The document summarizes ISO 27001, an international standard for information security management. It defines ISO 27001's objectives of ensuring confidentiality, integrity and availability of information. The paper then proposes a methodology for organizations to implement an Information Security Management System (ISMS) according to ISO 27001. This involves a gap analysis between current processes and ISO 27001 controls, as well as developing a risk assessment, risk treatment plan, and statement of applicability. Implementing an ISMS framework according to ISO 27001 can help organizations securely manage sensitive information and gain international certification.

1. ISO 27001: A Methodology for deployment of Information Security
Management System
Ruchit Ahuja
Dr. Koilakuntla Maddulety
Abstract
Information is an asset for an organization. It can exist in any form like, Printed, written, electronic or even spoken.
Owing to the critical nature of this asset, it becomes imperative to suitably safeguard it. ISO 27001 is an
internationally recognized standard to secure information on 3 dimensions:-
1) Confidentiality: - restriction on accessibility of information.
2) Integrity: - accuracy and completeness of information.
3) Availability:-only authorized access to information.
It first defines information security objectives (39 in count) and to fulfill each one of them, it provides 133 controls.
The paper defines a methodology to achieve ISO 27001 standardization. It defines 2 aspects as gap analysis and
steps to implement ISMS. Gap analysis can be done by observing their processes against each control of ISO 27001.
The gaps are to be identified if the current processes are not as per ISO 27001 standards. There is a step by step
approach to implement ISMS (Information Security Management System). Gap Analysis basically puts a ground
work to implement ISMS.
ISO 27001 certificate can provide a number of advantages in terms of market differentiation, structured approach to
information security, certification of international recognition etc.
Key words: - ISO 27001, ISMS (information security management system), information security, gap analysis.
1. Introduction
ISO 27001, formerly BS-7799:2002 part 2 is the international standard for a company to manage
its information security. To its core it is basically about setting up of ISMS (Information security
management system). It is a systematic approach or a framework to managing sensitive company
information, ensuring it remains both secure and available. It helps to identify, manage and
quantify the range of threats to which information is regularly subjected.
Information security is a management process, not a technological process. According to “AC
Neilson” report, till now there are 5797 companies are ISO 27001 certified in 64 countries. Some
notable ISO 27001 certified companies’ are- EDS, SAP, Sun Microsystems,
PriceWaterhouseCoopers, Xerox etc.
ISO 27001 is a part of family. The family is known as ISO 27000 series. Following are the
members’ standards of the family:-
1. ISO 27000 :– Principles and Vocabulary (in development)
2. ISO 27001 :– ISMS Requirements (BS7799 – Part 2)
3. ISO 27002 :– ISO/ IEC 17799:2005 (from 2007 onwards)
4. ISO 27003 :– ISMS Implementation guidelines (due 2007)

2. 5. ISO 27004 :– ISMS Metrics and measurement (due 2007)
6. ISO 27005 :– ISMS Risk Management
7. ISO 27006 – 27010 :– Allocation for future use [7]
It calls the security from CIA perspective (a 3-dimensional approach):-
1. Confidentiality: - By implementing ISO 27001 in your organization, you ensure that
accessibility to even the smallest piece of information is restricted to those it is meant for.
2. Integrity: - The ISO 27001 standard introduces a systematic process that safeguards the
accuracy and completeness of information and processing methods. This ensures
continuity and restoration of your business in case of disaster.
3. Availability (Restricted):- By introducing ISO 27001 in your system, you make sure that
only authorized users have access to your information and associated assets. This makes
security management an easy task to handle. [7]
This is achieved by putting following 4P’s in proper place:-
1. People: - The employees of the organization must be aware of their responsibilities.
2. Products: - The products or systems being used have integrated security features.
3. Procedures: - The procedures for carrying out tasks must be standardized.
4. Policies: - The policies of the organization must be documented. [7]
Implementation guidelines were prepared by the Joint Technical Committee ISO/IEC JTC1,
IT Sub Committee SC27, IT Security Techniques and replaces BS7799-2:2002 (British
Standard 7799-2:2002). It can be obtained standalone, with ISO 27002, or as part of the
ISO27000 Toolkit. [7]
2. Cost Benefit Analysis [10]
Along with a number of benefits in terms of operational activities and costs, implementation of
ISO 27001 has its own financial implications. Before going ahead with the project an
organization must do a cost-benefit analysis so as to get a clear picture what is in store for the
firm after implementation. Following table gives the generic picture:-
S. No Benefits Costs
1 Reduction in Information Security risks Implementation as a project
2 Reduction in the probability and impacts of
information security incidents.
Organizational changes
3 Internationally recognized standard Actual auditing, surveillance and
certification visits
4 Brand value enhancement and market
differentiator
Operation and maintenance
5 Structured and coherent approach to

