ISMS implementation project guidance checklist

This checklist will be appended to a new SecAware guideline on implementing an ISMS, elaborating clause-by-clause on ISO/IEC 27001 - essentially, our version of ISO/IEC 27003.  It offers pragmatic guidance for information security managers and CISOs - nothing too obscure or complex.

---oooOOOooo---

Project definition, justification, scoping and planning

⬚  Study the standards, in depth: complete lead implementer training if possible.

⬚  Study the business, in depth, to understand its objectives, strategies, culture, governance arrangements, existing information risk and security management etc.

⬚  If the organisation has a defined, structured approach for this phase, use it!

⬚  Build a business case that identifies and promotes the business benefits of the ISMS.

⬚  Look beyond ‘security’ and ‘compliance’ e.g. helping management to manage business risks, supporting/enabling other business initiatives and strategies.

Mil-spec management lessons

 

"A calamity can often strike without warning. Whether it be generated by humans or a natural disaster, leaders need to be ready to direct their teams in the aftermath. In order to be ready for crisis, leadership skills, like any others, must be practised over and over beforehand. So the way you lead in the quiet times helps to build the skills you need when you have to dig deep."

That paragraph plucked from this month's impressive NZ Airforce newsletter about the military response to the devastating flooding caused by cyclone Gabrielle here in Hawkes Bay caught my beady eye this morning. 

The idea of practicing incident management as well as incident handling or operations on relatively small incidents makes perfect sense.

27001 & climate change

Like other ISO management systems standards, ISO/IEC 27001:2022 has just been amended to incorporate two small wording changes:

• “The organization shall determine whether climate change is a relevant issue” (clause 4.1);
  
  
• “NOTE: Relevant interested parties can have requirements related to climate change.” (clause 4.2).

So, it is fair to ask what has climate change got to do with information risk and security? Is it even relevant? Having been been mulling that over for quite some while now, I've come up with a dozen points of relevance:

For more on those twelve, read "Secure the Planet".

The clock in that image is a reminder that time is pressing, so here are half-a-dozen things information risk and security professionals can do to help.

ISMS internal audit priorities

A thread on the ISO27k Forum sparked my imagination over coffee this morning.

Hope had previously asked for assistance with an ISO/IEC 27001:2022 audit plan. 

Bhushan offered a lengthy and generally sound response explaining how to use a spreadsheet with tabs to plan and record the audit work performed on 100% of the main body clauses and 50% of the 93 Annex A controls, day-by-day. That's OK ... except it wasn't entirely clear that he was interpreting and elaborating on the standard's actual requirements.

ISO/IEC 27001 does not explicitly require, for example, that (as Bhushan stated) "ALL the management system clauses from 4 to 10 AND their sub-clauses need to be listed and audited" in an ISMS internal audit, although evidently he interprets it in that way. In clause 9.2.1, the standard states a requirement for internal audits to provide information on whether the ISMS conforms to the organization’s own requirements for the ISMS plus the requirements of the standard, and is effectively implemented and maintained. There is no "ALL" in the standard's main body clauses. Spreadsheets are not mentioned at all, not even once.

Mandatory documentation in ISO27001

ISO/IEC 27001 formally requires just 14 types of "documented information" of every organisation competently certified conformant with the standard, as a minimum:

1.       ISMS scope (Clause 4.3);

2.       Information security policy (Clause 5.2);

3.       Information security risk assessment procedure (Clause 6.1.2);

4.       Statement of applicability (Clause 6.1.3 d);

5.       Information security risk treatment procedure (Clause 6.1.3);

6.       Information security objectives (Clause 6.2);

7.       Personnel records (Clause 7.2);

8.       ISMS operational information (Clause 8.1);

9.       Risk assessment reports (Clause 8.2);

10.   Risk treatment plan (Clause 8.3);

11.   Security measurements (Clause 9.1);

12.   ISMS internal audit programme and audit reports (Clause 9.2.2);

13.   ISMS management review reports (Clause 9.3.3);

14.   Records of nonconformities and corrective actions (Clause 10.1).

However, in the course of writing an ISMS implementation guideline, I have realised that #8 on the list is, strictly speaking, discretionary, not mandatory.

Innovative approaches to ISO/IEC 27001 implementation

This week I've read an interesting, inspiring piece by Robin Long exploring the costs, benefits, approaches and strategic options for implementing ISO27k.  

I like Robin's idea of trying things out and banking some 'security wins' before committing to a full implementation. A full-scope ISMS is a major commitment requiring strong understanding and support from management, requiring a high degree of trust in the team and CISO/ISM/project leader as well as the [planned] ISMS. Demonstrating and celebrating security wins is a good way to build trust and sustain it, once the ISMS is running.

I'm also intrigued by the possibilities of unconventional, creative, less boring approaches to implementation project planning - for example, instead of plodding sequentially through ISO/IEC 27001, clause-by-clause, think about: