10 Steps To Implement ISMS

Vitalii Susukailo
6 min read · Feb 3, 2021

I found it useful to write this article for those who are going to build an ISMS. When I did it the first time, I was scared that I could fail because I felt that I was too young and did not have enough expertise; however, I had management support, experienced advisors, and thirdly, without doubt, I can say that I worked with experts in their fields. Those three aspects were my whales holding a turtle named ISMS. Honestly, I always believed that it’s easy to achieve incredible results with real professionals, and in a year, we had a certified ISMS.

Based on my experience, I’d like to highlight ten things that can help build an ISMS, and I hope they will be useful for you.

Step 1. Get the necessary knowledge!

The most important thing when you are going to build an ISMS is to have the necessary knowledge. There are many free and paid courses which can help you get the information you need to implement an ISMS. I started by searching for ISO 27001:2013 Lead Implementer training and selected the option that looked best for me. It is essential to analyze the training program and decide which format would be better for you: an online live session with an instructor, or recorded training which you can take at any time that is comfortable for you. Finally, choose only training delivered by an experienced and highly skilled instructor. That’s why I won’t recommend any specific course, but I’d like to highlight that it is a good idea to take some ISO 27001 implementation training, free or paid, before starting the ISMS implementation.

Step 2. Conduct Gap Assessment.

When you have the necessary knowledge, you will still be confused about how to start. I did a little research on how I should start. The most common answer was to perform a security audit or at least a gap assessment, which helps evaluate the organization’s current security state and define which controls the organization has already established. It’s essential to prepare for the audit, so do not hesitate to create an audit or gap assessment plan. The following questions helped me conduct an efficient gap assessment:

  • What should be included in the audit scope?
  • Do I need to involve any subject matter experts, or do I have the necessary expertise?
  • What should I use for audit criteria?
  • Whom should I invite?
  • When to set up interviews?
  • How will I collect evidence?
  • Which audit methods will I use?

The answers to those questions should be specified in your plan (if you are not sure about the right answer, ask your manager or colleagues; they will help you). Also, you need to be acquainted with the company mission, vision, organizational structure, business models, and infrastructure before the gap assessment, so request this information in advance and do not miss the chance to review it.

I would recommend having a questionnaire or using existing gap analysis tools to ensure that all ISO requirements and controls will be covered. To perform a detailed audit, you can create a checklist based on ISO 27002. As a gap analysis tool, I would suggest using the Free ISO 27001 Gap Analysis Tool created by Advisera.

Step 3. Create an ISMS Implementation Project Plan and Roadmap

Based on the gap assessment results, you’ll need to define corrective actions. If you used ISO 27001/2 as the gap assessment criteria, the best approach would be to use any task management solution you are comfortable with to track progress on the implementation of those corrective actions. Assign tasks to responsible persons, define deadlines, and create alerts for any task updates; this helps you track progress and manage the implementation of corrective actions.

I would recommend establishing an ISMS committee and periodic committee meetings during this step. For the kick-off committee meeting, you can prepare the following artifacts:

  • Gap Assessment Report;
  • ISMS Implementation Project Plan;
  • ISMS Implementation Roadmap.

I’m adding a roadmap that I created for this article, but you can find many publicly shared and more detailed roadmaps to draw on when building your own. To make my own ISMS implementation project plan, I used this toolkit.

Step 4. Create an Information Security Policy

It’s essential to create an Information Security Policy that meets business objectives. The Information Security Policy is the ISMS’s main document: it defines the scope, objectives, responsibilities, and the framework for improving information security, so you’ll need to work with the management team to ensure that the policy meets their expectations and requirements for the ISMS.

To evaluate the ISMS’s effectiveness and the achievement of its objectives, I highly recommend establishing KPIs with the management team. I’ll leave you Jose Samuel’s article Cyber Security — Key Performance Indicators, which, in my opinion, provides clear and detailed information security KPIs that can be used for an ISMS.

Step 5. Conduct Risk Assessment

I think that the most critical task during ISMS implementation is the Risk Assessment. If the risk management process is new to you or you are not familiar with it, refer to the NIST Risk Management Framework and ISO 27005. Those two documents helped me a lot to build the Risk Management process.

Once you have an inventory of all corporate assets, you can start the risk assessment process. I’m adding a simple diagram which shows the main steps you should include in your risk management framework.

I’m also adding the recommendations from my advisors that helped me create my risk management approach, and I hope they can help you as well:

  1. Try to make risk management as realistic as possible and focus on your organization’s business model.
  2. Define only risks that actually apply to your type of business.
  3. Work with senior management on the impact and probability criteria.
  4. Automate the risk management process. Create worksheets with automated calculations or use an external risk management application.
  5. Map your controls to some recognized framework, for instance, ISO 27002.
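As an added example that is not from the original article, here is a small Python risk-register worksheet in the spirit of recommendations 3, 4 and 5 above: impact and probability criteria are fixed scales, the score, band and treatment decision are calculated automatically, and each risk records the ISO 27002 controls it relies on. The 1–5 scales, the score bands, the acceptance threshold, the sample risks and the control-to-risk mapping are all constructed assumptions, not values from the article; the control identifiers follow the ISO 27001:2013 Annex A numbering.

```python
"""Minimal risk-register worksheet (added example, constructed data).

Scores each risk on agreed 1-5 impact/likelihood criteria, derives inherent
and residual scores, decides accept/treat against an acceptance threshold and
reports which ISO 27002 controls the register relies on.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed 1-5 criteria, the kind you would agree with senior management.
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}

# Assumed bands for the 5x5 matrix (scores 1-25) and an assumed acceptance threshold.
BANDS = [(1, 4, "Low"), (5, 9, "Medium"), (10, 15, "High"), (16, 25, "Critical")]
ACCEPTANCE_THRESHOLD = 9  # residual score above this must be treated


@dataclass
class Risk:
    rid: str
    asset: str
    scenario: str
    impact: int
    likelihood: int
    controls: List[str] = field(default_factory=list)  # ISO 27001:2013 Annex A ids
    residual_impact: Optional[int] = None              # None = no control applied yet
    residual_likelihood: Optional[int] = None


def score(impact: int, likelihood: int) -> int:
    """Risk score on the agreed scales; rejects values outside the criteria."""
    if impact not in IMPACT or likelihood not in LIKELIHOOD:
        raise ValueError("impact and likelihood must be on the agreed 1-5 scales")
    return impact * likelihood


def band(s: int) -> str:
    for lo, hi, name in BANDS:
        if lo <= s <= hi:
            return name
    raise ValueError(f"score {s} is outside the 5x5 matrix")


def assess(risk: Risk) -> Dict[str, object]:
    """One worksheet row: inherent and residual scores plus the treatment decision."""
    inherent = score(risk.impact, risk.likelihood)
    ri = risk.impact if risk.residual_impact is None else risk.residual_impact
    rl = risk.likelihood if risk.residual_likelihood is None else risk.residual_likelihood
    residual = score(ri, rl)
    if residual > inherent:
        # A control cannot make a risk worse; this usually means a data-entry error.
        raise ValueError(f"{risk.rid}: residual risk cannot exceed inherent risk")
    decision = "treat" if residual > ACCEPTANCE_THRESHOLD else "accept"
    return {"id": risk.rid, "asset": risk.asset, "scenario": risk.scenario,
            "inherent": inherent, "inherent_band": band(inherent),
            "residual": residual, "residual_band": band(residual),
            "controls": ";".join(risk.controls), "decision": decision}


def treatment_plan(register: List[Risk]) -> List[Dict[str, object]]:
    """Rows that still need treatment first, highest residual score first."""
    rows = [assess(r) for r in register]
    return sorted(rows, key=lambda r: (r["decision"] != "treat", -int(r["residual"])))


def control_coverage(register: List[Risk]) -> Dict[str, List[str]]:
    """Map each referenced ISO 27002 control to the risks that rely on it."""
    cov: Dict[str, List[str]] = {}
    for r in register:
        for c in r.controls:
            cov.setdefault(c, []).append(r.rid)
    return cov


def to_csv(rows: List[Dict[str, object]]) -> str:
    """Render the worksheet as CSV so it can be opened in a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample register; the scenarios, scores and control mapping are illustrative.
SAMPLE_REGISTER = [
    Risk("R-01", "Customer database", "Ransomware encrypts production data", 5, 4,
         ["A.12.3.1", "A.12.2.1"], residual_impact=3, residual_likelihood=2),
    Risk("R-02", "Admin accounts", "Stolen privileged credentials", 5, 3,
         ["A.9.2.3", "A.9.4.2"], residual_impact=4, residual_likelihood=3),
    Risk("R-03", "Office Wi-Fi", "Guest network reaches internal segment", 2, 3),
]

if __name__ == "__main__":
    print(to_csv(treatment_plan(SAMPLE_REGISTER)))
    for ctrl, rids in sorted(control_coverage(SAMPLE_REGISTER).items()):
        print(ctrl, "->", ", ".join(rids))
```

In the sample register, R-02 stays above the threshold after its controls (residual 12, High) and is listed first for treatment, while R-01 drops from Critical to Medium and R-03 was never above the threshold; the coverage map shows which controls you would have to evidence for the auditor because a risk decision depends on them.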

Step 6. Establish Controls

Now it’s time to work on the controls defined during the risk assessment and gap assessment. ISO 27001 and 27002 will help you establish best-in-class administrative security controls. For the technical controls, I found a great article on open-source security controls published by Andrian Grigirof, where he describes the best open-source security tools.

Step 7. Document Processes

Step 7 goes in parallel with step 6. While you are establishing controls, you need to document everything. If your organization provides document templates, you can use those. If not, do not hesitate to use documentation toolkits. The best document templates that I found can be downloaded from:

Step 8. Improve Security Awareness Level.

It’s essential to improve the security awareness level. I recommend creating an awareness program in which you consolidate all your awareness activities. These can include onboarding training, information security quizzes, security bulletins, etc.

You can also follow the standard approach and hold a Cybersecurity Month in October. During this month, you can share interesting information security articles and trends, or conduct workshops and training.

Step 9. Conduct Internal Verification and Gather Feedback from Your Colleagues

The effectiveness and performance of every management system should be evaluated from time to time, and the information security management system is no exception. You need to monitor and measure the ISMS regularly; this is an essential part of ISMS implementation and improvement, and it needs to be controlled. Evaluate how well your ISMS is achieving its KPIs and objectives. If some KPIs or objectives are not being achieved, it’s time to review the weak process and improve it. You should also regularly check your information security goals to ensure that they are still relevant for your organization and that you are achieving them. Otherwise, you’ll need to define new objectives to keep improving the ISMS continuously.

Similar to the gap assessment, you need to conduct an internal audit. This time, however, you need to select auditors and run the audit in a way that ensures the objectivity and impartiality of the audit process. This will help you evaluate ISMS progress periodically and prepare you for external audits.

One more thing that I recommend doing to evaluate the ISMS’s effectiveness is to gather anonymous feedback from your colleagues, to learn what they think about the information security processes within your organization.

Step 10. Conduct External Audit (Optional)

If you have completed all the steps mentioned above, your ISMS is ready for an external audit. Select the Accredited Body — the organization which will perform the certification audit. Be prepared to manage the certification process and work with the findings. And don’t worry! Fingers crossed :)

The certification itself provides many benefits for your organization, such as improved customer confidence, increased business resilience, and alignment with customer requirements. So I highly recommend reviewing the certification as an option that can improve your collaboration with customers.


Vitalii Susukailo

An InfoSec guy experienced in Information security management, secure software development and security operations.