
IT GOVERNANCE | GREEN PAPER

Implementing an ISMS

The nine-step approach

Protect Comply Thrive


IT GOVERNANCE GREEN PAPER | AUGUST 2019

Introduction

Information security is not just about antivirus software, implementing the latest firewall or locking down your laptops and web servers – it is just as much about addressing risks without compromising your business objectives. Because of this, the overall approach to information security should be strategic as well as operational.

An information security management system (ISMS) is a systematic approach to managing confidential or sensitive company information so that it remains secure. The fact that it is systematic is possibly the most important facet of an ISMS: it protects the organisation’s information by ensuring consistent, effective behaviours. If an organisation knows how it needs to operate in order to keep information secure, creating a system to ensure this happens is a key to success.

For an organisation to secure its information, it must approach the task from the perspectives of people, processes and technologies. These are interlinked. In the simplest sense, a technology needs a person to manage and maintain it, and that person needs to follow defined processes in doing so. This is part of the systematisation of information security: ensuring full coverage at any point that information could be compromised.

Implementation is a project

While many organisations develop a range of security measures as they grow, and many of those measures are effective, these information security regimes are often disjointed, and gaps will inevitably be discovered – either by the organisation or by its enemies.

Developing a comprehensive, effective ISMS to secure your organisation’s information assets is almost inevitably a large undertaking. It will require the organisation to treat it as a major project, with all of the associated trappings, such as securing management commitment, defining project governance, setting outcomes and timescales, and ensuring adequate resources are available and earmarked.

Nine steps

The IT Governance nine-step approach to implementing an ISO 27001-compliant ISMS takes all of this into account, and reflects the methodology used by our consultants in hundreds of successful ISMS implementations around the world.

This paper cannot possibly cover all the possible issues you might encounter, or spell out every incremental step, but it does describe what we consider the essential implementation process.

The nine steps cover the full extent of the project, from initial discussions with managers through to testing the completed project. It is as much about having the board on your side as it is about implementing security controls.

It is important to remember that this process is not exhaustive. Each organisation will come up against its own set of stumbling blocks and will need to consult other sources of information.

While this approach is focused on achieving accredited certification, this is not strictly necessary for an organisation to get significant value from its ISMS. To realise maximum value, however – such as from improved business opportunities, simpler compliance with legal and regulatory requirements, and so on – certification should certainly be a consideration.

The nine-step process is described in more detail in Nine Steps to Success – An ISO27001:2013 Implementation Overview.

Step 1: Project mandate


The first, obvious step is to start. Starting any project is a critical phase succinctly
explained with a cliché: well begun is half done.

The project leader will, at least initially, be the person who takes the initiative
and begins the push for the ISMS. They will be the person to whom everyone
else in the organisation looks for information and guidance on the project.

The project mandate itself is essentially a set of answers to the questions all
projects face in their early stages:

• What are we hoping to achieve?
• How long will it take?
• What will it cost?
• Does it have management support?

The last of these is proof that the first three have been clearly answered, and it
is absolutely essential. Success depends entirely on the project having real
support from the top of the organisation.

Developing the answers to these questions may involve a lot of research and
preparation – gap analyses, budgeting, reviewing case studies, and so on. This is
time well spent, though, because a failure to adequately prepare will likely mean
that you will be unable to meet your objectives.

A deliverable for this step will be a set of documents laying out the project.
A project initiation document (PID) would be an ideal format for the mandate to
take.

Step 2: Project initiation


With the mandate in place, the next step is to set up the project and the project governance structure, as described in Nine Steps to Success. This is essentially an extension of what is contained in the PID, comprising:

• Information security objectives;
• The project team;
• A project plan; and
• A project risk register.

The information security objectives are more granular and specific than the project objectives set in the previous step. They will feed into the information security policy and really shape how the ISMS is applied. Because these are ‘policy-level’ objectives, they should include a time-bound statement about whether the organisation is seeking certification or just compliance with the Standard.

The project team should represent the interests of every part of the organisation and various levels of seniority. You should also draw up a RACI matrix at this point, identifying who is responsible, accountable, consulted and informed regarding the key decisions relating to the project.

A key role is that of the information security manager. In addition to having a central role in the implementation project, they will eventually be responsible for the day-to-day functioning of the ISMS.

The project plan is part of the process of gradually drilling down into what will actually be done in implementing ISO 27001, and should include critical project data such as review dates. Additional resources and information may be necessary to make sure that the plan is comprehensive and suitably detailed.

The risk register should account for risks to the project itself. These might be budgetary (will the organisation continue to fund the project?), cultural (will staff resist the change?), lack of management commitment (will senior management openly support the project?), legal (are there specific legal obligations that might be at risk?), and so on. Each risk included in the register should have an assigned owner and a mitigation plan, and should be reviewed regularly throughout the project.

Step 3: ISMS initiation

ISO 27000 (the overview for the ISO information security standards) recognises that a “process approach” to continual improvement is the most effective model for managing information security – each process has a set of inputs and outputs, and the outputs may become inputs for further processes. In a broad sense, this can be cyclical, as in continual improvement methodologies like PDCA (Plan-Do-Check-Act).

ISO 27001 does not specify a particular continual improvement methodology, preferring instead to allow organisations to use whatever method they choose, or to use a model they already have in place. If your organisation does not yet have a preferred methodology, Nine Steps to Success discusses the merits of each of the most popular models.

As part of the ISMS initiation, you will need to establish your documentation structure. We recommend a four-tier approach:

1. Policies at the very top, defining the organisation’s position and requirements.
2. Procedures to enact the policies’ requirements.
3. Work instructions describing the detail for the employees who enact elements of the procedures.
4. Records tracking the procedures and work instructions, providing evidence that they have been followed correctly and consistently.

This structure is simple enough for anyone to grasp quickly, while also providing an effective way of ensuring policies are implemented at each level of the organisation.

A great deal can be said about documentation, but there are two key points:

1. Documentation should be controlled to ensure the latest versions are approved and identifiable.
2. Documentation should be adequate and not excessive, enabling each process to be systematically communicated, understood, executed and effective.

Step 4: Management framework

At this stage, the ISMS needs a broader sense of the actual framework. ISO 27001 addresses this in Clauses 4 and 5, requiring the organisation to define the context for the ISMS, and the roles that the organisation’s leadership plays.

The context of the organisation is really about identifying the range of interests that need to be taken into account. The organisation, clearly, has interests in information security, as do clients, partners, legal and regulatory authorities, and so on. You began examining these interests with the risk register in step 2.

As you might gather, this phase is especially important as it defines what the ISMS will eventually become. From this perspective, it is obviously important that you recognise all relevant interests so that the ISMS can meet your organisation’s needs.

Part of this will involve identifying the scope of the ISMS, which will heavily depend on the context. The scope also needs to ensure it takes into account mobile devices and teleworkers – the organisation’s logical perimeter that might be mobile, and might include devices that employees own.

The management framework also needs to set the groundwork for the rest of the implementation, so you will need to formalise some key arrangements:

• The information security policy.
• The resources necessary to meet your objectives.
• Your communication strategy and/or policy (both internal and external communications).
• Competence requirements.

Step 5: Baseline security criteria

The baseline security criteria are the core security requirements that the organisation has identified. These are the requirements and corresponding measures or controls that the organisation must have in place to do business. For example, a business may have a legal requirement to retain certain records; another organisation may be contractually obliged to provide a minimum level of security to a key customer’s information assets.

This step is generally straightforward, because it operates on the basis that you have already done much of this work. You need only identify the practices you already have in place, assess their effectiveness, and ensure that they continue under the control of the eventual ISMS – potentially in an improved state.

You should, of course, ensure that you are currently meeting your obligations. Tools and databases exist that track legal requirements for information security (such as Vigilant Software’s Compliance Manager), and you should ensure that this process covers all the necessary jurisdictions.

Step 6: Risk management

Information security risk management is at the heart of the ISMS. On the basis of regular risk assessments, your ISMS will adapt to meet new and evolving challenges, and ensure that the risks to information security are adequately and appropriately mitigated. Risk management will need to become a core competence for any organisation implementing ISO 27001.

The Standard allows the organisation to broadly define its own risk management processes. Common methods focus on looking at either risks to specific assets or risks presented by specific scenarios. There are pros and cons to each, which are discussed in Nine Steps to Success, and some organisations will be considerably more suited to one method than the other.

There are five important steps in an ISO 27001 information security risk assessment:

1. Establish a risk assessment framework
2. Identify risks
3. Analyse risks
4. Evaluate risks
5. Select risk management options

The risk assessment framework needs one or more people to be responsible for the risk assessment. Without someone who is capable of performing the assessment, the whole exercise will fail.

You will also need to define your risk acceptance criteria, which involves understanding your risk appetite and the level of risk that the organisation can tolerate.

Risk levels are typically calculated as a factor of the impact of a risk and its likelihood. Risk managers often present this in a simple matrix:

Figure 1: Simple risk matrix (axes: Impact and Likelihood)

The results of risk analysis can be evaluated against your risk acceptance criteria to determine how you respond to the risk. Generally speaking, there are four ways of responding to a risk:

1. Tolerate the risk.
2. Treat it by applying controls.
3. Terminate the risk by avoiding it entirely.
4. Transfer the risk, such as through insurance or agreements with other parties.

For instance, your organisation might decide that anything in the green area is an acceptable risk; that you will apply controls to anything orange or yellow; and anything in the red area should be terminated. You might choose to transfer some risks on a case-by-case basis.

The key outputs of an ISO 27001 risk assessment are the Statement of Applicability (SoA) and the risk treatment plan.

The SoA is a document that contains the “necessary controls” you have selected, justifications for their inclusion, whether or not they have been implemented, and justification for excluding any controls from Annex A of ISO 27001. It essentially proves that you have done due diligence by considering all the reference controls, and is especially important if you are seeking to certify your ISMS.

The risk treatment plan, meanwhile, shows the results of the risk assessment – that is, for each identified risk that requires treatment, what the organisation intends to do. This should include other essential information such as responsibility for the risk and deadlines for completion.
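The risk matrix, the four response options and the risk treatment plan described above, turned into working code as an added example (this is not code from the paper or from IT Governance): a small Python risk register that scores each risk as impact multiplied by likelihood on a 1 to 5 scale, maps the score to a colour zone, applies acceptance criteria of the kind the paper sketches (green tolerated, yellow and orange treated, red terminated, transfer decided case by case), and produces treatment plan entries with an owner and a deadline. The numeric scale, the zone thresholds, the deadline offsets and the sample risks are all assumptions made for this example.

```python
"""Evaluate a risk register against risk acceptance criteria (added example).

Assumptions, not from the paper: impact and likelihood are scored 1..5, the
risk level is their product (1..25), the zone thresholds below define the
matrix colours, and the sample risks are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Response(Enum):
    """The four ways of responding to a risk."""
    TOLERATE = "tolerate"
    TERMINATE = "terminate"
    TRANSFER = "transfer"
    TREAT = "treat"


@dataclass(frozen=True)
class Risk:
    ref: str
    description: str
    owner: str               # person responsible for the risk
    impact: int              # 1 (negligible) .. 5 (severe)
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    transferable: bool = False  # candidate for insurance/contractual transfer

    def __post_init__(self) -> None:
        for name in ("impact", "likelihood"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{self.ref}: {name} must be in 1..5")

    @property
    def level(self) -> int:
        # Risk level as a factor of impact and likelihood (here: the product).
        return self.impact * self.likelihood


# Risk acceptance criteria (assumed): upper bound of each zone on the 1..25 scale.
ZONES = ((4, "green"), (9, "yellow"), (15, "orange"), (25, "red"))

# Deadline offsets per zone (assumed), in days from the assessment date.
DEADLINE_DAYS = {"yellow": 180, "orange": 90, "red": 30}


def zone(level: int) -> str:
    """Map a risk level to its colour in the matrix."""
    for upper, colour in ZONES:
        if level <= upper:
            return colour
    raise ValueError(f"level {level} is outside the matrix")


def respond(risk: Risk) -> Response:
    """Apply the acceptance criteria: green is tolerated, red is terminated,
    yellow/orange is treated unless the risk was marked for transfer."""
    colour = zone(risk.level)
    if colour == "green":
        return Response.TOLERATE
    if colour == "red":
        return Response.TERMINATE
    if risk.transferable:
        return Response.TRANSFER
    return Response.TREAT


def treatment_plan(register: list[Risk], assessed_on: date) -> list[dict]:
    """Build treatment plan entries for every risk that needs action,
    highest level first, each with its owner and a completion deadline.
    Tolerated risks stay in the register but are not in the plan."""
    plan = []
    for risk in sorted(register, key=lambda r: r.level, reverse=True):
        response = respond(risk)
        if response is Response.TOLERATE:
            continue
        colour = zone(risk.level)
        plan.append({
            "ref": risk.ref,
            "description": risk.description,
            "level": risk.level,
            "zone": colour,
            "response": response.value,
            "owner": risk.owner,
            "deadline": assessed_on + timedelta(days=DEADLINE_DAYS[colour]),
        })
    return plan


# Constructed sample register (not taken from the paper).
SAMPLE_REGISTER = [
    Risk("R1", "Laptop theft exposing unencrypted customer data", "IT manager", 4, 3),
    Risk("R2", "Office fire destroying paper records", "Facilities", 5, 1, transferable=True),
    Risk("R3", "Phishing leading to credential compromise", "InfoSec manager", 4, 5),
    Risk("R4", "Visitor reads a whiteboard in a meeting room", "Office manager", 1, 3),
]
ASSESSMENT_DATE = date(2019, 8, 1)  # assumed assessment date


def sample_plan() -> list[dict]:
    """Treatment plan for the constructed register."""
    return treatment_plan(SAMPLE_REGISTER, ASSESSMENT_DATE)


if __name__ == "__main__":
    for entry in sample_plan():
        print(entry)
```

The thresholds in ZONES are the risk acceptance criteria in code form; changing them is the same decision as redrawing the colour boundaries on the matrix, so they belong under document control alongside the risk assessment framework rather than being edited ad hoc.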

Step 7: Implementation

While we call this the ‘implementation’ phase, what we really refer to is the implementation of the management system processes and the risk treatment plan. This is the process of building the actual processes and security controls that will protect your organisation’s information assets.

In order to ensure these are completely effective, you will need to make sure that staff are appropriately competent to operate or interact with the controls, and that they are aware of their information security obligations.

You will need to develop a process to manage the competences necessary to achieve your ISMS objectives. Competence should take into account not only the specific skills and knowledge needed for the relevant controls but also a strong understanding of ISO 27001 and how the ISMS should operate. A small number of staff may need to acquire appropriate qualifications, focusing particularly on areas such as implementing and auditing information security, risk management, business continuity, and so on.

The Standard also requires staff, contractors and other types of employee to be aware of the information security policy, how they contribute to effective information security management, and the implications of failing to conform to the requirements of the ISMS.

Staff are almost always the organisation’s weakest point, so ensuring they know how they contribute to information security is critical. Like other processes, your staff awareness programme should be systematic and maintained over time.

And, of course, all of this will need to be documented. This will fall into the documentation framework you developed in the initiation phase.

This is a large and highly detailed phase of the whole implementation project; it would be wise to read up on the process and what will be required in detail.

Step 8: Measure, monitor and review

For the ISMS to be effective, it must meet its information security objectives. To know whether it is doing so, you need to measure, monitor and review its performance.

ISO 27001 requires the organisation to establish a series of processes that feed into the continual improvement cycle (established in step 3 – ISMS initiation):

• Monitoring, measurement, analysis and evaluation
• Internal audit
• Management review

You will need to identify metrics or other methods of gauging the effectiveness and implementation of your processes and controls. Remember that you should not just be looking at the results, but also at elements like how often a control is used. The results should then be analysed and evaluated to determine how effective the control actually is.

Internal audits should be scheduled at planned intervals and should cover the whole of the ISMS. It should go without saying that internal auditors need to be competent (which may require specialised training for staff, or outsourcing of the task), and that they need to demonstrate impartiality and objectivity when auditing.

Results from ongoing measurement and evaluation, and from internal audits, form part of the input for the management review, alongside information about any nonconformities and corrective actions. The outputs of the review, as mentioned earlier, will be fed into the continual improvement process, allowing the organisation to make corrections and adjustments to the ISMS.

Step 9: Certification

The final step is, obviously, to have your ISMS examined and certified by an independent external body. There are several certification bodies, and the one you select should meet a couple of conditions:

• They should be accredited by your national accreditation body, which should be a member of the International Accreditation Forum (IAF).
• They should have an approach to assessment that takes each organisation’s circumstances into account. An ISMS is unique to its organisation, and the certification audit, therefore, should not simply be a mechanical comparison of the ISMS against the Standard.

If you already have a certified management system, such as a quality or business continuity management system (QMS, BCMS) based on an ISO standard, you should consider the value of an integrated certification service to minimise disruption and costs.

The certification audit will determine whether the ISMS is worthy of certification. There are several things you can do to maximise the likelihood of passing certification at the first attempt.

Ensure your documentation is complete, comprehensive and available for the auditors to inspect. This should be in place before the actual certification audit, as the auditors may want to review your documentation before the visit.

Ensure that you have records of internal audits, process and control operation, and testing. These provide evidence that your ISMS is an active management system rather than just a set of documents, and may also demonstrate your corrective actions and continual improvement in action.

Make sure your staff are open and honest with the auditors, and that they know how to answer the auditors’ questions. This should include ensuring appropriate staff have a thorough knowledge of the areas of information security they are responsible for.

Management should be fully involved in the certification audit. It may be useful to rehearse with them the sorts of questions they may be asked, and to review the formal, management-level policies and declarations.

For many organisations, this will be one of the most critical stages: proving that the implementation programme was effective and being able to show that to partners, customers and other stakeholders. To maximise your chances of getting to this stage, read Nine Steps to Success.

Useful ISMS resources

IT Governance offers a unique range of information security products and services, including books, standards, pocket guides, training courses and professional consultancy services.

ISO/IEC 27001:2013 Standard
ISO 27001 sets out the specification for an effective ISMS. Independently audited certification to the Standard is recognised around the world as an indication of a best-practice approach to securing your information assets.

Certified ISO 27001 ISMS Lead Implementer Training Course
If you are involved in information security management, writing information security policies or implementing ISO 27001, this course covers all the key steps in preparing for and achieving ISMS certification first time.

Nine Steps to Success – An ISO 27001:2013 Implementation Overview
Now in its third edition, this must-have guide has been completely updated to align with IT Governance’s implementation methodology, used by our consultants in hundreds of successful ISMS implementations around the world.

vsRisk
Fully aligned with ISO 27001, vsRisk streamlines the risk assessment process and helps you produce robust risk assessments. It saves 80% of your time and significantly cuts the consultancy costs that are typically associated with tackling a risk assessment.

ISO 27001 Toolkit
Fulfil your ISO 27001 documentation obligations with customisable templates and implementation guidance from ISO 27001 auditors. Ensure total coverage of your project with this complete set of mandatory and supporting documentation.

View all our ISO 27001 products and services.

Other papers you may be interested in

• Risk Assessment and ISO 27001 (IT Governance Green Paper, February 2019)
• ISMS Measurement – Metrics made easy (IT Governance Green Paper)

IT Governance solutions

IT Governance is your one-stop shop for cyber security and IT governance, risk management and compliance (GRC) information, books, tools, training and consultancy.

Our products and services are designed to work harmoniously together so you can benefit from them individually or use different elements to build something bigger and better.

Books
We sell sought-after publications covering all areas of corporate and IT governance. Our publishing team also manages a growing collection of titles that provide practical advice for staff taking part in IT governance projects, suitable for all levels of knowledge, responsibility and experience.
Visit www.itgovernance.co.uk/shop/category/itgp-books to view our full catalogue.

Toolkits
Our unique documentation toolkits are designed to help organisations adapt quickly and adopt best practice using customisable template policies, procedures, forms and records.
Visit www.itgovernance.co.uk/documentation-toolkits to view our toolkits.

Training
We offer training courses from staff awareness and foundation courses, through to advanced programmes for IT practitioners and certified lead implementers and auditors.
Our training team organises and runs in-house and public training courses all year round, as well as instructor-led and self-paced online training courses, covering a growing number of IT GRC topics.
Visit www.itgovernance.co.uk/training for more information.

Consultancy
We are an acknowledged world leader in our field. Our experienced consultants, with multi-sector and multi-standard knowledge and experience, can help you accelerate your IT GRC projects.
Visit www.itgovernance.co.uk/consulting for more information.

Software
Our industry-leading software tools, developed with your needs and requirements in mind, make information security risk and compliance management straightforward and affordable for all, enabling organisations worldwide to be ISO 27001-compliant.
Visit www.itgovernance.co.uk/shop/category/software for more information.
IT Governance is the one-stop shop for cyber security, cyber risk
and privacy management solutions. Contact us if you require
consultancy, books, toolkits, training or software.

t: +44 (0)333 800 7000


e: [email protected]
w: www.itgovernance.co.uk

A GRC International Group plc subsidiary

Unit 3, Clive Court, Bartholomew’s Walk


Cambridgeshire Business Park, Ely
Cambs., CB7 4EA, United Kingdom

IT Governance Ltd

@ITGovernance

/it-governance

/ITGovernanceLtd

© 2003–2020 IT Governance Ltd | Acknowledgement of Copyrights | IT Governance Trademark Ownership Notification