3. information security
6 Confidence to interested parties
3. Controls
ISO 27001 Consists of 11 control sections. Under these sections, there are 39 control objectives,
and 133 controls.
Following is the list of all the control sections:-
1. Information Security policy
2. Organizational Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental security
6. Communications and operations management
7. Access control
8. Systems development and maintenance
9. Information Security Management and Incident Reporting
10. Business continuity management
11. Compliance
[5]
4. Methodology
The idea is to ensure that the framework of management of information as described by ISO
27001 is followed in an organization. It will in turn make its organization and handling more
structured and secure.
The two basic tasks involved to achieve ISO 27001 standardization are as follows:-
1. Gap Analysis against defined controls of ISO 27001.
2. Planning for setting up of ISMS
Following the methodology as in this section, the project deliverables will be as follows:-
1. Gap Analysis Report
2. Recommendations for gap analysis.
3. Framework and Report for:-
a) Risk Assessment (RA) and Risk Treatment Plan (RTP)
b) Statement of Applicability (SoA)
4.1 Gap Analysis
First we need to find the gaps between the current processes and requirements of ISO 27001.
ISO 27001 defines 133 controls segregated under 11 control sections. To achieve the objective, a
study needs to be carried out for each control of the ISO 27001 and each one needs to be judged
over 4 parameters:-
(a) Applicability: - whether the control is applicable to our organization or not.

4. (b) Implementation: - whether the control is implemented in organization or not.
(c) Fulfillment: - ISO defines a requirement level to be fulfilled so as to pass against that
control. Here we identify whether the criteria level is fulfilled or not.
(d) Criticality Index: - Also judge on the basis of criticality, whether Non critical, Critical or
highly Critical.
Quantify the judgment by assigning values as per following table:-
Applicability Implementation Fulfillment Criticality Index
0-If Not Applicable
1-If Applicable
1-If Implemented
2- If not Implemented
0-If fulfilled
1-If not fulfilled
1-Not Critical
2-Critical
3-Highly Critical
Now find a Gap priority index (GPI) should be calculated by multiplying the values assigned to
the four parameters:-
Gap Priority Index (GPI) = Applicability * Implementation * Fulfillment * Criticality Index
Once gap priority index (GPI) is calculated for all of the controls, the focus areas can be easily
found. The values which this index can assume are 0, 1, 2, 3, 4, or 6. The organization must sort
out controls as per GPI. Following inferences can be drawn from the GPI values:-
1. The controls which have GPI values > 2 are primary focus areas and must be sorted
out first.
2. If the count of controls with GPI > 2 is 25 or more, the systems in organization are
not in place and considerable improvements are required.
3. To get the ISO certificate, the GPI values for all controls must be 0.
Finally gaps can be identified and recommendation report be prepared for all controls whose GPI
is non zero:-
Gaps= Processes required (as per ISO) – Processes implemented (currently in place)
4.2 Implementation of ISMS
ISMS, Information Security Management System are the overall management system comprising
governance, policies, procedures etc. through which information security is directed and
controlled. It is basically a framework in which the information is organized and handled.
Broadly the implementation of ISMS is divided into 2 parts:-
1) Planning phase: - The initial 5 steps of the flowchart below fall in this planning phase.
Here we mainly identify the loopholes in our information security framework and plan
for steps to be taken to fill the shortcomings.
2) Implementation phase: - After the gaps are identified and planning done to fill the gaps,

5. it’s time to take corrective actions and go for the auditing process. This is defined in steps
7-11 in the flowchart.
Flow chart: - Input Vs Output for Implementation of ISMS [10]

6. Flow chart: - Input Vs Output for Implementation of ISMS (Contd...) [10]
4.2.1 Risk Assessment (RA) and Risk Treatment plan (RTP)
For the RA and RTP, the FMEA, Failure mode Effect analysis methodology is adopted. In this
FMEA approach, we basically find out RPN (Risk Priority number), which is defined as:-
RPN= Severity*Probability*Detect ability
Following the FMEA method, the risks are assessed, RPNs calculated and then risks are ranked
by RPN.
Following steps are involved in the process:-
1. Identify the businesses or the services rendered by the department under the scope of RA.
2. Compute the assets that deliver or support the business or service identified.
3. Write down the asset number (to avoid duplication).
4. Write down the function of the asset in delivering or maintain the identified business or
service.
5. Now identify the failure modes for the identified function. Please note that there could be
more than one failure mode for each function.
6. Now identify the effect, if the identified failure mode happens. That if the identified
failure mode happens what will be the effect on the business or service.
7. Now refer the severity chart and choose the number relevant to the effect of the failure
mode.
8. Now identify the cause for the failure mode. Please note that each failure mode can have
more than one cause.
9. Now refer to the probability chart and choose the number that is more relevant to the
frequency of the cause happening.
10. Now list down the current controls. Kindly categorize the controls as preventive and
detective controls. Write each control in separate rows.
11. Now refer to the detect ability chart and choose a number relevant to the effectiveness of
the controls.
12. You can now see the Risk Priority Number calculated for a failure mode of the respective

