2. Agenda
§ What is ISO 27001
§ The PDCA Model
§ Steps to achieve ISO
27001Certification
3. PDCA Model
§ The "Plan-Do-Check-Act" (PDCA) model applies at different levels throughout the ISMS (cycles within cycles)
§ The diagram illustrates how an ISMS takes as input the information security requirements and expectations and through the PDCA cycle
produces managed information security outcomes that satisfy those requirements and expectations
Information security requirements
and expectations
Managed information security
4. PDCA Model
§ Plan (establish the ISMS)
Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in
accordance with an organization’s overall policies and objectives
§ Do (implement and operate the ISMS)
Implement and operate the ISMS policy, controls, processes and procedures
§ Check (monitor and review the ISMS)
Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results
to management for review
§ Act (maintain and improve the ISMS)
Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information,
to achieve continual improvement of the ISMS
5. 10 Steps to Achieve ISO 27001
Step 1: Decision
§ Senior management need to be behind the decision for ISO 27001 certification. There is definite value in communicating this internally,
it enforces the company’s aspiration to pursue best practice
§ What is needed? Concise and positive briefing to senior management outlining benefits and how it provides a platform for business
growth
Step 2: ISO Management Representative
§ The company appoints a responsible and knowledgeable manager to run the program and implementation. This person will become the
company’s ISO 27001 specialist, understanding the controls and milestones needed towards accreditation
§ What is needed? Selection of the right individual with a specific job description and knowledge of ISO and ISMS requirements
6. 10 Steps to Achieve ISO 27001
Step 3: Gap Analysis and Risk Assessment
§ An assessment of risk or a gap analysis is conducted to find out what can go wrong and which threats endanger the Confidentiality, Integrity
and Availability of information. This is to understand the maturity of existing controls within the business and to determine the risk profile
§ What is needed? The gap analysis followed by a risk assessment of all in scope people, processes and technology performed by a qualified
auditor. Understanding the maturity of controls and risk profile
Step 4: Scope & Implementation Plan
§ The review of output from the gap analysis allows the business to validate the scope of implementation and the functional / operational
boundaries. For each risk identified, appropriate controls are set to manage the risk in a systematic way. This will ensure nothing important is
missed. Important milestones, time requirements, dates for any pre assessment and staged audits are set
§ What is needed? A step by step concise guide to explain the ISO 27001 process in sufficient detail
7. 10 Steps to Achieve ISO 27001
Step 5: Employee Introduction
§ It is important to engage with employees from the beginning to ensure they buy in to the ISO 27001 certification process and respond
appropriately. Also to help them to understand the individual, company and client benefits
§ What is needed? A short and easy-to-understand ISO 27001 and security introduction briefing that focuses on how employees are affected
and their role in the successful implementation
Step 6: Documentation, documentation, documentation!
§ ISO 27001 certification requires extensive documentation addressing all relevant millstones and individual controls. This forms the criteria the
company is measured against to meet the ISO standard
§ What is needed? A set of policies, standards and procedures to ensure the business is adhering to all requirements in an efficient and
achievable manner
8. 10 Steps to Achieve ISO 27001
Step 7: Realisation
§ With the gap analysis, scope and documentation ready, it is time to put new processes into ‘business as usual’ throughout the company to start
realising the many benefits of ISO 27001. At this stage it would be beneficial to conduct a pre assessment to ensure the company is on the
right track and validate the evidence
§ What is needed? Pre assessments forms, checklists and the gathering of evidence. Communication to staff about the revised processes, the
need to adopt them fully and report back on what isn’t working
Step 8: Internal ISO 27001 Audits
§ ISO 27001 requires an internal audit to assess where the company is at with the milestones and the implementation phase. An auditor will
complete documentation assessing the risk, noting controls and remediation to highlight the improvements required
§ What is needed? An experienced internal or external auditor. Audit tools that include forms, complete audit checklists and audit reports
9. 10 Steps to Achieve ISO 27001
Step 9: ISO 27001 Certification
§ The most important step is to pass the ISO 27001 certification audit. An independent assessor will issue a certificate stating that the
business is meeting the ISO 27001 controls and requirements. The appointed internal representative needs to be confident with the
process they have followed and consider how to best interact with the assessor
§ What is needed? Employee preparation for the ISO 27001 certification including questions that may be asked and the areas the audit
will focus on. An independent assessor from a reputable company
Step 10: Maintaining the ISO 27001 Certification
§ It is important to keep the ISO management system working by its integration into daily operations. The business should focus on
continual improvement
§ What is needed? A reinforcement message to employees. Focus on maintaining the standards through an internal champion. Treat it as
integral component of the business processes and not a one off project
