How to implement ISO 27001 Walkthrough - Part 1
Summary
TLDR: The video script focuses on the implementation of an Information Security Management System (ISMS) as per ISO 27001 standards. It emphasizes understanding the organization's context, including internal and external issues that may impact information security. The speaker outlines the importance of documenting and managing these factors through a risk register. The script also highlights the need for leadership commitment and communication, as well as defining the scope of the ISMS to meet client expectations and ensure continual improvement. It touches on the creation of policies and procedures to guide staff behavior and the allocation of resources to demonstrate the organization's seriousness about information security.
Takeaways
- 📝 The script discusses the importance of understanding the organization's context, including internal and external issues that could impact information security management.
- 🔍 It emphasizes the need to identify and articulate the organization's objectives, goals, and culture as part of the information security management system.
- 🏢 The speaker mentions that external factors such as legislation changes, Brexit, and GDPR, as well as relationships with stakeholders, should be considered in the security management system.
- 📋 The process of documenting internal and external issues is suggested, starting with identifying them in a document and applying them to a risk register for management.
- 🕵️‍♂️ Auditors are highlighted as a driving force for documenting and addressing issues, as they seek to find and resolve potential problems within the system.
- 🤝 Understanding the needs and expectations of interested parties, such as stakeholders, is crucial for defining the scope of the information security management system.
- 📉 The scope of the system should be defined based on what the client is asking for, and it's important to document this scope to meet the requirements of the end customer.
- 🔑 Leadership is a key component of the ISO standards, with a focus on management buy-in and demonstrating commitment to information security objectives.
- 🗣️ Communication plans and policies are essential to ensure that all stakeholders understand their roles and responsibilities within the information security management system.
- 📚 The script mentions the creation of a suite of policies that logically separates what the organization does from how it does it, allowing for transparency and accountability.
- 🔄 Continual improvement is a specific requirement of the standard, and the script outlines a process involving internal audits, management reviews, and risk management to achieve this.
Q & A
What is the main purpose of understanding the context of an organization in the context of information security?
-The main purpose is to identify and articulate the organization's internal and external issues that may impact its ability to deliver information security. This includes understanding the organization's culture, objectives, goals, and adapting the information security management system to address potential risks.
What are the external factors that an organization should consider when assessing its information security management system?
-External factors include legislation changes such as Brexit or GDPR, relationships with stakeholders, and physical and environmental factors in the surrounding environment. These factors may affect the organization's ability to maintain information security.
How does an organization typically document and manage the internal and external issues identified in its information security management system?
-The organization should identify these issues in a document and apply them to a risk register. The issues are then managed through a risk management process, potentially in conjunction with other risk management activities.
What is the importance of having a clear understanding of the needs and expectations of interested parties in an organization's information security management?
-Understanding the needs and expectations of stakeholders is crucial for defining the scope of the information security management system, ensuring that it meets the requirements of those parties and facilitates a process of continual improvement.
Why is defining the scope of an information security management system so important?
-Defining the scope is key because it helps to ensure that the system is tailored to the specific needs and objectives of the organization. It also helps to manage the certification process effectively and to demonstrate compliance to stakeholders.
What is the significance of leadership in the context of ISO 27001 and information security management?
-Leadership is significant because it drives management buy-in and ensures that information security is integrated into the organization's objectives. It also demonstrates commitment at the senior level, which is essential for the successful implementation and maintenance of the information security management system.
How does an organization demonstrate leadership commitment to information security?
-An organization can demonstrate leadership commitment through various means, such as including information security in the objectives of the organization, ensuring it is well communicated, and showing buy-in at the senior level. This can be evidenced through policies, procedures, and resource allocation.
What is the role of policies in an information security management system?
-Policies play a crucial role in defining what the organization expects in terms of information security behavior and practices. They provide a clear framework for staff to operate within and help to communicate the organization's stance on information security.
