ISO 27001 Implementation Processes
An organization can take a Plan-Do-Check-Act (PDCA) approach to implementing an Information Security Management System (ISMS) that can be certified to ISO 27001.
1. Project Initiation
This phase will focus on the key tasks that properly set up the project. Key tasks in this phase are:
- Confirm project approach and preliminary timeline
- Establish the project team with roles and responsibilities
- Develop project management (coordination/communication/reporting) plan
2. Plan
It is important that the project is built on a solid foundation. In this phase, we will assist the client with identifying gaps, designing the ISMS framework, and developing the implementation plan. The key tasks are:
- Gather relevant information
- Perform risk assessment
- Perform gap analysis
- Determine the certification scope
- Establish the ISMS framework
- Determine the ISMS document structure
- Develop the implementation plan
3. Do
In this phase, we will work closely with the client to execute the ISMS implementation plan and develop the ISMS artefacts. The key activities are:
- Develop ISMS governance structure and process
- Develop ISMS management processes
- Develop Statement of Applicability
- Develop ISMS information security policy
- Implement information security policies and procedures
- Develop and implement information security related processes
- Provide training and awareness
4. Check
With a solid ISMS design in place, we will assist the client in monitoring, reviewing, assessing and auditing the ISMS to identify non-conformities and opportunities for improvement. Key activities are:
- Continuously monitor, review and report the ISMS operations
- Perform management review of ISMS
- Perform internal audit on ISMS design and performance
5. Act
We will assist the client with the actions necessary to remediate the non-conformities and enhance the security controls to ensure their effectiveness and efficiency. Key activities are:
- Remediate identified non-conformities
- Enhance the ISMS management and information security controls
- Monitor the effectiveness and efficiency of the ISMS
6. Certification Audit
It is extremely important to be well prepared for the certification audit. All management team and staff members may be interviewed as part of the certification audit, so appropriate training must be provided to prepare staff to give appropriate responses to the auditor’s questions. We will participate in and support the client through the certification audit. Key activities are:
- Provide certification audit preparation training to all in-scope staff
- Assist with the certification pre-audit
- Assist with the certification Stage 1 and Stage 2 audits