ISO 27001

Ten Top Tips for ISO27001

Ten Essential Steps for Developing an Effective Information Security Management System and Policies Aligned with ISO27001

In today’s business world, cyber security protection against the ever-present threat of attacks is crucial. What can you do to demonstrate your commitment to data security to your customers, staff, and suppliers? One option is to obtain certification in a relevant standard such as ISO27001.

At first glance, ISO27001 certification can seem daunting, but it isn’t. Like any standards-based project, planning is critical to understanding what actions are required. ISO27001 aims to protect a business and its information by ensuring that it is confidential, integral, and available to authorised users; it is flexible enough to allow for tailoring to individual businesses.

At Business Defence Systems, we have developed a list of ten critical activities aligned with ISO27001 principles that are fundamental to understanding your ISMS needs, design, and implementation.

  • Build an asset register.

It seems simple, but at the outset, it pays to ensure that you capture your entire IT and information estate. This includes more than the physical; it needs to include any data sets.

  • Develop a list of interested parties and their needs.

This includes you and your staff, any contractual agreements (data processing needs), regulatory requirements (GDPR, PECR, PCI DSS, etc.), and even criminals and their intentions.

  • Define the scope and boundaries of the information security management system.

This activity allows you to prescribe what is within or outside the scope of your ISMS and, therefore, what you need to consider in the next step.

  • Identify and classify the relative risks of all information and data sets.

This step builds a significant body of knowledge about your business’s risks and their likelihood and impact. At this stage, we recommend documenting the treatment you will apply to mitigate each risk.

  • Develop policies to establish standard operating practices to achieve goals.

Your policies establish a framework for your organisation’s actions and decision-making, establishing a set of rules, expectations, guidelines, classifications, and measures for your behaviour.

  • Identify and implement “comprehensive and appropriate” security controls for datasets and infrastructure to attain goals.

At this stage, you are ready to examine and select technologies and products that can be implemented as controls to eliminate or restrict the identified risks to the standards you have set out in your policies.

  • Test the effectiveness of security controls.

Once you have implemented your controls, you must test and monitor their effectiveness in detecting, alerting and preventing threats from accessing your systems and information.

  • Document processes, results and lessons learned.

As you develop your ISMS, it’s best practice to document your processes and procedures and the results you achieved. This will act as a baseline for the future as you start to monitor whether everything is working as you set out.

  • Maintain, monitor and update controls to sustain OGSM goals.

It’s not over now that you’ve built out your ISMS. Attack vectors will change, and your system’s ability to recognise and adapt to new threats is a key principle behind ISO27001. Setting out your auditing timetable with clear objectives, goals, strategies, and metrics (OGSM) will ensure you keep on top of developments and prevent any threat from succeeding.

  • Download our template kit.

Download our kit of ISO 27001 templates to assist you in conducting risk assessments, identifying treatments, and developing your needs, requirements, classifications, and behaviours.