Why is it important to logically separate policies from procedures in an information security management system?
-Logically separating policies from procedures allows the organization to share its high-level objectives and commitments externally without revealing sensitive details or confidential data. It also simplifies the process of updating and maintaining these documents.
How does an organization ensure that its information security management system is continually improving?
-An organization ensures continual improvement through processes such as internal audits, management reviews, and feedback mechanisms. These processes help identify areas for improvement and drive changes that enhance the effectiveness of the information security management system.
Outlines
📚 Understanding Organizational Context and Information Security Management
The first paragraph focuses on the importance of understanding an organization's context in relation to information security management. It emphasizes the need to articulate the organization's identity, objectives, goals, and culture. The speaker discusses the necessity of considering both internal and external issues that could impact information security, such as legislation changes, relationships with stakeholders, and physical environmental factors. The paragraph introduces the concept of documenting these considerations in a risk register and managing them through risk assessment. It also touches on the role of auditors and the importance of providing them with clear documentation to ensure a smooth audit process.
🎯 Defining the Scope and Continual Improvement in Information Security Management
The second paragraph delves into defining the scope of an information security management system (ISMS) and the concept of continual improvement. It stresses the importance of aligning the scope with client requirements and the organization's most significant products and services. The speaker mentions the use of templates for documenting scope and the significance of the scope statement and statement of applicability in certification processes. The paragraph also highlights the structure for continual improvement, including policies, procedures, staff training, incident management, internal audits, external audits, and management review meetings, all aimed at enhancing the ISMS over time.
👥 Leadership and Policy Development in Information Security
The third paragraph discusses the role of leadership in information security, emphasizing the need for management buy-in and communication of the organization's commitment to information security. It covers the development of policies and procedures that clearly define what the organization does and how it does it, allowing for transparency and accountability. The speaker mentions the creation of policy suites that cover various aspects of information security, such as clear desk policies, software policies, and physical security policies. The paragraph also touches on the importance of documenting roles and responsibilities and the rationale behind having distinct policies for different aspects of the organization's operations.
Keywords
💡Information Security Management System (ISMS)
💡Context of Organization
💡Risk Management
💡Stakeholders
💡Scope
💡Continual Improvement
💡Leadership
💡Policies and Procedures
💡Internal Audits
💡Management Review
💡ISO 27001
Highlights
Understanding the organization's context is crucial for articulating information about the company, its objectives, and culture.
Identifying internal and external issues is akin to managing risks, which can impact information security.
External factors such as legislation changes and stakeholder relationships can influence information security management.
Internal issues might include resource allocation for running an information security management system.
Auditors seek evidence of consideration for both internal and external issues within an organization.
Documenting and managing risks through a risk register is a recommended practice.
Understanding the needs and expectations of stakeholders is essential for effective information security management.
Defining the scope of an information security management system is critical and should align with customer requirements.
ISO 27001 certification involves documenting the scope and controls applied, which is important for security and compliance.
Leadership and management buy-in are vital for the success of an information security management system.
Demonstrating leadership commitment through policies, procedures, and communication plans is necessary.
Policies should be clearly communicated and separated from procedures to ensure understanding and accountability.
Roles and responsibilities within an organization should be well-documented for clarity and accountability.
A communication plan is essential for discussing and disseminating information about information security.
A clear information security policy is important and should include a statement from the chief executive.
The process of continual improvement is a key component of the ISO 27001 standard.
Transcripts
So let's look at... we'll do a couple of the sections today. I won't overload you with it, but then we can come back. So the first clause that we're going to look at here is the context of organization. So this basically just says what I've just said, which is: we need to understand our own context. There are things that we need to be able to articulate about ourselves, and again it's an easy win for a client, right? The ability to write down who are you, you know, what do you do, what are your objectives, what are your goals, as I say, what's your culture.

