Are you ready for ISO27001 - Missing the Linq · 2017-06-06
ARE YOU READY FOR ISO27001:2013
A Simple Guide

ABSTRACT
If you're thinking about implementing ISO27001:2013, then this guide will help you make an assessment of whether you're ready to face the challenges ahead.

MISSING THE LINQ 2016
ARE YOU READY FOR ISO27001:2013?
A SIMPLE GUIDE

INTRODUCTION

If you're thinking about implementing ISO27001:2013, then this guide will help you make an assessment of whether you are ready for ISO27001:2013.

By asking a few simple questions, it will enable you to make the right decision for you and your business and help you avoid making a costly mistake.

Follow the Are You Ready for ISO27001:2013 – A Simple Guide to learn what is required.

If you want more detailed information or help in jump-starting your accreditation process, then go to our website www.missingthelinq.com for more information or send us an email at contact@missingthelinq.com
QUESTION 1 – IS YOUR MANAGEMENT TEAM COMMITTED?

Unless you have the backing of the senior management team and/or a member of the senior management team leading the project, it will fail.

They should be the driving force behind the programme; they need to completely understand the strategic issues around IT governance and information security and the value of successful certification. If the senior management are not behind this project, there is little point in proceeding: certification will not be awarded without clear evidence of such commitment.

Management support is very important, as an ISMS project cuts across all parts of an organisation, and therefore all key leaders need to be onside.
QUESTION 2 – DO YOU HAVE A GOOD BUSINESS CULTURE?

Without staff buy-in you will not achieve the outcomes required. ISO27001:2013 is about business change, and those affected by change need to be on board.

Everyone will answer this question with a positive: all people believe that they have a good business culture, and some will even believe they have the best business culture. However, you have to answer this question honestly.

A professional organisation is one where everyone knows what they are responsible for, why they do it and what is expected from them. An openness to change is a benefit when adopting standards, as are good communication and high levels of staff engagement.
QUESTION 3 – ARE YOU ALREADY MEETING THE REQUIREMENTS?

A well organised company, with good structure and organisation, supporting processes, and people open to change and willing to learn, may already be on the path to accreditation.

In order to understand how far your organisation is from accreditation and how much work is required to achieve it, it is worth getting hold of a copy of the step-by-step guides to implementing ISO27001:2013; this will give you a simple introduction to the Standard and an insight into what is required.

Furthermore, it is recommended that a gap analysis is performed before committing yourself to the full project. A top-down approach is suggested, as this will get to the critical loopholes quickly and identify gaps up front before embarking on a costly project.

This can be done using the Statement of Applicability (SoA) as guidance on which controls need to be put in place and on which the management system will be based.
QUESTION 4 – DO YOU HAVE AVAILABLE BUDGET & RESOURCES?

Fail to Plan, Plan to Fail. Of course, while it is necessary, it is not sufficient to just have a plan; having the right level of resource and budget is critical when implementing the project.

Not every organisation can afford the luxury of a dedicated Information Security Officer or a Security Manager, nor does every organisation have the skills or competencies in-house to deliver the project.

Likewise, some may have implemented the ISO standard in a previous role, or have backgrounds in creating management systems.

The good news is that people of all types have successfully implemented ISO27001:2013 and achieved certification; it may take a little longer depending on experience.
QUESTION 5 – WHAT ARE THE RISKS/COSTS OF NOT BEING ACCREDITED?

Risk assessment is at the heart of the Standard and must be business driven; it should reflect legal, regulatory and contractual requirements. Understanding what the risks to the business of not being accredited are is crucial.

The requirement ultimately is that the risk assessment should take into account both the organisation's context and the requirements of third parties who may have an interest.

The organisation needs to determine its criteria for accepting risks and identify the levels of risk it is willing to accept. A risk assessment is a process that combines risk analysis and risk evaluation. Risk analysis is the use of information to estimate risk.

Risk evaluation is the process of comparing the estimated risk against given risk criteria to determine its significance.

In other words: what is the realistic likelihood of a risk occurring, and what harm is likely to result from the risk?
QUESTION 6 – WILL IT MAKE YOU A BETTER BUSINESS?

The final question you should ask yourself is: is going through all the hard work, time and effort across all parts of the organisation, implementing change and controls, going to make you a better business?

A lot of work and commitment is going to be required to implement ISO27001:2013, and a lot of change will need to be managed across a lot of the organisation. Therefore there has to be a tangible business benefit, which is measurable and quantifiable.

Acknowledging that ISO27001:2013 'is a good idea', or doing the project for the tick in the box, is not the reason to put the organisation through the changes required. There will be more beneficial projects to work on which will have bigger returns on investment; however, the answers to the above 5 questions will give you a good indication of where this project sits in terms of prioritisation and whether it fits in your organisation's strategy or not.
GLOSSARY OF TERMS

Statement of Applicability (SoA) – Is one of the key documents in the ISO27001:2013 Standard. It identifies the controls relevant to the business and explains why those controls have been selected to treat the identified risks.

The SoA defines how the information security programme will be implemented and is the link between the risk assessment and the implementation of the information security processes. The SoA explains which of the suggested 114 controls from Annex A will be applied and justifies any excluded controls.

Risk Assessment – A risk assessment combines two techniques: a risk analysis and a risk evaluation.

Risk Analysis – Uses information to identify possible sources of risk. It uses information to identify threats or events that have a harmful or detrimental impact. It then estimates the risk by asking: what is the probability of that event occurring, and what impact would it have if it occurred?

Risk Evaluation – Compares the estimated risk with a set of risk criteria. This is done to determine how significant the risk really is.

Risk Acceptance – Is part of the Risk Treatment decision-making process, meaning the risk is acceptable given that certain controls are in place or the risk has been mitigated in some other way.

Controls – In the context of information security management, a control is any administrative, managerial, technical, or legal method that is used to modify or manage information security risk. Controls can include things such as practices, processes, policies and organisation structures. Controls are sometimes referred to as safeguards or countermeasures.

Information Security Management System (ISMS) – Includes all of the policies, procedures, documents, records, plans, guidelines, agreements, contracts, processes, practices, methods, activities, roles, responsibilities, relationships, tools, techniques, technologies, resources and structures that are used to protect and preserve information, to manage and control information security risks and to achieve business objectives.
Missing the Linq, 9 Farncombe Lane, Oakwood, Derby DE21 2AY. Registered in England and Wales No. 9832076
WEB: www.missingthelinq.com  EMAIL: [email protected]