Who will be involved in implementing ISO 27001?

What is ISO 27001?

ISO/IEC 27001:2013 – to give the current international version its full reference – commonly referred to as ISO 27001, is the internationally recognised standard specification for an Information Security Management System (ISMS).

ISO 27001 is part of a family of standards in the ISO 27k range, covering a wide range of information and cybersecurity topics and compliance guidance.

The ISO 27k family is itself part of a broader family of management system standards based on the ISO/IEC Directives Part 1 (11th Edition 2020) Annex SL, which defines a common Management System framework.

It’s designed to enable a risk-focused business management system supporting the protection of information assets in any form – e.g. within IT systems, on hard-copy or digital media, and even within people’s heads. It’s not intended to be used as a technical security standard.
The standard contains:

• The mandatory “requirements “(often known as the “management system clauses”) that follow the ISO Directives Part 1 Annex SL framework; and
• Annex A – an example set of risk-selectable controls typically used to help reduce risks to a tolerable level.

Find out more about the core requirements of the ISO 27001 and the Annex A controls you may choose to implement here.

Why is ISO 27001 important?

All organisations create, manage, and distribute information, and all information has a value. Implementing an internationally recognised information security management system will help protect the value and give significant business benefit and return on investment.

Such benefits might include:

• The ability to operate in regulated markets that demand demonstrable information security.
• The opportunity to use accredited certification as a critical differentiator in winning new business.
• The reduction in operational overheads by focusing on security controls where they are genuinely needed to reduce critical risks and streamlining information security management processes.
• The reduction in costs associated with responding to information and cybersecurity incidents.
• More easily demonstrable compliance with legislation and regulation and the reduction of potential penalties for breaches of such.

What roles are required for implementing ISO 27001 Information Security Management System?

Whilst ISO 27001 doesn’t specify required roles; several fundamental responsibilities will need to be assigned to ensure that the ISMS aligns with your organisation’s culture and nature and its business operations and successfully manages information risks to a tolerable level.

The term “stakeholders” means different things to different people, and often you will hear about primary, secondary, and even tertiary stakeholders, direct and indirect stakeholders. The ISO management systems standards do not talk about stakeholders, but rather “interested parties”, but this doesn’t mean that you won’t have internal stakeholders for the ISMS.

Primary Stakeholders

As ISO 27001 is a business management system standard first and foremost, your primary stakeholders must sit at the most senior management level – this is about protecting your business after all!

You, primary stakeholders, are likely to include:

• “C” or Executive Board-level representation and sponsor.
• Senior risk stakeholder – possibly a Senior Information Risk Officer (SIRO) or similar role responsible for overseeing all business risk, of which information risk forms a part.
• An individual or team responsible for the ISMS – possibly a Chief Information Security Officer (CISO), Information Security Manager (ISM) or similar, that fits into your organisation’s culture and terminology and its existing structure.
• A “lead implementer” or similar nominated resource responsible for managing the implementation of the ISMS.

Secondary Stakeholders

Secondary stakeholders will be those who will be responsible for some part of the ISMS. This will include subject matter representatives from across the organisation and possibly its partners and even suppliers.

The list of secondary stakeholders will be determined by the size and nature of your organisation, but might include:

• Information and cybersecurity specialists relevant to your organisation’s operations.
• IT security and technical resource.
• HR representation.
• Physical security representation – possibly “Facilities” or similar
• Legal & compliance representation
• Internal audit
• Representatives from business departments responsible for your critical business processes – the ISMS needs to work with these, not become a blocker. So engaging business managers across the organisation will be fundamental in achieving this.
• Representatives from suppliers or partners who have access to the organisation’s information.

Lead implementer role defined

The “Lead Implementer” role is the individual responsible for overseeing the ISMS implementation and as such needs to be someone with the knowledge and competence required for the task.

They will need to understand the ISO 27001 standard and associated guidance standards from the same family. They will also need to know the key processes for implementing, operating, monitoring, and improving the ISMS to ensure the ISMS is efficient and effective.