7. asset function.
13. Now if the RPN is not under the acceptable value then the risk status shows "HIGH
RISK", recommendation to mitigate each of these HIGH RISK has to be listed down.
Kindly list each control in separate rows.
14. Now identify who will implement the recommended control and by what target date the
recommended control would be implemented.
15. Now if the RPN is under the acceptable value then the risk status shows "LOW RISK".
Else it displays as HIGH RISK. If it is HIGH RISK then the process has to be repeated
from step 1.
16. Refer the Probability Chart.
17. Refer the Delectability Chart.
18. New RPN is calculated. Compare it with the acceptable norms and if not satisfying then
redo the same process.
[10]
The prioritized list of risks provides management with a rational basis for determining how much
resource to apply to risk reduction: the cutoff point should go further down the list if more
resources are allocated, and vice versa.
After sorting the risk as per RPN, the risks selection for risk treatment plan is based on following
criteria:-
1. All risks which have RPN greater than 125.
2. Risk treatment Plan is prepared for at least 5% of the total number of risks
4.2.2 Statement of Applicability (SoA)
The Statement of Applicability refers to the document where we identify which controls are
applicable to our organization. This is basically generated by using the output of Risk
Assessment (RA) and Risk Treatment Plan (RTP). Applicable controls are identified within the
RA and RTP documents itself. Here some more information is added. Along with the applicable
controls, the SoA also identifies reasons for their applicability.
The results can be tabulated as follows:-
S.
No
ISO 27001Controls
Current
Controls
Remarks
(Justification
for exclusion)
Selected Controls
and Reasons for
selection
Remarks
(Overview of
implementation)
Clause Sec
Contro
l
Object
ive/Co
ntrol
LR CO
BR/
BP
RR
A

8. 1
SoA Structure [10]
• The controls can be applicable for following reasons:-
• LR: legal requirements
• CO: contractual obligations
• BR/BP: business requirements/adopted best practices
• RRA: results of risk assessment
• TSE: to some extent.
Proper justification is provided as why a particular control is not applicable. The organization
can then focus on areas which are relevant to them.
5. Conclusion
There are few companies all over the world which are ISO 27001 certified. AC Nielson in one of
its survey results put the count at 5797. Being an ISO 27001 certified firm can become a major
reputation and differentiating factor for an organization. Before 3rd
parties start pointing out the
loopholes, it is better that they are identified internally so that they are fixed before someone
exploits them.
6. References *
1. http://www.asq.org/learn-about-quality/process-analysis-tools/overview/fmea.html
2. http://www.bhconsulting.ie/ISO%2027001%20%20A%20Standard%20to
%20Maintain.pdf
3. http://capdev.msc.com.my/images/pdf/CaDevWe/D1_Session2.pdf
4. http://www.complianceonline.com/images/supportpages/500071/Sample.pdf
5. http://www.docstoc.com/docs/6130716/ISO-27001-Controls-and-Objectives
6. http://www.encodegroup.com/
7. www.fvc.com/FVC/FVCWEB/files/ISO27001%20Introduction.pdf
8. http://www.informationshield.com/papers/ISO%2027001%20Certification.pdf
9. http://www.infosecwriters.com/texts.php?op=display&id=335
10. http://www.iso27001security.com/ISO27k_Toolkit_3v8.zip
11. http://www.itgovernance.co.uk/files/Infosec_101v1.1.pdf
12. http://www.itgovernance.co.uk/files/Documentationtoolkitdescriptionintv7.pdf
13. http://www.infosecwriters.com/text_resources/pdf/ISMS_VKumar.pdf

9. 14. http://i.zdnet.com/whitepapers/Tripwire_WP2712_ISO27001.pdf
15. http://www.wolcottgroup.com/documents/WG_ISO27001PoV_0607C2.pdf
*The web-Links were accessed from 1 Jan 2009 up till 25 Sep 2009.
AUTHORS
1) Ruchit Ahuja
Affiliation: - Student, National Institute of Industrial Engineering, Mumbai
Contact Address:- Room No-442, Hostel No-5, NITIE, Vihar Lake Post,
Mumbai- 400087
ruchit.ahuja@gmail.com
09769149550
2) Dr. Koilakuntla Maddulety, Asstt. Professor
Affiliation: - National Institute of Industrial Engineering, Mumbai
Contact Address: - Dr. Koilakuntla Maddulety, NITIE, Vihar Lake Post, Mumbai-
400087.
Koila@rediffmail.com
09969326007