How to implement ISO 27001 Walkthrough - Part 1

00:02

so let's look at we'll do a couple of

00:04

the sections uh

00:05

today i won't overload you with it but

00:08

then we can come back

00:10

so the first clause that we're going to

00:11

look at here is the context of

00:13

organization

00:14

so this basically just says what i've

00:16

just said which is

00:17

we need to unders understand

00:20

our own context there are things that we

00:22

need to be able to to to be able to

00:24

articulate about ourselves

00:27

and again it's an easy win for a client

00:29

right the ability to write down who who

00:31

are you

00:32

you know what do you do

00:34

what are your objectives what are your

00:36

goals as i say what's your culture

00:40

here it wants us to look at in what it's

00:42

calling internal and external issues

00:46

internal and external issues are almost

00:48

like risks really

00:50

and i'm going to show you how we do this

00:53

later not today today we're just

00:55

touching on what it wants to see

00:56

so what it wants to see is that we've

00:58

looked at our information security

01:00

management system we've looked at our

01:01

organization and we've said yes these

01:03

external things

01:05

may have an impact on our ability to

01:07

deliver information security

01:09

so external things could be legislation

01:13

changes in brexit changes in

01:15

gdpr

01:17

external things could be relationships

01:19

with stakeholders

01:21

you know have you got a funding board

01:22

that sits over the top of it non-exec

01:24

directors

01:26

it could be

01:27

uh physical and environmental something

01:30

in the environment that's around you so

01:32

it's just saying look have you had a

01:33

look looked at your organization in the

01:35

in the wider hall and then adapted your

01:37

information security management system

01:39

to address some of that

01:41

and the first way that we would do that

01:42

is to identify that in a document and

01:45

then apply that to a risk register and

01:47

then manage that through risk

01:49

potentially but we'll touch on that

01:50

another day

01:52

internal issues are things normally

01:53

again

01:54

we are going to show in our

01:55

implementation

01:57

internal issues even if they're not an

01:58

issue

01:59

and the reason we're going to do that is

02:00

because we're going to show that we

02:02

considered them

02:03

so what an auditor likes to do right

02:05

auditors again

02:06

right let's come back to that

02:09

so auditors like they like to find

02:12

things

02:13

right sometimes we leave them things to

02:16

find otherwise they get sad and upset

02:18

and they think oh my god like i'm adding

02:20

no value here

02:22

sometimes the things that they pick up

02:24

on will be pedantic as hell because they

02:25

can't find out on anything big

02:28

but things like internal and external

02:30

issues if i put in their internal issue

02:33

potentially we don't have the right

02:35

resources to run an information security

02:36

management system but we have taken on

02:39

board a third party is it on the risk

02:42

register no then we've assessed it if

02:44

you don't do it they'll just ask you

02:46

they'll just say okay so when you were

02:48

looking at your organization did you did

02:49

you did you consider brexit did you

02:51

consider gdpr did you consider internal

02:54

resources you're like yes we considered

02:56

it and we wrote it down for you fella

02:57

look

02:58

it's there and ah damn on to the next

03:01

one

03:02

this is like second-guessing

03:04

what it is that they're looking to pick

03:06

up on and again providing them

03:07

information in a way that's going to

03:09

smooth and ease that process through

03:11

okay

03:13

clearly it does add some value right i

03:14

mean it is going to add some value but

03:15

that's a big part of what is a big part

03:17

of what we're trying to do

03:19

let's go back to that

03:25

understanding the needs and expectations

03:27

of interested parties

03:29

so again we're starting to look at

03:31

things like our stakeholders our

03:33

stakeholder analysis and what they want

03:35

to see

03:36

we've got information on that and an

03:38

approach to that

03:40

we're going to define the scope of our

03:42

information security management system

03:46

and we're going to implement this

03:47

process of continual improvement right

03:50

scope

03:52

getting scope right is absolutely key

03:56

all right so

03:57

as we've discussed discussed many times

04:00

there are

04:01

smart ass

04:04

professionals within our community who

04:06

say 27001 isn't worth the paper it's

04:08

written on because you could just say

04:10

that this broom cupboard over here is 27

04:12

01 and therefore how does that make you

