We would like to provide valuable tips for the implementation of ISO 27001 for all companies that are aiming for certification. The ISO 27001 standard describes the requirements of an information security management system (ISMS), which also includes having a person responsible for information security. This person is often called the information security officer or chief information security officer (CISO). The practical tips we have compiled are based on our experience with the 27001 certifications that SEC4YOU has had the privilege of supporting over the past few years. The tips are intended to help smaller companies in particular to achieve ISO 27001 certification as quickly and cost-effectively as possible.

#1 Secure support from the top

Beyond divine support, which is always important, secure the full support of your senior management. For 27001 certification, you also need a "project sponsor" to provide the necessary resources, back you up and remove potential hurdles.


Projects where management support is not fully in place become difficult to implement, and the resulting ISMS cannot generate the expected benefits. In some cases, we also found that the effectiveness of the ISMS was jeopardized as a result. Such projects are usually tedious and not much fun for anyone involved.

Who can become a project sponsor?

  • Only top management can become a project sponsor, as they are responsible for the ISMS. The CISO also reports regularly to top management.
  • However, the IT manager cannot become the sponsor, as the implementation of an ISMS is not an IT project. The ISMS affects the entire company, from the human resources department to purchasing, including risk management and other departments.

Tip: The company management bears the overall responsibility for the effectiveness of the ISMS and its continuous improvement. Therefore, management support is essential to motivate all departments to complete their tasks.

#2 Use appropriate ISO 27001 templates

There are many offers for ISMS templates on the market. There are some good packages, but also a lot of overly complex and elaborate templates. Most ISMS packages promise easy processing and implementation: just enter the company name, logo and responsible persons, done!

This is not so! Using ISMS templates does not spare you the necessary adaptation of the documents to your own company. All templates usually have to be adapted considerably, since the final ISMS documents have to fit the company and not vice versa. Templates also cannot replace intensive work on ISMS content. The point is not simply to have guidelines, but to apply suitable specifications in the company.

Application of templates in practice:

  • Templates have up to 7 roles in information security management; this is where smaller companies need to merge roles and simplify responsibilities.
  • Good templates can also give you valuable content for your own documents.
  • Templates are not a substitute for professional advice and in very few cases increase the competence of the InfoSec officer.

Tip: Do not trust the certification promise of templates! All templates require processing effort that should not be underestimated.

#3 Create few and compact ISMS documents


Especially for small companies, it is recommended to implement the guidelines and ISMS documents in a few documents that are as compact as possible. Often, template packages come with 40–50 individual documents, but they are all required and valid for certification. Do you know an employee who can remember such a complex structure?

  • Consider a simple document structure at the outset, preferably in the following hierarchy:
    1. Policies
    2. Procedural instructions/work instructions/processes
    3. Forms of evidence
  • Less is more! Try to work with few guidelines and not with a bundle of dozens of linked individual guidelines.
  • In the individual chapters of the guidelines, define the target groups that the regulations affect, e.g. for personnel security in Annex A of 27001: "Target group: Human resources department".

Tip: We recommend that smaller companies have a general InfoSec policy of around 40–50 pages for the target group IT department and other departments, as well as a user policy of around 8–10 pages directed at employees. The content of the user policy, along with other content, is communicated to all persons in the annual security awareness training sessions.

#4 Regulate responsibilities at an early stage!

Several departments are involved in the implementation of an ISMS. For a quick realization of a 27001 certification, these areas have to take over their responsibilities independently. Here are a few examples:

  • The purchasing department is to perform a supplier evaluation of the essential suppliers; for this purpose, it receives support from the CISO, of course, but the supplier survey and evaluation must be performed by the purchasing department.
  • Who keeps the participant lists for the necessary security awareness training courses? The HR department, of course! Just as for all other training measures for all employees, Human Resources is responsible for managing the training courses. HR also creates the KPI for participation levels and reports this metric to the CISO.
  • The security locks for the locked doors are not ordered by the CISO, but by the person responsible in Office Management or Facility Management.
  • In software development, of course, development management takes responsibility for ensuring that modern web applications are securely designed and developed. To this end, software development creates secure coding guidelines as well as secure coding principles and commissions penetration tests.

The CISO creates the necessary guidelines, but the implementation is the responsibility of the company departments such as IT, HR, Facilities, Procurement, etc.

Tip: The responsibility for individual measures always lies with the department that is named as the contact person for the auditor in the certification audit. It is therefore essential that implementation takes place in the departments. Involve the departments in the audit planning at an early stage and prepare the employees for the challenge!

#5 Start with an environment analysis, setting the scope, and then the security policy


Starting an ISMS implementation is often difficult because you have a big list of tasks in front of you. Here, we recommend the following initial steps, which lead naturally to the right next phases:

  • Perform an environment analysis and define the scope (how do you see the scope of information security?).
  • Define responsibilities: who will take on the role of the information security manager / CISO?
  • Create the security policy (see link for content).
  • From the security policy, all further documents arise, such as the risk management (content see link), the InfoSec guidelines (content see link) and the user policy (content see link).

Tip: The scope of an ISMS can cover the entire company, only the data center operation or, for example, a subarea such as software development. The decisive factor here is that the subarea can be delineated as an organizational unit. Individual products or IT services cannot be certified. For smaller companies, it is advisable to certify the entire company, whereas for larger companies it is perfectly conceivable to certify only the IT department.

#6 Take your time, but not too much…

An ISMS implementation with subsequent ISO 27001 certification requires a certain lead time and a functioning operation of the InfoSec processes. Only then can you meaningfully proceed with certification. Depending on the size of the company, this initial phase of implementation requires at least 3 months even for small companies, and 6 months or more for medium-sized companies.

