ISO 27001 Assessments and Implementations

ISO/IEC 27001 is an information security standard in the ISO/IEC 27000 family, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The edition described on this page is ISO/IEC 27001:2013, which has received only minor technical corrigenda since publication; a revised edition, ISO/IEC 27001:2022, has since been published.

ISO 27001 specifies a management system that is intended to bring information security under management control and gives specific requirements. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an audit.

Most organizations already have a number of information security controls. Without an information security management system (ISMS), however, those controls tend to be disorganized and disjointed, having been implemented as point solutions to specific situations or simply by convention. Controls in operation typically address particular aspects of IT or data security, leaving non-IT information assets (such as paperwork and proprietary knowledge) less well protected overall. Business continuity planning and physical security may be managed quite independently of IT or information security, and Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.

ISO/IEC 27001 requires that management:

Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;

Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and

Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.

Note that ISO 27001 is designed to cover much more than just IT.

Which controls are tested during certification depends on the certification auditor. Any control the organization has placed within the scope of the ISMS may be examined, to whatever depth the auditor judges necessary to confirm that the control has been implemented and is operating effectively. Management determines the scope of the ISMS for certification purposes and may limit it to, say, a single business unit or location; an ISO 27001 certificate therefore says nothing about whether the rest of the organization, outside the scoped area, manages information security adequately.

The control areas below follow the grouping used in the 2005 edition of the standard; the 2013 edition regroups the same ground into 14 areas (Annex A, 114 controls), with cryptography, communications security and supplier relationships as separate areas:

  • Information security policy - management direction

  • Organization of information security - management framework for implementation

  • Asset management – assessment, classification and protection of valuable information assets

  • HR security – security for joiners, movers and leavers

  • Physical & environmental security - prevents unauthorized access, theft, compromise or damage to information and computing facilities, and disruptions such as power cuts

  • Communications & operations management - ensures the correct and secure operation of IT

  • Access control – restrict unauthorized access to information assets

  • Information systems acquisition, development & maintenance – build security into systems

  • Information security incident management – deal sensibly with security incidents that arise

  • Business continuity management – maintain essential business processes and restore any that fail

  • Compliance - avoid breaching laws, regulations, policies and other security obligations

Step 1 – Obtain Management Support and Define the Scope of the ISMS.

Step 2 – Write the ISMS Policy – K2 will assist you in developing this policy, which should define the high-level standards of information security in your organization. The purpose is for management to define what it wants to achieve, and how to control it.

Step 3 – Define the Risk Assessment Methodology - Risk assessment is the most complex task in the ISO 27001 project – the point is to define the rules for identifying the assets, vulnerabilities, threats, impacts and likelihood, and to define the acceptable level of risk.

Step 4 – Perform the Risk Assessment and Risk Treatment - In this step a Risk Assessment Report must be written, which documents all the steps taken during risk assessment and risk treatment process. Also, an approval of residual risks must be obtained – either as a separate document, or as part of the Statement of Applicability.

Step 5 – Write the Statement of Applicability - Once K2 completes your risk treatment process, you will know exactly which controls from Annex A you need (the 2013 edition lists 114 controls, but not all of them will apply). The purpose of this document (frequently referred to as the SoA) is to list every Annex A control, state whether it is applicable or not and why, give the objectives to be achieved with the applicable controls, and describe how each is implemented. The Statement of Applicability is also the most suitable document for obtaining management authorization to implement the ISMS.

Step 6 – Write the Risk Treatment Plan - the purpose of the Risk Treatment Plan is to define exactly how the controls from SoA are to be implemented – who is going to do it, when, with what budget etc. This document is an implementation plan focused on your controls, without which you wouldn’t be able to coordinate further steps in the project.
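Steps 3 to 6 describe one procedure: fix a scoring methodology and an acceptable level of risk, score each risk, choose a treatment, record the residual risk for management approval, and derive the Statement of Applicability from the controls selected. The following Python sketch, added here as an illustration and not K2's tooling or anything prescribed by the standard, walks through that procedure on a constructed four-line risk register. The 1-5 likelihood and impact scales, the acceptable-risk threshold of 6 and the handful of Annex A (2013) control identifiers are assumptions chosen for the example; a real ISMS defines its own scales and uses the full control set.

```python
"""Toy ISO 27001 risk assessment, risk treatment and SoA walk-through.
Example code only: the scales, threshold and sample register are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

# Step 3: the methodology. Qualitative 1-5 scales and the acceptable level of risk.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTABLE_RISK = 6           # assumed risk appetite: likelihood x impact at or below this is accepted
TREATMENT_OPTIONS = {"accept", "mitigate", "avoid", "transfer"}

# Constructed excerpt of Annex A (2013 edition) controls referenced by the sample register.
ANNEX_A = {
    "A.9.2.3": "Management of privileged access rights",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.12.2.1": "Controls against malware",
    "A.12.3.1": "Information backup",
    "A.13.1.1": "Network controls",
}


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    treatment: str = "accept"                   # default until a treatment is chosen
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[str] = None   # expected values after treatment
    residual_impact: Optional[str] = None

    def inherent(self) -> int:
        """Risk score before any treatment."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> int:
        """Risk score after treatment; an avoided activity carries no residual risk."""
        if self.treatment == "avoid":
            return 0
        lik = self.residual_likelihood or self.likelihood
        imp = self.residual_impact or self.impact
        return LIKELIHOOD[lik] * IMPACT[imp]


def assess(risks: List[Risk]) -> List[Risk]:
    """Step 4: the risks above the acceptable level are the ones that need treatment."""
    return [r for r in risks if r.inherent() > ACCEPTABLE_RISK]


def treat(risk: Risk, option: str, controls=(), residual_likelihood=None, residual_impact=None) -> Risk:
    """Step 4: record the treatment option, the Annex A controls selected and the expected residual."""
    if option not in TREATMENT_OPTIONS:
        raise ValueError(f"unknown treatment option {option!r}")
    unknown = [c for c in controls if c not in ANNEX_A]
    if unknown:
        raise ValueError(f"controls not in the catalogue: {unknown}")
    risk.treatment = option
    risk.controls = list(controls)
    risk.residual_likelihood = residual_likelihood
    risk.residual_impact = residual_impact
    return risk


def residual_needing_approval(risks: List[Risk]) -> List[str]:
    """Residual risks still above the threshold must be explicitly accepted by management."""
    return [r.rid for r in risks if r.residual() > ACCEPTABLE_RISK]


def statement_of_applicability(risks: List[Risk]) -> dict:
    """Step 5: every catalogue control with its applicability and the justification for it."""
    soa = {}
    for cid, name in ANNEX_A.items():
        using = [r.rid for r in risks if cid in r.controls]
        soa[cid] = {
            "control": name,
            "applicable": bool(using),
            "justification": (f"selected to treat {', '.join(using)}" if using
                              else "no in-scope risk requires this control"),
        }
    return soa


def build_register() -> List[Risk]:
    """Constructed sample register for a small organisation (not real data)."""
    risks = [
        Risk("R1", "customer database", "ransomware", "no offline backups", "possible", "severe"),
        Risk("R2", "staff laptops", "theft", "disk not encrypted", "likely", "major"),
        Risk("R3", "public brochure", "disclosure", "none", "almost certain", "negligible"),
        Risk("R4", "stored card numbers", "data breach", "card data kept after payment", "possible", "major"),
    ]
    treat(risks[0], "mitigate", ["A.12.3.1", "A.12.2.1"], "unlikely", "moderate")  # residual 6: accepted
    treat(risks[1], "mitigate", ["A.10.1.1"], "likely", "minor")                   # residual 8: needs sign-off
    treat(risks[3], "avoid")                                                        # stop storing card data
    return risks


if __name__ == "__main__":
    register = build_register()
    print("needs treatment:", [r.rid for r in assess(register)])
    print("residual awaiting approval:", residual_needing_approval(register))
    for cid, row in statement_of_applicability(register).items():
        print(cid, row["applicable"], row["justification"])
```

Running it flags R1, R2 and R4 as above the acceptable level, leaves R3 accepted without treatment, reports R2 as the one residual risk that still needs management sign-off (the Risk Assessment Report or SoA is where that approval is recorded), and produces an SoA in which A.10.1.1, A.12.2.1 and A.12.3.1 are applicable with a traceable justification while A.9.2.3 and A.13.1.1 are marked not applicable. The point of the exercise is the traceability: every applicable control in the SoA points back to the risk it treats, which is exactly what an auditor asks for.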

Step 7 – Implement the Security Controls and Mandatory Procedures – K2 will assist you in implementing these controls, which usually means the application of new technology, but above all – implementation of new behavior in your organization. Often new policies and procedures are needed (meaning that change is needed), and people usually resist change – therefore the next task (training and awareness) is crucial for avoiding that risk.

Step 8 – Implement Training and Awareness Programs – K2 will assist your personnel in adopting all the new policies and procedures: first we explain why they are necessary, then we train your people so they can perform as expected.

Step 9 – Operate the ISMS - This is the part where ISO 27001 becomes an everyday routine in your organization. The crucial word here is: “records”. Auditors love records – without records you will find it very hard to prove that some activity has really been done. But records should help you in the first place – using them you can monitor what is happening – you will know with certainty whether your employees (and suppliers) are performing their tasks as required.

Step 10 – Monitor the ISMS – K2 will show management what is happening in your ISMS: how many incidents you have and of what type, and whether all procedures are being carried out properly. This is where the objectives for your controls and the measurement methodology come together: you must check whether the results you obtain are achieving what you set out in your objectives. If not, something is wrong and you must take corrective and/or preventive action.

Step 11 – Internal Audit – During this step, K2 will perform a comprehensive internal audit to determine whether the controls are designed and operating effectively and whether the ISO 27001 requirements have been implemented across the ISMS scope.

Step 12 – Corrective and Preventive Actions - ISO 27001 requires that corrective and preventive actions are done systematically, which means that the root cause of a non-conformity must be identified, and then resolved and verified. K2 will assist management in this step by providing comprehensive support.

Step 13 – Management Review – Top management reviews the ISMS at planned intervals to confirm that it remains suitable, adequate and effective, considering the internal audit results, incident and measurement data, the status of corrective actions and any changes affecting the ISMS, and records the decisions taken.

Please contact us for more information about our ISO 27001 assessment and implementation services.