Here it wants us to look at what it's calling internal and external issues. Internal and external issues are almost like risks really, and I'm going to show you how we do this later, not today. Today we're just touching on what it wants to see.

So what it wants to see is that we've looked at our information security management system, we've looked at our organization and we've said yes, these external things may have an impact on our ability to deliver information security.

So external things could be legislation changes in Brexit, changes in GDPR. External things could be relationships with stakeholders, you know, have you got a funding board that sits over the top of it, non-exec directors. It could be physical and environmental, something in the environment that's around you. So it's just saying look, have you looked at your organization in the wider whole and then adapted your information security management system to address some of that?

And the first way that we would do that is to identify that in a document and then apply that to a risk register and then manage that through risk potentially, but we'll touch on that another day.

Internal issues are things normally, again, we are going to show in our implementation internal issues even if they're not an issue, and the reason we're going to do that is because we're going to show that we considered them.

So what an auditor likes to do, right, auditors again, right, let's come back to that. So auditors, they like to find things, right? Sometimes we leave them things to find, otherwise they get sad and upset and they think oh my god, like I'm adding no value here. Sometimes the things that they pick up on will be pedantic as hell because they can't find anything big.

But things like internal and external issues: if I put in there an internal issue, potentially we don't have the right resources to run an information security management system but we have taken on board a third party. Is it on the risk register? No, then we've assessed it. If you don't do it they'll just ask you. They'll just say okay, so when you were looking at your organization did you consider Brexit, did you consider GDPR, did you consider internal resources? You're like yes, we considered it and we wrote it down for you, fella, look, it's there. And ah, damn, on to the next one.

This is like second-guessing what it is that they're looking to pick up on and again providing them information in a way that's going to smooth and ease that process through, okay? Clearly it does add some value, right, I mean it is going to add some value, but that's a big part of what we're trying to do.

Let's go back to that: understanding the needs and expectations of interested parties. So again we're starting to look at things like our stakeholders, our stakeholder analysis and what they want to see. We've got information on that and an approach to that. We're going to define the scope of our information security management system and we're going to implement this process of continual improvement, right?

Scope. Getting scope right is absolutely key, all right? So as we've discussed many times, there are smart ass professionals within our community who say 27001 isn't worth the paper it's written on, because you could just say that this broom cupboard over here is 27001, and therefore how does that make you any more secure? And then you go, technically you are correct. You are technically correct, but the question that you always ask anybody is: are you 27001, and can I have a copy of your scope statement? Because what I want to know is what is it that you certified. And then actually you ask them for a copy of their statement of applicability as well, because you want to know the controls they've applied. But those two, the scope statement documents, are key.

So when we're working with our client we're going to say we're going to document, and we need to document, the scope. There's a structure and a template for that. We're going to try and restrict the scope to the minimum requirement that the organization has in the first pass, especially if this is the first pass. Ah, we want the company to be 27001. Okay, nice aspiration, so you want to go through the full rigor of all of this in relation to, like, your CRM, marketing databases, finance databases, things nobody's bothered about really? You want to go through all of that rigor, not a problem, let's push it out by two years because you're big, you've got too many things now in play.

How do we define scope? The way that we define scope, or the first step to defining scope, is: what is your client asking you for, right? Because we're only going to do whatever it is we're being asked for. If the client says to me, you build widgets, all right, are you 27001, and you go oh yeah, I'm 27001 for booking holidays, it goes but I don't book holidays with you, I buy widgets, right, yeah. So we are going to do the scope around widgets. That's what we are going to define our scope for, that's what we're going to go forward for certification for, because it meets the requirement of the end customer.

If our customer doesn't know the answer to that, then we will have a process that says what are the products and services that we deliver, and which one of these is the one we sell the most of, that we want to put that band and that badge on. So there is a process we can go through to help them, but it should become self-evident. They'd be like, whatever it is that they deliver to the client, that's the only thing that that client is interested in: is what I am buying from you, to secure the supply chain, is that 27001? So that helps your client to define what it is that is their scope.

