How to implement the ISO 27001 standard: a step-by-step guide

Implementation step 1: GAP analysis

The GAP analysis is the beginning of any implementation process. We begin by performing an analysis to determine the current status of your organization. In doing so, we identify the processes related to information security. We prepare a report with the gaps to the standard and create a practical project schedule with clear roles and responsibilities.

The GAP analysis gives us important insights into the current state of information security within your organization. This insight helps identify vulnerabilities, determine needed resources and establish policies.

We perform the GAP analysis where we review each point in the standard. In this way, your personal consultant draws a detailed picture of the current state of affairs. Our added value lies not only in identifying security problems within processes and procedures, but also in providing solutions. For example, if we identify a gap in security according to the ISO 27001 standard, we make a proposal to close this gap. This can range from implementing authentication measures to improving the monitoring of sensitive data flows.

‍

Implementation step 2: Risk analysis

ISO 27001 is a risk-based standard, which means that measures must be tailored to the risks of your organization. Through a comprehensive risk analysis we map and evaluate all risks inside and outside your organization.

Risk analysis is a mandatory part of the standard. It helps identify vulnerabilities and threats that could affect your organization. It allows you to take targeted measures to mitigate these risks, strengthening the security of your information and preventing potential damage.

ISO 27001 requires that risks and opportunities be identified. We do this by means of a brainstorm. With the aim of assessing the probability and impact. For this we have a template that meets all parts of the standard. Through our experience and knowledge, we know what an auditor looks for when assessing risks and control measures taken. We are also familiar with relevant risks and trends so we can go deeper into your organization / industry specific risks.

‍

Implementation step 3: Set up management system

A management system is the set of policies, processes and procedures that enable an organization to control its policies and objectives. At its core, a management system helps an organization:

• Defining its policies and objectives;
• identify and manage risks;
• encourage continuous improvement;
• implementing security controls.

Setting up the management system is the most important part of the implementation process. It provides a structured approach to controlling information security, ensuring standards compliance and demonstrating continuous improvement. There are no hard requirements for what the system should look like, only what it should contain and what the system should ensure.

Our approach is based on the needs of your organization. We set up the management system for your organization and in your software. In addition to different software, we obviously have best practices. When we build a management system, user-friendliness is our highest priority. After implementation, it must be easy to maintain. See here how we do that.

‍

Implementation step 4: Awareness

Awareness simply means that, everyone in the organization is fully aware of the requirements and goals of the standard. It involves understanding the importance of handling information securely and recognizing the specific requirements of the standard. This awareness extends to all levels of an organization.

80% of cyber incidents are the result of human error. Awareness is therefore critical and is (according to Annex A.6.3.) a mandatory part of the standard. By making employees aware of risks and best practices, we can reduce the likelihood of incidents and strengthen the overall security of your organization.

We offer standard physical training so that the mandatory part of the standard is met. In addition, there are numerous opportunities to raise awareness within your organization, such as:

• Microlearning through gamification;
• phishing campaign;
• job-specific training;
• E-learning modules;
• USB drop;
• flyers, posters and newsletters.

‍

Implementation step 5: Internal audit

The internal audit is a mandatory review moment to verify that the management system is operating effectively and meets all standards requirements. Periodically, the organization must have its management system independently audited by competent auditors. From this test, the auditor identifies areas for improvement and shortcomings.

The internal audit is a mandatory part of the standard and helps your organization identify and correct any deficiencies or areas for improvement before the external audit.

Our consultants are certified as Lead Auditors and can therefore conduct a critical internal audit. That way, you know that if you pass the internal audit, the external audit should also be fine. We guarantee independence because the internal audit is always performed by a different consultant from the one doing the implementation. That way you have the four-eye principle of two specialists. During the internal audit, we look for improvements in the organization's management system.

Also read our article "What does an internal audit look like?"

‍

Implementation step 6: Management review

In addition to the internal audit, the management review is also a mandatory component. This was previously also called the management review . During the management review, the management evaluates the effectiveness, suitability and efficiency of the management system. The records of this are recorded in the management system which is immediately used as evidence for the external audit. The management review always follows the internal audit so that these results are included in the assessment.  

The main purpose of the management review is to continuously improve the management system and the organization. This is achieved through concrete action points that come from the management review. With deadlines and responsibilities, the organization ensures that improvement measures are actually implemented within the organization.

In the management review, we go through a standardized approach to discuss all mandatory components with stakeholders. Together with management, we assess whether the management system actually contributes to achieving the intended objectives. We identify opportunities for improvement and take a look at previous years to measure progress. This review contributes to management commitment, which is important for Chapter 5, "Leadership and Engagement.

