ISO 27001/ISO 27002 implementation and certification journey can be divided into the following key phases:
1. Context Assessment – This phases assess your business, and correlates what is the most important that needs to be protected.
2. Scope definition – Based on the context, scope helps you define the physical and logical boundary. The decision so taken will impact all the subsequent tasks.
3. Asset identification – asset is what you are seeking to protect, therefore determining organisation assets is the critical first step. If you don’t identify all the assets, it is highly likely that you will miss the asset under the scope of protection.
4. Risk assessment – the next and one of the most comprehensive tasks is to evaluate assets and their risks. This would typically involve asset verification, valuation, as well quantifying an assets’ threat, impact, vulnerability, probability analysis resulting in risk valuation for each asset, and one hand, and listing down asset-wise weakness on the other.
5. Gap analysis against 114 controls – ISO 27001 controls provides a comprehensive (however not exhaustive) controls, and it is important to conduct ‘as-is’ verification of controls that you don’t have. This contributes to the next set of weaknesses.
6. Vulnerability Assessment/Penetration Testing of your technology infrastructure which includes applications/networks services and associated infrastructure.
7. Implementation – having identified gaps from the previous three assessments exercise(4,5&6), the journey of implementation should begin. The implementation journey involves decision, direction and documentation of security gaps, and implementation through policy, personnel, procedural and technical controls. The implementation journey involves publishing key organization specific information security policies at the apex level and implementation of each identified control requirement through documented procedures. Documentation also involved writing and publishing ISMS Manuals.
8. Performance Dashboard or Measurement – You have implemented, alright! What is the proof? This phase involves a measurement framework to be in place that defined a target for each identified control. Management wants return on investment and only by measurement one can show the true benefits. ISO 27001 Clause 6.2 and Clause 9.2 demands performance of ISMS processes.
9. Internal audit – Final verification of control implementation by an independent team, this phase not only checks control implementation but also lifecycle changes.
10. Final CB certification – This is where the final certification body arrives and the phase is divided into two major phases – Stage 1 – documentation and stage 2 – implementation audit.
The whole process can take anywhere between 2-3 months for a smaller organisation (1 location less than 100 people), to 4+ months for a larger organisation. In our experience the delay is not due to size but policy implementation and communication. Also note that this is a management system, so in each phase should be ‘ideally’ signed off by management to track status and progress because for many organisations it is major ‘change-management’ program.
Coral eSecure has successful implementation methodology which can help organisation of any size and location reach compliance faster, and more comprehensively.