What work do I need to get done for ISO 27001?
We always recommend organisations purchase the ISO 27001:2013 standard so they are able to determine what is expected. The work to get done from that standard includes describing and demonstrating your approach to the following:
- Evidencing the ISO 27001:2013 management system requirements
- Evidencing controls applied or not applicable from the Annex A control objectives (where there is a lot of synergy with regulations like GDPR)
It might seem overwhelming at first glance, and there is a lot to cover if you start from a blank canvas. But once understood, it is logical and ‘common sense’, especially if you follow a business-led approach to ISO 27001:2013 with commitment from leadership. There are many ways to fast-track success, such as with ISMS.online.
As with most standards, you need to describe what you do to meet it, then demonstrate that it is happening in practice by showing your workings when required, e.g. during audits and reviews with stakeholders.
Covering the management requirements well means all the investment in the relevant Annex A controls will then go towards securely doing business the way you want it to be done, and powerful stakeholders can take confidence from it too. It requires a business-led approach to embed into your cultural norms, so please do not let the information security tail wag the dog! Following inappropriate information security advice could mean a much higher risk and cost. It might mean many security-oriented activities are needed before doing the actual task you wanted to do. That will either mean those things don’t get done, leaving the business insecure, or the staff do them, and the business has massively slowed down its productivity and effectiveness!
You might also lose key staff if they don’t want to follow practices that are not integrated well with your cultural values and behaviours. (Of course, you may need to change some practices if you are not already demonstrating good behaviours. However, that doesn’t mean you need to institute Top Secret military-grade practices for good cyber hygiene in your sector.)
An ISMS delivers a positive return on investment. The goal of our whitepaper is to show you why, what, and how you can get RoI from an ISMS that fits the business needs.
What are the key considerations when building the business case for an ISMS?
- A growing challenge
- Three reasons why nothing happens
- The return on investment from information security management
- A point on people
- In considering the technology
- What is an ISMS?
- What are the components of an ISMS?
- Why do organisations need an ISMS?
- Is your organisation leadership ready to support an ISMS?
- Developing the business case for an ISMS
- Benefits to realise – Achieving returns from the threats and opportunities
- Evaluating the threats
- Identifying the opportunities
- Stakeholder expectations for the ISMS given their relative power and interest
- Scoping the ISMS to satisfy stakeholder interests
- GDPR focused work
- Doing other work for broader security confidence and assurance with higher RoI
- Work to get done for ISO 27001:2013/17
- Build or buy – Considering the best way to achieve ISMS success
- The people involved in the ISMS
- The characteristics of a good technology solution for your ISMS
- Whether to build or buy the technology part of the ISMS
- The core competences of the organisation, costs and opportunity costs
- In conclusion