ARE YOU READY FOR ISO27001:2013


ABSTRACT

If you're thinking about implementing ISO 27001:2013, then this guide will help you assess whether you're ready to face the challenges ahead.

ARE YOU READY FOR ISO27001:2013? A Simple Guide
MISSING THE LINQ 2016

ARE YOU READY FOR ISO27001:2013? A SIMPLE GUIDE

INTRODUCTION

If you're thinking about implementing ISO 27001:2013, then this guide will help you assess whether you are ready for ISO27001:2013. By asking a few simple questions, it will enable you to make the right decision for you and your business and help you avoid a costly mistake. Follow the "Are You Ready for ISO27001:2013? A Simple Guide" to learn what is required. If you want more detailed information, or help in jump-starting your accreditation process, then go to our website for more information or send us an email at contact@missingthelinq.com.

QUESTION 1: IS YOUR MANAGEMENT TEAM COMMITTED?

Unless you have the backing of the senior management team, and/or a member of the senior management team leading the project, it will fail. They should be the driving force behind the programme; they need to completely understand the strategic issues around IT governance and information security, and the value of successful certification. If senior management are not behind this project there is little point in proceeding: certification will not be awarded without clear evidence of such commitment. Management support is very important because an ISMS project cuts across all parts of an organisation, and therefore all key leaders need to be onside.

QUESTION 2: DO YOU HAVE A GOOD BUSINESS CULTURE?

Without staff buy-in you will not achieve the outcomes required. ISO27001:2013 is about business change, and those affected by change need to be on board. Everyone will answer this question with a positive: all people believe that they have a good business culture, and some will even believe they have the best business culture. However, you have to answer this question honestly. A professional organisation is one where everyone knows what they are responsible for, why they do it and what is expected from them. An openness to change is a benefit when adopting standards, as are good communication and high levels of staff engagement.

QUESTION 3: ARE YOU ALREADY MEETING THE REQUIREMENTS?

A well organised company, with good structure and supporting processes, and people open to change and willing to learn, may already be on the path to accreditation. In order to understand how far your organisation is from accreditation, and how much work is required to achieve it, it is worth getting hold of a copy of the step-by-step guides to implementing ISO27001:2013; this will give you a simple introduction to the Standard and an insight into what is required. Furthermore, it is recommended that a gap analysis is performed before committing yourself to the full project. A top-down approach is suggested, as this will get to the critical loopholes quickly and identify gaps up front before embarking on a costly project. This can be done using the Statement of Applicability (SoA) as guidance on which controls need to be put in place and on which the management system will be based.

QUESTION 4: DO YOU HAVE AVAILABLE BUDGET & RESOURCES?

Fail to plan, plan to fail. Of course, while a plan is necessary it is not sufficient; having the right level of resource and budget is critical when implementing the project. Not every organisation can afford the luxury of a dedicated Information Security Officer or a Security Manager, nor does every organisation have the skills or competencies in-house to deliver the project. Likewise, some may have implemented the ISO standard in a previous role, or have backgrounds in creating management systems. The good news is that people of all types have successfully implemented ISO27001:2013 and achieved certification; it may take a little longer depending on experience.

QUESTION 5: WHAT ARE THE RISKS/COSTS OF NOT BEING ACCREDITED?

Risk assessment is at the heart of the Standard and must be business driven; it should reflect legal, regulatory and contractual requirements, and understanding what the risks to the business of not being accredited are is crucial. The requirement ultimately is that the risk assessment should take into account both the organisation's context and the requirements of third parties who may have an interest. The organisation needs to determine its criteria for accepting risks and identify the levels of risk it is willing to accept. A risk assessment is a process that combines risk analysis and risk evaluation. Risk analysis is the use of information to estimate risk. Risk evaluation is the process of comparing the estimated risk against given risk criteria to determine its significance. In other words: what is the realistic likelihood of a risk occurring, and what harm is likely to result from it?

QUESTION 6: WILL IT MAKE YOU A BETTER BUSINESS?

The final question you should ask yourself is: is going through all the hard work, time and effort across all parts of the organisation, implementing change and controls, going to make you a better business? A lot of work and commitment is going to be required to implement ISO27001:2013, and a lot of change will need to be managed across much of the organisation; therefore there has to be a tangible business benefit which is measurable and quantifiable. Acknowledging that ISO27001:2013 is a good idea, or doing the project for the tick in the box, is not the reason to put the organisation through the changes required. There will be more beneficial projects to work on which will have bigger returns on investment; however, your answers to the above five questions will give you a good indication of where this project sits in terms of prioritisation and whether or not it fits your organisation's strategy.

GLOSSARY OF TERMS

Statement of Applicability (SoA): one of the key documents in the ISO27001:2013 Standard. It identifies the controls relevant to the business and explains why those controls have been selected to treat the identified risks. The SoA defines how the information security programme will be implemented and is the link between the risk assessment and the implementation of the information security processes. The SoA explains which of the suggested 114 controls from Annex A will be applied and justifies any excluded controls.

Risk Assessment: a risk assessment combines two techniques, a risk analysis and a risk evaluation.

Risk Analysis: uses information to identify possible sources of risk. It uses information to identify threats or events that have a harmful or detrimental impact. It then estimates the risk by asking: what is the probability of that event occurring, and what impact would it have if it occurred?

Risk Evaluation: compares the estimated risk with a set of risk criteria. This is done to determine how significant the risk really is.

Risk Acceptance: part of the risk treatment decision-making process, meaning the risk is acceptable given that certain controls are in place or the risk has been mitigated in some other way.

Controls: in the context of information security management, a control is any administrative, managerial, technical or legal method that is used to modify or manage information security risk. Controls can include things such as practices, processes, policies and organisation structures. Controls are sometimes referred to as safeguards or countermeasures.

Information Security Management System (ISMS): includes all of the policies, procedures, documents, records, plans, guidelines, agreements, contracts, processes, practices, methods, activities, roles, responsibilities, relationships, tools, techniques, technologies, resources and structures that are used to protect and preserve information, to manage and control information security risks and to achieve business objectives.
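The risk assessment process that Question 5 and the glossary describe (risk analysis to estimate the risk, risk evaluation against the criteria the organisation has set, then the acceptance decision, and the SoA that records which controls were selected and why) carried through on a small risk register, as an added worked example that is not part of the guide or of Missing the Linq's material. The 1-5 rating scales, the likelihood x impact score, the thresholds, the register entries and the control names are constructed assumptions for illustration only; the control names are not Annex A references, and the guide itself prescribes no scoring method.

```python
"""Risk assessment walk-through: analysis -> evaluation -> acceptance decision -> SoA view.

Added example. The 1-5 scales, the likelihood x impact score, the thresholds,
the register and the control names are constructed for illustration; the
control names are not Annex A control references.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                             # 1 rare .. 5 almost certain (constructed scale)
    impact: int                                 # 1 negligible .. 5 severe (constructed scale)
    control: Optional[str] = None               # treatment selected, if any (constructed name)
    residual_likelihood: Optional[int] = None   # estimates once the control is in place
    residual_impact: Optional[int] = None


@dataclass
class RiskCriteria:
    """Set by the organisation: the level of risk it is willing to accept (assumed values)."""
    acceptable_at_or_below: int = 6   # scores at or below this are acceptable as-is
    high_from: int = 15               # scores from here upward are high and need escalation


def analyse(likelihood: int, impact: int) -> int:
    """Risk analysis: estimate the risk from how likely the event is and the harm it would cause."""
    for rating in (likelihood, impact):
        if not 1 <= rating <= 5:
            raise ValueError(f"rating {rating} is outside the 1-5 scale")
    return likelihood * impact


def evaluate(score: int, criteria: RiskCriteria) -> str:
    """Risk evaluation: compare the estimated risk against the risk criteria to rate its significance."""
    if score <= criteria.acceptable_at_or_below:
        return "low"
    if score >= criteria.high_from:
        return "high"
    return "medium"


def decide(risk: Risk, criteria: RiskCriteria) -> dict:
    """Take one register entry through analysis, evaluation and the acceptance decision."""
    inherent = analyse(risk.likelihood, risk.impact)
    level = evaluate(inherent, criteria)
    residual = None
    if risk.control and risk.residual_likelihood is not None and risk.residual_impact is not None:
        residual = analyse(risk.residual_likelihood, risk.residual_impact)
    if level == "low":
        decision = "accept"                 # already within the criteria, no treatment needed
    elif residual is not None and evaluate(residual, criteria) == "low":
        decision = "accept with control"    # acceptable given the selected control is in place
    else:
        decision = "treat further"          # still above what the organisation will accept
    return {"asset": risk.asset, "threat": risk.threat, "inherent": inherent,
            "level": level, "residual": residual, "decision": decision}


def assess(register: list, criteria: RiskCriteria) -> list:
    return [decide(risk, criteria) for risk in register]


def statement_of_applicability(register: list, candidate_controls: list, criteria: RiskCriteria) -> dict:
    """SoA-style view: applied controls justified by the risk they treat, and excluded
    controls with the justification that no identified risk needs them."""
    applied: dict = {}
    for risk in register:
        if risk.control and decide(risk, criteria)["decision"] != "accept":
            applied.setdefault(risk.control, []).append(f"{risk.threat} against {risk.asset}")
    excluded = {c: "no identified risk treated by this control" for c in candidate_controls if c not in applied}
    return {"applied": applied, "excluded": excluded}


# Constructed register and candidate control list for the walk-through.
CRITERIA = RiskCriteria()
CANDIDATE_CONTROLS = ["offsite encrypted backups", "multi-factor authentication",
                      "supplier security clauses", "clear desk policy"]
REGISTER = [
    Risk("customer database", "ransomware", 4, 5,
         control="offsite encrypted backups", residual_likelihood=4, residual_impact=1),
    Risk("staff webmail", "credential phishing", 4, 3,
         control="multi-factor authentication", residual_likelihood=1, residual_impact=3),
    Risk("payroll provider", "supplier breach", 3, 4,
         control="supplier security clauses", residual_likelihood=3, residual_impact=3),
    Risk("lobby display", "defacement", 2, 1),
]

if __name__ == "__main__":
    for row in assess(REGISTER, CRITERIA):
        print(f"{row['asset']:<18} {row['threat']:<20} inherent={row['inherent']:>2} "
              f"{row['level']:<6} residual={row['residual']} -> {row['decision']}")
    soa = statement_of_applicability(REGISTER, CANDIDATE_CONTROLS, CRITERIA)
    print("applied:", soa["applied"])
    print("excluded:", soa["excluded"])
```

Running the module prints each entry's inherent score, its significance against the criteria, the residual score once the selected control is counted, and the resulting decision. The payroll entry is the instructive one: its control lowers the score but not below the organisation's acceptance threshold, so it comes back as "treat further", which is the signal that the chosen treatment is not yet enough and that the entry cannot be recorded as accepted in the SoA.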

Missing the Linq, 9 Farncombe Lane, Oakwood, Derby DE21 2AY. Registered in England and Wales No WEB: contact@missingthelinq.com