The safeguards (or controls) that are to be implemented are usually in the form of policies,
procedures and technical implementation (e.g., software and equipment). However, in most cases
companies already have all the hardware and software in place but are using it in an
insecure way; therefore, the majority of the ISO 27001 implementation will be about setting the
organizational rules (i.e., writing documents) that are needed in order to prevent security breaches.
Since such implementation will require multiple policies, procedures, people, assets, etc. to be
managed, ISO 27001 has described how to fit all these elements together in the information security
management system (ISMS).
So, managing information security is not only about IT security (i.e., firewalls, anti-virus, etc.); it is
also about managing processes, legal protection, managing human resources, physical protection,
etc.
See also The basic logic of ISO 27001: How does information security work?
it encourages companies to write down their main processes (even those that are not security-related), which helps them reduce the time their employees lose.
See also Free Return on Security Investment Calculator.
To implement ISO 27001 in your company, you have to follow these 16 steps:
1) Get top management support
2) Use project management methodology
3) Define the ISMS scope
4) Write the top-level Information security policy
5) Define the Risk assessment methodology
6) Perform the risk assessment and risk treatment
7) Write the Statement of Applicability
8) Write the Risk treatment plan
9) Define how to measure the effectiveness of your controls and of your ISMS
10) Implement all applicable controls and procedures
11) Implement training and awareness programs
12) Perform all the daily operations prescribed by your ISMS documentation
13) Monitor and measure your ISMS
14) Perform internal audit
15) Perform management review
16) Implement corrective actions
For more detailed explanation of these steps, see ISO 27001 implementation checklist.
Mandatory documentation
ISO 27001 requires the following documentation to be written:
Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
Of course, a company may decide to write additional security documents if it finds it necessary.
To see more detailed explanation of each of these documents, download the free white paper
Checklist of Mandatory Documentation Required by ISO 27001 (2013 Revision).
Stage 1 audit (Documentation review): the auditors will review all the documentation.
Stage 2 audit (Main audit): the auditors will perform an on-site audit to check whether all
the activities in a company are compliant with ISO 27001 and with the ISMS documentation.
Surveillance visits: after the certificate is issued, during its 3-year validity, the auditors will
check whether the company maintains its ISMS.
See also Becoming ISO 27001 certified: How to prepare for the certification audit.
Individuals can take several courses in order to obtain certificates; the most popular are:
ISO 27001 Lead Auditor Course: this 5-day course will teach you how to perform
certification audits and is intended for auditors and consultants.
ISO 27001 Lead Implementer Course: this 5-day course will teach you how to implement
the standard and is intended for information security practitioners and for consultants.
ISO 27001 Internal Auditor Course: this 2- or 3-day course will teach you the basics of the
standard and how to perform an internal audit; it is intended for beginners in this topic and
for internal auditors.
ISO 9001 defines the requirements for quality management systems. Although at first glance
quality management and information security management do not have much in common, the fact is
that about 25% of the ISO 27001 and ISO 9001 requirements are the same: document control,
internal audit, management review, corrective actions, setting the objectives, and managing
competences. This means that if a company has already implemented ISO 9001, it will have a much easier job
implementing ISO 27001. Learn more about ISO 9001 here.