Traditionally, this is either “bought-in” in the form of a specialist consultant or “bred-in” by sending one or more existing staff members on an ISO 27001 lead implementer training course. Both of these usually are expensive options.

The ISMS.online platform provides several tools that help fill the knowledge and competence gap that help reduce or eliminate the need for such expense. These include:

• Our actionable content – documented policies and controls that you can easily adopt, adapt, or add to, and that means you may have up to 77% of the documentation you need from day 1.
• Our “Assured Results Method” (ARM) – which is a subject matter expert crafted roadmap that leads you through the implementation of your ISMS logically and efficiently.
• Pre-built tools – such as our risk register which includes:
  • A sample bank of over 100 common information security risks,
  • Our interested parties map,
  • Our tracks for managing incidents, corrective actions, and improvements,
  • And our legal and regulatory register, which contains typically relevant legislation and regulation.
• Our “Virtual Coach” – an optional extra that provides expert advice and guidance through content-linked contextual video, audio, and textual explainers.

Find out how our more about how ISMS.onlines simplified, secure and sustainable platform can fit for your needs here.

Top Management

“Everything starts at the top” – ISO 27001 is first and foremost a business management system designed to manage the protection of an organisations information assets and reduce information risks to a tolerable level.

Without support from top level management, it is unlikely that the implementation and operation of the ISMS will be successful, efficient, or effective.

ISO 27001 defines some fundamental clauses that are the responsibility of senior management, including:

• 5.1 Leadership and commitment – Top management commitment to the integration of information security within the organisation and its processes
• 7 Support – provision of sufficient and competent resource for the ISMS
• 9.3 Management review – a commitment for the senior management to review on at least an annual basis, the effectiveness of the ISMS

Information Security / Governance Staff

Fundamental to the successful implementation and operation of the ISMS will be the information security and governance staff tasked with the ISMS’s overall management and its components.

These are usually staff whose primary role is focused on information security and governance. However, if your organisation is small, this is likely to be one person who has another day job as well.

The ISMS.online platform can help provide the knowledge, competence, and confidence where expert level resources are not available and ensure that the ISMS does not become a burdensome overhead.

IT department or supplier(s)

As much information is stored, processed, and transmitted on or through IT systems, networks and applications, there will be a need to ensure that appropriate interaction with IT departments and/or suppliers are built into the ISMS at an early stage.

Many of the controls that will be implemented to protect your information assets will be technical controls designed, developed, implemented, and operated by your IT department or suppliers.

Managing the expectations and division of responsibilities for the technical aspects of information and cybersecurity will be critical to the ISMS’s success.

Internal Auditor(s)

ISO 27001, as with all of the ISO management system standards, requires an organisation to have a programme of internal audits to verify the effective operation of the ISMS and its ability to reduce information risks to a tolerable level.

At a minimum, the ISMS management clauses (4-10) must be audited annually, and Annex A controls audited within the certification period (3 years for UKAS accredited certifications).

The selection of internal auditors must ensure objectivity – that is you can’t audit your own work – and competence – the auditor must have the knowledge and competence to conduct the audit.

Our Virtual Coach service comes prebuilt with everything you need to know about internal audits or read our simplified guide to ISO 27001:2013 Internal Audits with guidance and ideas on how you can achieve your goal.

Data Protection Officer

The Data Protection Officer is typically responsible for ensuring the appropriate management, use, and protection of personally identifiable information (PII) within the organisation. Such information will relate to an organisation’s staff, and often to that of its customers.

This responsibility clearly includes ensuring that adequate information and cybersecurity controls and processes are in place to protect this type of information.

The Data Protection Officer role is not specified or mandated within ISO 27001, however, other relevant legislation and regulation such as the UK Data Protection Act (2018) and the General Data Protection Regulation (GDPR) do require a role of this nature. Additionally, compliance and other controls within ISO 27001 strongly imply the need for such a role.

Who will audit our ISMS for ISO 27001 certification?