04:14

any more secure and then you go

04:16

technically you are correct you are

04:18

technically correct but the question

04:20

that you always ask anybody is are you

04:21

27 0001 and can i have a copy of your

04:24

scope statement

04:25

because what i want to know is what is

04:27

it that you certified and then actually

04:29

you ask them for a copy of their

04:30

statement of applicability as well

04:31

because you want to know the controls

04:32

they've applied but those two the scope

04:35

statement documents are key

04:37

so when we're working with when we're

04:39

working with our client we're going to

04:40

say we're going to document and we we

04:42

need to document the scope there's a

04:43

structure and a template for that we're

04:45

going to try and restrict the scope to

04:47

the minimum requirement

04:49

that the organization has in the first

04:51

pass especially if this is the first

04:53

pass

04:54

ah we want the company to be 27 0001

04:57

okay nice aspiration so you want to go

04:59

through the full rigor of all of this

05:02

in relation to like your crm

05:05

marketing databases finance databases

05:07

things nobody's bothered about really

05:09

you want to go through all of that rigor

05:12

not a problem let's push it out by two

05:14

years because you're big you've got too

05:16

many things now in play

05:18

how do we define scope the way that we

05:20

define scope or the first step to

05:22

defining scope is

05:25

what is your client asking you for

05:28

right

05:29

because we're only going to do whatever

05:31

it is we're being asked for if client

05:33

says to me you build widgets

05:36

all right are you 27 0001 and you go oh

05:39

yeah i'm on 271 for booking holidays it

05:41

goes but i don't book holidays with you

05:43

i buy widgets right yeah

05:46

so we are going to do the scope around

05:48

widgets that's what we are going to

05:50

define our scope for that's what we're

05:52

going to go forward for certification

05:53

for because it meets the requirement of

05:55

the end customer

05:57

if our customer doesn't our customer

05:59

doesn't know the answer to that

06:02

then we will have a process that says

06:04

what are the products and services that

06:05

we deliver

06:07

on which one of these is the one we sell

06:10

the most of that we want to put that

06:12

band and that badge on

06:14

so there is a process we can go through

06:15

to help through to help them but it

06:18

should become self-evident they'd be

06:19

like whatever it is that they deliver to

06:21

client that's the only thing that that

06:23

client

06:24

is interested in is what i am buying

06:26

from you to secure the supply chain is

06:29

that twenty seven thousand and one so

06:31

that helps your client to define what it

06:32

is that is their scope

06:35

so we've got templates that look at

06:36

scope and then in the context of

06:38

organization it's looking at continual

06:40

improvement

06:42

now again we've got a structure we

06:43

touched on that on the last session

06:45

where we talked about on the left-hand

06:47

side policies procedures applied to

06:49

staff staff our staff having incidents

06:51

incidents lead to continuing improvement

06:53

internal audits they need to get an

06:55

external audit they lead to continual

06:56

improvement

06:58

etc

06:59

that we

07:00

report that back to the management

07:01

review meeting management review meeting

07:03

makes a decision maybe adds it to a risk

07:05

register etc so i'm not teaching you

07:07

continuing improvement right now but i'm

07:09

saying that this standard wants it it

07:11

calls it out specifically and that we

07:12

have that built into it

07:15

let's go back to that

07:20

the next section is

07:21

uh

07:22

is leadership

07:24

so i'm flipping i'm flipping in and out

07:26

because it's better to look at me then

07:27

look at a spreadsheet you can read the

07:28

spreadsheet later

07:30

so

07:31

the iso standards

07:33

again they're about that management

07:35

buy-in and this is a good i think it's a

07:37

good thing you know many good things i

07:38

like about 27001 from risk management

07:41

but also that demonstration of

07:43

leadership and leadership buying you

07:45

know it wants to see that it's baked

07:47

into the objectives of the organization

07:50

that the uh that it's well communicated

07:53

that there is buy in at that senior

07:55

level there's a whole heap of things

07:57

that we're going to do in our isms to

07:59

help to drive and evidence that

08:01

things that we're going to have in terms

08:02

of you know contracts of employment that

08:04

say certain things

08:06

the way that we've recorded what

08:08

resources are allocated to demonstrate

08:10

that we take it seriously we've

08:11