‍

Implementation step 7: External audit

The external audit is the official test performed by an independent party (Certification Body) to verify that your organization complies with the ISO 27001 standard. After the audit, the auditor will issue a positive or negative recommendation to certify the organization.

The external audit is part of the external audit process that consists of a 3-year cycle. The 3-year audit cycle starts with the initial audit consisting of the preliminary audit (stage 1) and the certification audit (stage 2). This is followed by two control audits (surveillance audit). At the end of this cycle, the recertification audit determines whether the certificate is renewed and the organization enters a new 3-year cycle.

Our role in the external audit is to prepare and support your organization. We are experienced in dealing with external auditors and understand the expectations and requirements. Consider answering questions, analyzing areas for improvement and applying for certification. During the external audit, we may speak for your organization to guide the audit to success.

‍

Implementation step 8: Maintenance

Maintaining the management system is a mandatory part of the standard. Maintenance is checking and keeping the management system up-to-date. Tasks that are important:

• Implement the controls of the annual schedule (e.g., making backups, testing the continuity plan and checking issued authorizations);
• Measuring and monitoring set objectives;
• Checking that procedures are actually followed (for example, before leaving employment when someone leaves). It is important to remain critical and ask yourself whether your organization is actually complying with the policies that have been established.  

Now that your organization is certified in possession of the intended certificates, you obviously want to keep them. Letting the certificate gather dust is not an option. Every year the management system is checked by a control audit. By maintaining the management system and continuously improving it, you show during the next audit that your organization is in control and remains certified.

‍

The cost of an ISO 27001 implementation

Periodically, your organization makes adjustments to the management system. In this way, you ensure that the management system remains current. With the help of an annual schedule, you perform all annual mandatory parts of the standard. We still support 98% of our customers in maintaining the management system and performing the annual internal audit.

The Cost You probably have the pressing question, "How much does it cost to become ISO 27001 certified?" Unfortunately, there is no one-size-fits-all answer. How much cost you will incur in addition to time to implement an ISO 27001 depends on several factors. It starts with the current state of information security within your organization:

• Do you already have policies on handling information?
• Do you already have a management system related to information security?
• Have you already mapped out processes?

Factors such as company size and complexity also play a role. This is determined by the number of employees, locations, products and services, and the diversity of your processes. Size is not necessarily an indicator of complexity; a small company with multiple processes can be just as complex. By submitting multiple requests for quotes, you can compare price and quality.

‍

Want to learn more about how the cost of ISO certification is structured? Read our blog here!

‍

What can you expect from us during the ISO 27001 implementation?

Implementation processes demand a lot from the internal organization. We like a pragmatic approach and take into account the needs of your organization. Remote or on location? Weekly meetings or short updates? Your own software or a new tool?

We are your knowledge partner and are always available for questions. Your organization does not need knowledge of the standard. As a fresh team of specialists raised in digital world, we like a clear and smooth communication, so don't hesitate to call, email or app.

Every organization is different, which is why we offer two types of implementation processes:

Accompanying implementation process

In this process, we offer coaching and advice in the implementation of the management system and related policy documents. This system will be set up in a process-oriented way and will serve as an instrument for identifying risks in order to subsequently control them. During this process, we think along with your organization, provide templates and best practices that you can apply to your organization. In addition, our consultants are available to your organization on a daily basis for questions, depth and advice.
‍

For whom.

For organizations that want to do the implementation themselves and need advice, templates and support on mandatory parts of the standard such as the internal audit and management review.
‍

Workload?

Within your organization, we expect approximately the following workload expressed in number of hours per week. Please note that this is an estimate.

‍

Unburdening implementation process

In this process, we take full responsibility for a successful implementation from you. Our consultant relieves your organization and takes you from A to Z during the process. This allows your people to continue doing what they always do: running the business.
‍

For whom.

For organizations that do not want to do the implementation themselves and just want editing and answering organization-specific questions.
‍

Workload?

Within your organization, we expect approximately the following workload expressed in number of hours per week. Please note that this is an estimate.

‍

What we expect from you during the ISO 27001 implementation

For clear and smooth communication, we expect a point of contact within your organization. This is often referred to as the Security Officer. It is important that the Security Officer has knowledge of internal systems. It is also nice to agree on a periodic fixed time when we have contact together.
‍

Benefits of an ISO 27001 implementation partner

Working with an experienced implementation partner brings a number of benefits: Need help choosing the right implementation partner? Read here which 7 criteria to look out for.

‍

Choosing Fendix as an implementation partner

We hope this blog has been able to offer you a clear insight into what an implementation process looks like. Have you become enthusiastic about our approach? Then we would love to hear from you. Check our website for more information or contact us directly.

‍

‍