How to implement ISO/IEC 27001 in an Organization

This post summarizes the steps to implement ISO/IEC 27001 in an organization. It pretends to be a high-level overview of the whole process and provide a holistic view.

If you need further details on this, you may do some research on each sub-phase, refer to the original ISO/IEC 27000 family documentation (specifically ISO/IEC 27001, 27002 and 27004) or find more details on preparation material for ISO/IEC 27001 implementer certifications.

Introduction to ISO/IEC 27001 and its implementation

ISO/IEC 27001 is an international standard on how to manage IT security. Organizations can opt to implement it, and then external auditors can assess that it meets the certification standards and certify it for third parties.

This certification describes all the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).

The definition of ISO/IEC 27001 has been updated during the time. The latest version as of 2023 is ISO/IEC 27001:2022.

You can get a paid copy of this document from the following links:

• ISO/IEC 27001:2022
• ISO/IEC 27001:2013

You can find a list of 27001:2013 annex A controls on this external link.

ISO/IEC 27001You can get a copy of this document from this link. Charges apply.

ISO/IEC 27001 certification implementation is a continuous process, as you need to monitor the implementation once is finished and you may expand the certification scope. In any case, if we isolate an iteration, the implementation process consummates when an organization passes the external audit.

The ISO/IEC 27001 implementation process consists on proceeding with all the necessary steps to fulfill the requirements that are described on document ISO/IEC 27001. This standard does not describe the way to meet this requirement, and we need to refer to a different standard to get a guideline on how to implement it. This document is ISO/IEC 27002.

While performing each implementation step, you must take into account that we are doing it to meet one or more requirements of ISO/IEC 27001. This post tries to mirror each step with the corresponding ISO/IEC 27001.

Steps to implement ISO/IEC 27001 in an organization

These steps are based on ISO/IEC 27003, though some descriptions have been changed.

There are four major phases in ISO/IEC 27001 implementation:

1. Define
2. Implement
3. Monitor
4. Maintain

Each phase has a sub-phase that is described in further detail:

1. Define
   1. Initiate ISMS implementation
   2. Perform an analysis of organization
   3. Define ISMS scope
   4. Plan ISMS and get project approval
   5. Analyze organizational structure
   6. Analyze existing system
   7. Complete the security policy
   8. Perform a risk analysis
   9. Create the Statement of Applicability (SoA)
2. Implement
   1. Ensure documentation management
3. Monitor
4. Maintain

1.1. Initiate ISMS implementation

Select the ISMS implementation approach (among the availables) and align with best practices from a reliable source, like ISO, ANSI, ITIL, PMI or any other.

1.2. Perform an analysis of organization

The activities on this sub-phase are about understanding the organization, determine the ISMS objectives, the business requirements and preliminary scope, analyze internal and external environment, processes and interested parties.

1.3. Define ISMS scope

The activities on this sub-phase are about determining the ISMS boundaries and scope.

An output of this sub-phase is the Scope Statement document.

This step meets: ISO/IEC 27001, clause 4.3

1.4. Plan ISMS and get project approval

The activities on this sub-phase are:

1. Create a business case
2. Determine ISMS resource requirements
3. Create the ISMS project plan
4. Create the ISMS project team
5. Get top management approval for the ISMS project

This step meets: ISO/IEC 27001, clause 5.1

1.5. Analyze organizational structure

The activities on this sub-phase are:

1. Define the organizational structure
2. Appoint an IS coordinator
3. Assign roles and responsibilities of interested parties
4. Assign roles and responsibilities of committees

1.6. Analyze existing system

The activities on this sub-phase are:

1. Determine current state
2. Conduct gap analysis
3. Establish maturity targets
4. Issue gap analysis report

1.7. Complete the security policy

The activities on this sub-phase are:

1. Create policy templates
2. Draft the IS policy
3. Draft specific policies
4. Get management approval on policies

1.8. Perform risk analysis

Neither ISO/IEC 27005 nor 31000 are required for ISO/IEC 27001.

ISO/IEC 27005 is an adaptation to information security of ISO 31000 and provides guidelines on IS risk management. Nevertheless, it does not provide an specific IS risk management method.

The activities on this sub-phase (based on ISO/IEC 27005) are:

1. Risk assessment
2. Risk treatment
3. Risk aceptance
4. Communication and/or consultation
5. Report
6. Monitor

1.9. Create the Statement of Applicability (SoA)

A statement of applicability (SoA) is a document that link the risk management with the ISMS objectives.

The completion and approval closes the definition phase.

Another approach

1. Specify scope
2. Perform gap analysis
3. Create ISMS training plan
4. Create asset type catalog
5. Create thread catalog
6. Create measure catalog
7. Map threads with asset types
8. Map threads with measures
9. Identify asset
10. Identify threads affecting assets
11. Quantify risk on asset vs thread
12. Quantify mitigation of risk on asset vs thread
13. Create ISMS manual
14. Create Statement of Applicability (SoA)
15. Create action plan
16. Apply action plan

Audit Process

When audit is done, auditors can report findings.

There are 4 types of findings:

1. Major nonconformity: it must be solved in 90 days after the end of the audit.
2. Minor nonconformity: the action plan must be reported in 90 days after the end of the audit, and it must be solved for the next review.
3. Observation: it must be solved for the next review.
4. Opportunity for improvement: non-mandatory recommendation.

Frameworks related to ISO 27000 family

ISO 22301 “Security and resilience – Business continuity management systems – Requirements” is focused on business continuity rather than information security (as ISO 27000 family).

National Adaptations of ISO/IEC 27001

ISO/IEC standards may be issued by national organisms.

In addition to this, ISO/IEC 27001 may be adapted to national regulations.

For example, in the case of Spain, the UNE (Spanish Association of Normalization), a private organization that depends on Ministry of Economy of  Spain, adapted ISO/IEC 27001:2013 + Cor 1:2014 + Cor 2:2015 into UNE-EN ISO/IEC 27001:2017.

It may take some years for a standard to be adapted from the international standard to the national one.

ISO/IEC 27001 vs other IT Security Frameworks

ISO/IEC 27001 vs COBIT 5

You can read an article by ISACA about compatibilities between ISO/IEC 27001 and ISACA’s COBIT 5 on this external link.

You might also be interested in…

• ISO/IEC 27001 Lead Implementer Certifications
• How to get PECB ISO/IEC 27001 Lead Implementer Certification
• ISO/IEC 27000-series

External references

• “ISO/IEC 27005:2018“; ISO.org