allocated resources to it and we can

08:13

show that

08:15

we're going to have things like a

08:16

communication plan that shows when we're

08:18

going to discuss things and when and

08:19

when we did discuss it

08:22

in our information security policy we've

08:24

got a chief exec statement

08:26

now i always say i provide a templated

08:28

version of that i always do say try and

08:30

change it to make it your own words

08:32

because i think i've been on 15 audits

08:34

where every ceo says exactly the same

08:36

thing

08:41

that's fine maybe they're all aligned in

08:42

the zeitgeist right they're like looking

08:44

at their heads

08:48

so but we're going to show that

08:49

demonstration right we're going to show

08:50

that we've got that leadership

08:51

commitment so there's a whole

08:53

section here

08:55

uh that looks at leadership and again

08:57

that's that's mapped to the document so

08:58

i don't need to worry about that until

09:00

we get into each document

09:04

so i'm showing you in here

09:06

policies we're going to have a a suite

09:09

of policy

09:11

policies statements of what we do not

09:13

how we do it how we do it is covering

09:15

procedures

09:16

we logically separate

09:18

uh what we do from how we do it that

09:21

enables us to be able to share what we

09:23

do externally because it won't have gdpr

09:25

confidential data in it it's not going

09:27

to have mobile phone numbers and you

09:28

know in disaster recovery policies

09:31

they're going to be deep within the

09:32

plans

09:33

so we're going to logically separate

09:35

that out we're going to have a pack of

09:37

policies that for a small organization

09:39

can sometimes seem as overkill

09:42

but the reason that we've got it we've

09:43

got a clear desk policy a software

09:45

policy a physical security policy a

09:47

change management policy some of them

09:49

are only one or two pages long

09:52

yes it can seem as overkill but the

09:54

reason we've done it again

09:56

as you grow you can allocate a policy to

09:58

a person or a department so not

10:00

everybody's updating one massive

10:02

document and we want to do that we want

10:05

to allocate policies and documents to

10:07

owners for accountability purposes

10:10

it also allows us to satisfy

10:12

questionnaires if you've ever been

10:13

involved in them they will call these

10:15

documents out by name do you have a

10:17

change management policy do you have a

10:19

clear desk policy so rather than sending

10:21

them a 50 page one document

10:24

you know we send them what they've asked

10:25

for yeah change bank gone

10:27

so we are going to have a we are going

10:29

to have a process sorry we're going to

10:31

have a series of policies that explain

10:32

to the business what they do

10:35

we've got a process at the back of that

10:36

about communicating that

10:39

we can't expect people to operate in a

10:42

way unless we tell them the way that we

10:44

expect them to operate and that's one of

10:46

the things that policies does it says

10:48

this is what we expect of you

10:50

outside of my gift of my remit and above

10:53

my pay grade there's a whole

10:54

conversation about hr's ability to

10:56

discipline

10:57

um if you haven't explained to somebody

10:59

what it is that you expect them to do so

11:01

if you have a data breach and you say oh

11:03

you emailed everything out to all the

11:05

customer

11:06

an employee he says well you never told

11:08

me not to

11:09

what are you going to do how are you

11:11

going to how are you going to discipline

11:12

them they're just going to go okay

11:15

now we'll tell you now now we'll get

11:16

some policies in place

11:18

yeah so there's a whole hr reason for

11:20

policy as well that sits at the back

11:24

then we've got a piece around

11:25

organization

11:27

roles and responsibilities and again

11:30

we're going to document some of what

11:32

those roles and responsibilities are

11:34

okay

11:38

so in terms of today with 10 minutes

11:40

left i'm going to call it there you'll

11:42

have to remind me next week how far we

11:43

got because i will forget

11:45

and we're up to planning so we've just

11:47

done we've just finished off on the on

11:49

the leadership side of it

11:50

and i'll just carry on walking through

11:52

what the expectation of the standard is

11:54

so you can get a feel for it you'll have

11:56

the document that's mapped so you can

11:58

always go back to it and then when we

12:00

get to the next stage it's tend to go

12:01

through each document and say right

12:03

we've now got this document called the

12:04

risk register how does it work but you

12:07

understand the context of why we've got

12:09

it because you'll see here in the in the

12:11

standard that it's asked for it