As a prescriptive regulatory framework, ISO 27001 lays out exactly what controls need to be implemented and functioning for a certification. In our last post, we went into the requirements and controls for ISO 27001. Now, we’ll cover how to implement them, execute an internal audit, and prepare for the external audit resulting in certification.
To recap the last post in this series, ISO 27001 has 114 controls listed in Annex A of the standard, and 7 clauses that define the requirements for an ISMS. Before implementation, businesses need to determine the scope of their ISO 27001 program and execute a gap analysis to identify opportunities to fill gaps in their infosec posture.
Implementing ISO 27001
While ISO 27001 is fairly straightforward in terms of control implementation, our compliance architects have some tips on what to tackle first.
First, take the time to confirm the scope of your ISMS and inventory the policies you already have. This should be part of your gap analysis and scoping, but it’s good to revisit your plan before diving into implementation. By identifying existing policies, your team can determine which ones require enhancing and which still need to be authored.
After highlighting the missing policies, approach ISO 27001 implementation with project management best practices. That means starting with roles and responsibilities. You’ll need to tackle tasks like access management, change management, disaster recovery, and endpoint protection. For each control area, you should first think about:
- Who is the stakeholder?
- Who has to be involved?
- How much time will it take?
- Who can QA this work?
Importantly, your team needs to show that each policy has been established and, alongside it, evidence that the policy is actually in operation. After all the controls and requirements have been addressed and implemented, it’s time to perform a risk assessment.
Executing a Risk Assessment
Our compliance architects like to perform risk assessments for our customers as implementation wraps up. This is a good indicator of the risks you are ready to accept or those you want to treat prior to the internal audit.
What is an ISO 27001 risk assessment?
A risk assessment identifies, documents, and rates information security and privacy risk. For each of the findings, a remediation plan and timelines consistent with the risk ratings must be documented.
Your compliance team should define security objectives before jumping into the assessment. With those objectives in mind, you can identify risks that the controls established during implementation do not already address, and build a risk treatment plan for them. The risk assessment also helps mold and update the Statement of Applicability (SoA) which was discussed in the prior blog post. If you’re more familiar with SOC 2, the risk assessment for ISO 27001 looks similar.
ISO 27001 Risk Assessment Themes
When considering risks, look beyond the scope of your ISMS. Think about your hopes and dreams for the business, and what worries keep you up at night. This process should be a discussion with your management team, heads of departments, and your compliance team.
When “zooming out” to examine all types of risk vectors, consider what the scope of your ISMS will be in 5 years. What risk needs to be mitigated now to prepare for the future?
Stage-appropriate compliance is our bread-and-butter. We don’t think that you need to install a compliance program meant for enterprises when you have a 10-person startup. Your risk assessment should also reflect your stage and size.
ISO 27001 Internal Audit
Next up, management plans for the internal audit of its ISMS against ISO 27001.
This mini-audit requires an independent team to execute it. However, it is not a certification process and doesn’t need a certified ISO 27001 auditor to perform it.
This audit can be performed by a team at the company that was not involved in the implementation process. Many startups do not have a large pool of employees to choose from and decide to hire a team of consultants instead. If you are a Laika customer, our compliance architects can do the internal audit.
Scope the audit
First, go over the documents and policies that were established while setting up your ISMS. By identifying the boundaries of the audit within the scope of your ISMS, you can tackle the audit process like you would a project.
Perform fieldwork
Fieldwork is the meat of the audit. You’ll need to test the controls that have been implemented against their respective policies, and document the results. Review the ISMS documents and policies, and validate evidence as it is gathered.
Report to management
Finally, deliver a report to management after the fieldwork tests have been completed. This report should include the scope of the audit, a summary of the tests, and key findings.
Management will need to track remediation of the nonconformities found during the audit and determine whether updates to the ISMS are required.
After the internal audit is complete, it’s finally time to engage a certified auditor to perform the formal ISO 27001 audit! Stay tuned for our next post where we’ll cover the audit and certification process.