ISO 27001 is the standard for an Information Security Management System (ISMS), which defines a process that allows organisations to identify their most valuable information assets and to protect them as required. In so doing, organisations can focus on key areas and allocate resources accordingly in a cost-effective manner.
There are several key stages that businesses should follow in setting up and developing an ISMS:
1. Define your scope
The scope of the ISMS covers the functions, teams, business locations and services that you are looking to protect. For service providers, the scope is often an opportunity to identify key offerings that customers may be interested in.
2. Identify and Value Assets
A company’s assets should always be at the core of a good risk assessment. Put simply, if you don’t know what you are trying to protect, how can you expect to anticipate the risks? When identifying assets, it is best to keep to a high level and to value each asset according to its confidentiality, integrity and availability requirements. The assets should also be identified by key stakeholders from across the scope.
3. Define Risk Methodology/Acceptance Criteria
Risk methodologies should always be documented and the acceptance criteria should be defined and agreed. A risk assessment should be a standard repeatable process, which does not depend on one individual. With this in mind, it is advisable to remove all calculations that are based on an individual’s interpretation or assessment, and define hard criteria to assess and accept risk. A good example of a risk methodology can be found in ISO 27005.
4. Perform Risk Assessment
Once you have identified your assets and defined your risk methodology/acceptance criteria, you are ready to perform a risk assessment. Start with the asset you wish to protect and identify threats and vulnerabilities, ensuring that you draw on experience and previous incidents!
5. Create a Risk Treatment Plan
A populated risk register will identify the key risks within the scope. This can then be used to identify controls. Controls should be chosen from a cost/management perspective and modelled against the risk register in order to forecast the effect on the risk level. The treatment options will include:
- Risk Treatment – Implement control in order to reduce a vulnerability and protect against a threat
- Risk Toleration – Accept the risk where it would not be financially viable to treat it
- Risk Transfer – Consider outsourcing the risk to a third party, or obtaining insurances
- Risk Termination – Cease doing whatever is causing the risk
When identifying the controls to be implemented, you should also document a way of measuring the effectiveness of the control. Measurement techniques will include internal audits and monitoring of ongoing incidents.
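As an added illustration of steps 2 to 5 (not code from the original post), here is a small Python model of a risk register driven by hard, pre-agreed criteria rather than individual judgement. The assets, CIA ratings, threats, likelihoods and controls are constructed for the example, and the value x likelihood scoring and the threshold of 4 are assumptions, not the ISO 27005 method itself.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Hard, pre-agreed criteria (constructed for this example): asset value = highest C/I/A
# rating (1 low .. 3 high), likelihood 1..3 from incident history, risk = value * likelihood.
ACCEPTANCE_THRESHOLD = 4  # only risk levels at or below this may be accepted

Asset = namedtuple("Asset", "name confidentiality integrity availability")
def asset_value(a: Asset) -> int:
    return max(a.confidentiality, a.integrity, a.availability)

@dataclass
class RiskEntry:
    asset: Asset
    threat: str
    likelihood: int                            # inherent, before any control
    treatment: str = "tolerate"                # treat | tolerate | transfer | terminate
    control: str = ""                          # control chosen when treating
    residual_likelihood: Optional[int] = None  # forecast once the control is in place

    def inherent_risk(self) -> int:
        return asset_value(self.asset) * self.likelihood

    def residual_risk(self) -> int:
        if self.treatment == "terminate":      # the activity causing the risk stops
            return 0
        if self.treatment == "treat" and self.residual_likelihood is not None:
            return asset_value(self.asset) * self.residual_likelihood
        return self.inherent_risk()            # tolerate/transfer leave the level as is

def model_treatment_plan(register: list) -> list:
    # Forecast residual levels; transfer moves liability to a third party, so it is
    # recorded as accepted even though the level itself is unchanged.
    plan = []
    for r in register:
        residual = r.residual_risk()
        plan.append({"asset": r.asset.name, "threat": r.threat, "treatment": r.treatment,
                     "control": r.control, "inherent": r.inherent_risk(), "residual": residual,
                     "accepted": residual <= ACCEPTANCE_THRESHOLD or r.treatment == "transfer"})
    return plan

def sample_register() -> list:
    crm = Asset("customer database", 3, 3, 2)   # constructed stakeholder valuations
    www = Asset("marketing website", 1, 2, 2)
    ftp = Asset("legacy FTP server", 2, 2, 1)
    return [RiskEntry(crm, "credential phishing", 3, "treat", "MFA on all logins", 1),
            RiskEntry(www, "denial of service", 2, "tolerate"),
            RiskEntry(ftp, "exploitation of unpatched service", 3, "terminate"),
            RiskEntry(crm, "ransomware", 2, "treat", "offline backups", 2)]
```

Any entry whose forecast residual level is still above the threshold (here, ransomware against the customer database) goes back to the treatment plan for a stronger or additional control before the risk can be signed off.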
6. Document Statement of Applicability
The Statement of Applicability is a document unique to ISO 27001. It lists all of the controls detailed in Annex A of the standard, and you must justify which controls you are implementing and which you do not feel are applicable.
7. Implement Controls
A populated Risk Treatment Plan and Statement of Applicability will define exactly what controls are required for the ISMS. It is important to take a holistic approach when implementing controls and to consider both defence in depth and 360-degree security. Dependency on one control could be catastrophic in the event of a single failure.
8. Monitor Controls
Finally, monitoring controls is essential to understand whether your investment is working. This can be achieved by testing, internal audits, monitoring of incidents, management reviews and external audits.
To contact Nettitude's editor, email firstname.lastname@example.org.