
you want to achieve with the implementation; and make sure there’s a champion at top level
supporting those objectives.

Step 2 - Define your scope

What information are you trying to protect exactly? What information would your clients,
shareholders, trustees or other interested parties like you to protect? It’s useful to start by
considering all your business processes when determining the scope.

Very high-level process maps will make it clear where the information you want to protect is
held, in which systems and networks it resides, who is responsible for it and who has access to
it.

Step 3 – Make an inventory of assets

This is an inventory of the information you want to protect and the other assets associated with it
(e.g. hardware, software, databases, physical locations). Again, it’s useful to do this using a
process map for the business processes in scope.

Step 4 - Define your risk management framework

This standard is about managing the risks to the confidentiality, integrity and availability of the
information. This is a crucial part of your implementation. While the framework isn’t prescribed
explicitly, you do need to put in place a framework that includes a risk assessment process that
produces consistent scores no matter who does the assessment. The framework also needs to
produce risk treatment options that take into consideration the results of the risk assessment.

Step 5 - Identify the risks and score them

ISO 27001 is part of a “family” of standards, the ISO 27000 series. ISO 27005 is the part that
provides guidelines for information security risk management. It proposes two approaches to
identify and score risks:

1. Scenario based approach: risks are identified by considering events and scored by assessing their
consequences. In other words, you try and think of everything that could go wrong (events) and
determine what impact (consequences) this would have on the confidentiality, integrity and
availability of the information in your scope.
2. Asset-threat-vulnerability approach: risks are identified using the inventory of assets as the
starting point. For each category of assets (e.g. laptops, servers, networks) the threats (theft,
human error, malware, etc) to those assets, their vulnerabilities (e.g. lack of relevant employee
security training) and their value to the organisation (monetary or other) are considered and
scored accordingly.

While in theory the scenario-based approach seems simpler and more attractive, in practice I
have observed that unless the people doing the risk assessment are very knowledgeable about
information security, they quickly run out of steam. It’s often a case of “you don’t know what
you don’t know!”. For that reason I tend to prefer the Asset-Threat-Vulnerability approach.

Step 6 - Risk treatment plan(s)

For each risk identified, you need to decide on a treatment. The note to the definition of risk
treatment in BS EN ISO/IEC 27000:2017 gives seven options:

1. avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
2. taking or increasing the risk in order to pursue an opportunity
3. removing the risk source
4. changing the likelihood
5. changing the consequences
6. sharing the risk with another party or parties (including contracts and risk financing)
7. retaining the risk by informed choice

Excepting option 2 and 7, all the other options imply that you either change the likelihood of a
risk occurring and/or change the severity of the consequences if it does occur. In both cases, this
is done through a “control”. For example, you might decide that to avoid the risk of losing a
laptop that contains sensitive customer data, you will not allow that data to be on the laptop in
the first place. To make sure people don’t store customer data on their laptop, there needs to be
something that prevents loading the information or detects that it has been transferred so it can be
removed. Those are the controls. Generally speaking, the combined controls become the
Treatment Plan – but you could have multiple Treatment Plans. Personally, I like to call this the
Risk Action Plan because it’s the basis for the actions you decide to take.
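As an added illustration of Steps 4 to 7 (a scoring formula that is the same whoever applies it, the asset-threat-vulnerability register, the seven treatment options, and the control-to-risk mapping that seeds the Statement of Applicability), here is a small risk register in Python. It is example code written for this page, not the article author’s material; the 1..5 scales, the value × likelihood × impact formula and the sample entries (including the laptop scenario above) are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Treatment(Enum):
    """The seven treatment options listed in Step 6 (ISO/IEC 27000 note)."""
    AVOID = 1                # stop the activity that gives rise to the risk
    TAKE = 2                 # take/increase the risk to pursue an opportunity
    REMOVE_SOURCE = 3
    CHANGE_LIKELIHOOD = 4
    CHANGE_CONSEQUENCES = 5
    SHARE = 6                # e.g. contracts, insurance
    RETAIN = 7               # informed acceptance

# Options 2 and 7 need no control; every other option must be backed by a control.
CONTROL_BACKED = {Treatment.AVOID, Treatment.REMOVE_SOURCE,
                  Treatment.CHANGE_LIKELIHOOD, Treatment.CHANGE_CONSEQUENCES,
                  Treatment.SHARE}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    value: int                 # asset value to the organisation, 1 (low) .. 5 (critical)
    likelihood: int            # 1 .. 5 (assumed scale)
    impact: int                # consequence for C/I/A, 1 .. 5 (assumed scale)
    treatment: Treatment = Treatment.RETAIN
    controls: tuple = ()
    residual_likelihood: Optional[int] = None   # after treatment; None = unchanged
    residual_impact: Optional[int] = None


def score(value: int, likelihood: int, impact: int) -> int:
    """Fixed formula so different assessors get the same score for the same inputs."""
    for level in (value, likelihood, impact):
        if not 1 <= level <= 5:
            raise ValueError(f"level {level} is outside the 1..5 scale")
    return value * likelihood * impact


def residual_score(r: Risk) -> int:
    """Score after treatment; rejects reductions that no control justifies."""
    lik = r.likelihood if r.residual_likelihood is None else r.residual_likelihood
    imp = r.impact if r.residual_impact is None else r.residual_impact
    if r.treatment in CONTROL_BACKED and not r.controls:
        raise ValueError(f"{r.asset}/{r.threat}: {r.treatment.name} requires a control")
    if r.treatment not in CONTROL_BACKED and (lik, imp) != (r.likelihood, r.impact):
        raise ValueError(f"{r.asset}/{r.threat}: {r.treatment.name} cannot lower the score")
    return score(r.value, lik, imp)


def above_appetite(register: List[Risk], appetite: int) -> List[Risk]:
    """Risks whose residual score still exceeds the level the business accepts."""
    return [r for r in register if residual_score(r) > appetite]


def applicable_controls(register: List[Risk]) -> Dict[str, List[str]]:
    """Control -> risks it treats: the justification seed for the Statement of Applicability."""
    mapping: Dict[str, List[str]] = {}
    for r in register:
        for control in r.controls:
            mapping.setdefault(control, []).append(f"{r.asset}: {r.threat}")
    return mapping


# Constructed sample register; the laptop entry is the scenario from Step 6.
REGISTER = [
    Risk("laptop", "theft", "customer data stored locally", 5, 3, 5,
         Treatment.AVOID, ("no customer data on endpoints", "DLP detects transfer"),
         residual_impact=1),
    Risk("server", "malware", "outdated anti-malware", 4, 4, 4,
         Treatment.CHANGE_LIKELIHOOD, ("managed anti-malware",), residual_likelihood=2),
    Risk("office network", "human error", "no awareness training", 3, 4, 2),
]
```

With an assumed appetite of 20, the laptop risk drops from 75 to 15 once the data is kept off endpoints, while the server (32) and the retained human-error risk (24) remain above appetite and would need further treatment before the cycle closes.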


Step 7 – Verify risk treatment plan against the Annex A controls

To help make sure that no necessary controls are overlooked in your ISMS, ISO 27001 proposes
a list of 114 controls, each of which must be considered, and their inclusion or exclusion
justified. This list of what you include or not and the justifications form the Statement of
Applicability.

This list of controls is where ISO 27001 is both very useful and potentially harmful to your
project. I have seen organisations start with this list of controls, without first assessing their risks
and using the result of this assessment to prioritise their action plan. They go down the list and
find the best technology and procedures to implement each one of the controls. They inevitably
end up with endless internal arguments, spending far more time and money than they anticipated
and have no clear sense of priorities. If you take anything away from this article, please DON’T
start with Annex A!

Step 8 - Write documentation

At this point you will have a clear view of what your risks are and what you need to do to
manage them. This is when you will be most efficient at writing the documentation, i.e. the
policies and procedures describing how you will operate your ISMS.

Note that it’s not a requirement for all procedures to be formally documented. However, if it’s a
process that isn’t done very frequently or if it’s complex with several steps, it’s probably best to
document it to minimise human error.

Step 9 – (at the same time as step 8) – Implement technical risk mitigating solutions

It is more than likely that you’ll need to implement technical solutions. Whether it’s tightening
up security groups on your on-premise Active Directory, implementing a Directory-as-a-Service
solution, changing the anti-malware software in place or implementing information classification
and data retention functionality in your document management system, technology-based
changes are afoot.

Step 10 - Manage the change

Although this comes in at step 10 – all good business analysts and change managers will tell you
that changing the way people work needs to start at the very beginning of a project. Don’t forget
that people will probably need to be trained on new procedures and/or systems. ISO 27001
impacts people – it is a business transformation project, not an IT project.

Step 11 – Operate your ISMS – internal audits, measures, monitoring and management reviews

You are now in the “Check” and “Act” sections of the PDCA diagram above. Regular internal
audits, measurements (e.g. key performance indicators) and monitoring will help you verify
whether the policies and procedures are indeed managing risks, if people are following them and
if technology solutions are working.

Relevant people or groups in your governance structure will review the outcomes of audits,
measures and monitoring and make decisions to keep the same controls in place or amend.

Step 12 - Continuous improvement

Steps 1 to 11 become a “business-as-usual” cycle and you have an ISMS!

Don’t forget that implementing an ISMS is a major business project which will likely change the
way people work. It may even turn into a programme with multiple underpinning projects. The
usual critical success factors for any project therefore apply: backing from the senior team is
required, a budget must be approved and resources allocated, a senior executive appointed as
accountable lead, a project manager appointed, etc. Although not an IT project, many
components are IT based and therefore you might find our IT Project Processes article useful.
