Step 1: Get management buy-in
The first and most critical step in the preparation for ISO 27001 certification is to get management buy-in. This can be gained through a business impact analysis of information assets. Such analyses not only reveal how vulnerable a company's information assets are, but also estimate the possible extent of loss to business (in financial) terms if these assets are compromised.
Risk analysis of the existing security architecture can also help an organisation gauge the easiness of accessing sensitive and confidential information. In my experience, after a presentation on the organization's state of security, in almost 90% of cases, management acknowledges the seriousness of this issue and gets ready to address it. Once there is management buy-in and the company decides to go ahead with ISO 27001 certification, the senior-most official (MD or chairman or CEO) will need to pin down his commitment toward this certification. He will need to write a memo or letter addressing all employees about the company's seriousness regarding information security and the implications of non-conformance with its policies. This will make the employees more aware and concerned about this project.
Step 2: Establish a steering committee
The management can then form a steering committee or a department or a body headed by a senior executive to drive the ISMS project. The organization will also need to form a working group, preferably of department heads, to look after individual departments with regard to information security. Department heads must have thorough knowledge of their individual departments, information assets and processes.
Step 3: Develop an information security policy
The company should come up with a detailed information security policy in consultation with the steering committee, department heads and independent consultants. This information security policy will not only identify and classify all kinds of information assets, but will also define each individual's right to access any given information asset.
Department heads can list all hard and soft information within their purview. The information security policy can include things like computer access policy, laptop theft policy, Internet access, and access to PDAs and BlackBerrys. The information can be classified into different categories such as sensitive, confidential, internal and public.
If the company already has an information security policy, this should be reviewed against the ISO 27001 standard's current version. The policy document should try to keep a balance between the organization's culture and requirements for certification, because you want to ensure that security does not hamper the employees' work.
Step 4: Decide the ISO 27001 certification's scope and coverage
Before actual implementation of the ISO 27001 standard, you need to decide scope and coverage of the certification. You may want to cover all office locations or only the head office. Or you may want to cover five locations in the current year, and five in the next. The coverage will also help you to estimate approximate costs and resources required to implement security.
Companies rarely do such projects in-house because they lack the expertise and resources. The best time to involve a consultant is from the start. It's also advisable to have more than one consultant, since you may not want to put all your eggs in one basket. Depending on the cost of these consultants and their expertise, the company may involve more than one consultant in the process.
Finally, when putting security control measures in place, you need to ensure that the value of your control does not exceed the value of your asset. The entire stage of planning for ISO 27001 certification can take more than three months, but companies must remember that well begun is half done.
(These views represent the author's personal views and do not reflect his employer's standpoints.)
About the author: Tarun Gour is an information security consultant at Mahindra Special Services Group. He has implemented the ISO 27001 standard for many organizations and has conducted pre-certification audits and performed risk assessment with recommendation of safeguards.
(As told to Dhwani Pandya.)
This was first published in March 2010