So we've got templates that look at scope, and then in the context of organization it's looking at continual improvement. Now again we've got a structure, we touched on that on the last session, where we talked about on the left-hand side policies, procedures applied to staff, our staff having incidents, incidents lead to continuing improvement, internal audits, they need to get an external audit, they lead to continual improvement, etc. We report that back to the management review meeting, management review meeting makes a decision, maybe adds it to a risk register, etc. So I'm not teaching you continuing improvement right now, but I'm saying that this standard wants it, it calls it out specifically, and that we have that built into it.

Let's go back to that. The next section is leadership. So I'm flipping in and out because it's better to look at me than look at a spreadsheet; you can read the spreadsheet later.

So the ISO standards, again they're about that management buy-in, and this is a good, I think it's a good thing. You know, many good things I like about 27001, from risk management but also that demonstration of leadership, and leadership buy-in. You know, it wants to see that it's baked into the objectives of the organization, that it's well communicated, that there is buy-in at that senior level. There's a whole heap of things that we're going to do in our ISMS to help to drive and evidence that: things that we're going to have in terms of, you know, contracts of employment that say certain things; the way that we've recorded what resources are allocated, to demonstrate that we take it seriously, we've allocated resources to it and we can show that; we're going to have things like a communication plan that shows when we're going to discuss things and when we did discuss it; in our information security policy we've got a chief exec statement.

Now I always say I provide a templated version of that. I always do say try and change it to make it your own words, because I think I've been on 15 audits where every CEO says exactly the same thing. That's fine, maybe they're all aligned in the zeitgeist, right, they're like looking at their heads.

So, but we're going to show that demonstration, right? We're going to show that we've got that leadership commitment. So there's a whole section here that looks at leadership, and again that's mapped to the document, so I don't need to worry about that until we get into each document.

So I'm showing you in here: policies. We're going to have a suite of policies, statements of what we do, not how we do it. How we do it is covered in procedures. We logically separate what we do from how we do it. That enables us to be able to share what we do externally, because it won't have GDPR confidential data in it, it's not going to have mobile phone numbers, and you know in disaster recovery policies they're going to be deep within the plans.

So we're going to logically separate that out. We're going to have a pack of policies that for a small organization can sometimes seem like overkill, but the reason that we've got it: we've got a clear desk policy, a software policy, a physical security policy, a change management policy. Some of them are only one or two pages long. Yes, it can seem like overkill, but the reason we've done it, again, is as you grow you can allocate a policy to a person or a department, so not everybody's updating one massive document. And we want to do that; we want to allocate policies and documents to owners for accountability purposes.

It also allows us to satisfy questionnaires. If you've ever been involved in them, they will call these documents out by name: do you have a change management policy, do you have a clear desk policy? So rather than sending them a 50-page one document, you know, we send them what they've asked for. Yeah, change, bang, gone.

So we are going to have a process, sorry, we're going to have a series of policies that explain to the business what they do. We've got a process at the back of that about communicating that. We can't expect people to operate in a way unless we tell them the way that we expect them to operate, and that's one of the things that policies do: it says this is what we expect of you.

Outside of my gift, of my remit, and above my pay grade, there's a whole conversation about HR's ability to discipline if you haven't explained to somebody what it is that you expect them to do. So if you have a data breach and you say oh, you emailed everything out to all the customers, and the employee says well, you never told me not to, what are you going to do, how are you going to discipline them? They're just going to go okay, now we'll tell you, now we'll get some policies in place. Yeah, so there's a whole HR reason for policy as well that sits at the back.

Then we've got a piece around organization, roles and responsibilities, and again we're going to document some of what those roles and responsibilities are, okay?

So in terms of today, with 10 minutes left I'm going to call it there. You'll have to remind me next week how far we got because I will forget, and we're up to planning, so we've just finished off on the leadership side of it. And I'll just carry on walking through what the expectation of the standard is so you can get a feel for it. You'll have the document that's mapped, so you can always go back to it, and then when we get to the next stage it's then to go through each document and say right, we've now got this document called the risk register, how does it work? But you understand the context of why we've got it, because you'll see here in the standard that it's asked for it.