Certification projects that are set up with too long a duration often do not have the necessary pressure in the first few months and do not get off the ground.

Tip: Start on time, but do not plan an ISMS implementation that takes more than 1 year, because experience shows that with long project durations, time is not used efficiently.

Tip: Select the audit service provider as early as possible and arrange an audit date as soon as possible. Good audit service providers and experienced auditors often have long lead times or even waiting lists.

#7 An internal or an external information security officer or CISO?

The start of an ISMS project requires the appointment of a CISO (= information security officer) for the operation and further development of the ISMS. It must be taken into account that the CISO must have resources (own time and cost budget) as well as professional competencies.

One possibility is to nominate a person already employed in the company who will undergo further training and take on the role of CISO/information security officer. Often, the internal person's skills are supported by external InfoSec consultants during the initial period.

If there is no internal person who can assume the role of CISO, then an external CISO can be appointed temporarily or permanently. "Rent-a-CISO" or "CISO-as-a-Service" offers are available from consulting companies, including SEC4YOU.


  • For smaller companies, the appointment of an external CISO is advisable, especially if there are no resources or know-how available internally.
  • The larger the company, the more likely a full-time internal CISO will take on this responsibility.
  • When appointed in regulated industries such as banking, insurance or financial services, there is a requirement for a CISO who is independent of IT and reports directly to senior management.
  • Assigning the CISO role to a person who also holds other functions in the company only makes sense if there is no conflict of interest. For example, an operational IT employee cannot simultaneously control his/her own work as CISO.

Tip: The CISO's job description includes the goal of achieving compliance with ISO 27001. He/she must ensure that the individual departments meet all requirements. This means that the CISO role has corresponding competencies and is a management task.

Tip: Do not place the CISO in the IT department; instead, depict the CISO in the org chart as a staff position in middle management, for example.

#8 Choosing the right ISMS tools

An ISMS tool requires intensive study and learning of the tool and is a major distraction from the real task at hand, which is understanding a management system and creating the necessary documents and processes. Most ISMS beginners get the impression that a tool will structure their work and relieve them of many tasks. Not at all! In the 5–10 days it takes to acquire, configure and learn a tool, they would have already created the majority of their policies. At a later stage, e.g. one or two years after certification, you should of course consider whether your tasks are so complex that an ISMS tool can help.

Arguments for a tool:

  • It helps meet complex requirements, for example:
    • supporting collaboration in large teams,
    • linking a variety of business processes and assets, and
    • generating automatic reports and querying/calculating KPIs.

Arguments against a tool:

  • the steep learning curve for the tool
  • the loss of focus on the essential building blocks of an ISMS
  • the additional costs for the tool, of course in consideration of the cost-benefit ratio

Tip: Especially in the first year, the most important ISMS tools are paper and pencil or their digital twins Word and Excel! An information security management system is not about a software system, but about the methodology of the information security management system.

#9 Have the courage to leave gaps!

Risk management often involves identifying a large number of threats that pose a high or very high risk to the company. However, certification does not require that all of these risks be addressed immediately, but rather that the risks be addressed in planned actions. Likewise, it is conceivable that certain risks will be accepted.

If a company does not meet individual points of the standard during certification, there is the possibility of a follow-up audit within a few months. It is then up to the auditor, depending on the severity of the non-conformity, whether to recommend temporary 27001 certification. The certificate is not issued by the auditor himself, but by the certification body on the recommendation of the auditor.

Tip: There are several options when dealing with risks: risk acceptance (smaller risks can be accepted), risk mitigation (e.g. through further measures), risk avoidance (e.g. banning cameras, BYOD or USB sticks) and risk transfer (usually through insurance).

#10 What is important to the 27001 auditor?

During certification, it is particularly important to the auditor whether the management system is actually established and is accepted and understood by the acting persons. This also means that it is not the external consultant who provides the answers during certification, but the InfoSec manager(s) as well as the departments themselves, who feel responsible and act accordingly.


In addition, it is imperative that there is consistent tracking of measures and that a downstream review of the effectiveness of the implemented measures is understood and carried out.

The focus must be on the systematic nature of the management system and not on individual technical details. The systematic approach also includes regular reporting and the determination of effectiveness by top management. The auditors also attach particular importance to the visible support of top management.

Tip: Train top management early on about their strategic InfoSec responsibility and have top management accurately represent this essential responsibility during the audit.

Tip: The transparent presentation of the ACTUAL state is very important during the audit. You will quickly lose the auditor's trust if you try to deceive him.

#11 The right choice of 27001 audit service providers and consultants

The audit service provider, also called the certification body, is responsible for issuing the ISO 27001 certificate. The audit service provider usually proposes an auditor, who can be accepted by the customer or rejected under certain circumstances.

In the run-up to the audit, an audit service provider or auditor should be selected who:

  • has experience with the respective industry;
  • fits the size of the company;
  • takes into account the culture of the country and the company;
  • has the necessary reputation, as you will usually also want to advertise with the certificate.

The cost of certification depends on the sites to be audited, the scope, the size of the company and other criteria, and starts at a few thousand euros per year for small companies. The larger portion of the cost should be planned for external consulting fees. Here, depending on the experience of the CISO and the involvement of the company, calculate with at least 10–20 person-days.

Tip: In addition to the costs of the audit service provider, calculate the external consulting costs and also the number of person-days of the internal employees for the ISMS implementation.

Tip: Arrange an (online) meeting with the proposed auditor to find out whether the chemistry is right.

Do you have any questions?

We are happy to help with any questions you may have about implementing a certified ISMS.