If you are looking to achieve recognised and respected certification for your ISMS – necessary to gain the maximum benefit from it – you will need to engage an ISO 27001 accredited certification body to carry out the required audits for certification.

What are ISO 27001 certification bodies?

The certification bodies provide auditors with the skills, knowledge, and competence to conduct the certification audits and ensure that certifications are accredited to a consistent level.

Such organisations are usually listed on the website of the territorial accreditation body. In the UK, the accreditation body is the United Kingdom Accreditation Service (UKAS), and they oversee the accredited certification bodies within the UK.

How long will it take to build the ISMS?

As with any significant project, the time taken will depend upon what needs to be done and the capacity and competence of the resources made available to do it.

For ISO 27001, the “what needs to be done” is well-defined within the standard, and the resources made available will be determined by your organisation.

Typically, for a small to medium-sized organisation with some pre-existing policies and controls, building an ISMS can take anywhere from 6 months to a year (dependant on resource levels). Sometimes, it is even longer if available resources are having to split their time across other jobs. A 150-day (full-time equivalent) project is quite common.

The ISMS.online platform can help significantly reduce your resource levels. Depending on how much of the actionable content you can adopt or easily adapt, the building of your ISMS can be reduced by as much as 75% or 80%. Some customers can go from a standing start to being ready to begin the certification audit process within 6 weeks.

How long will it take to get ISO 27001 certification?

Once your ISMS is built, the certification audit process occurs in two stages with an elapsed timeframe of 2 months being commonplace. Typically the two-stage process is:

• Stage 1 Audit – ISMS Documentation review
• Corrective action period – usually 4-6 weeks between the two stages to allow for an organisation to take any corrective actions arising from the Stage 1 Audit
• Stage 2 Audit – Evidential “certification” audit
• Certification and accreditation body review – typically 2-4 weeks. The certification body will peer review the audit internally and submit the audit to UKAS who may optionally sample the audit for review.

How do I choose a Certification Body?

Many factors will influence your choice of certification body.

The most important of these will be ensuring that the certification body is accredited. It is possible to gain non-accredited certification. However, this will have limited integrity and value. We strongly recommend that you do not go down this route.

If you already hold other certifications, such as:

• ISO 9001 (quality management)
• ISO 14001 (environmental management)
• ISO 45001 (occupational health and safety management)*

You will probably approach your existing certification body first to see if they are also accredited for ISO 27001.

*note – if you already have certifications to other management system standards, you may benefit from integrating these into a single “Integrated Management System” – and the ISMS.online platform can help achieve this.

What resources will I need for ISO 27001 implementation?

We have identified above several roles that will be involved in implementing your ISMS, but essentially you will need:

• Competent resource (such as a lead implementer) – with the knowledge of the standard – the ISMS.online platform can provide much of the required competence through its pre-built content and tools.
• Capacity of other resources – such as subject matter representatives from IT, Legal, Facilities, Senior Management, and business departments.

It is an essential part of your ISMS implementation planning that you consider the competence, capacity, confidence, and discipline requirements of your resources if you wish to achieve successful, efficient, and effective implementation in a reasonable timeframe.

Assuming we get certification, what resources will we need for maintenance?

A certified ISMS is a continuing journey, not a destination. As such, it will require a certain resource level to maintain it. The more an ISMS is integrated into the organisation’s day-to-day processes, and the more federated the responsibility is, the less overhead it will be.

Beyond the integrated control aspects of the ISMS, you will need to ensure that the critical processes of the ISMS are operated:

• Risk management – regular review of risks to ensure treatments remain adequate and proportionate.
• Internal audit – the ongoing operation of an internal audit programme covering the entire standard, at minimum, within the certification period (3 years for a UKAS accredited certification), and more frequently audits those areas of essential operation or risk.

• Management Review – a top-level management review of the ISMS on at least an annual basis to ensure the efficiency and effectiveness of the ISMS in achieving the business-led objectives set for information security.
• Corrective action and continual improvement – processes to ensure that the ISMS continually improves over time and nonconformities are corrected in a reasonable timeframe.

What will we need to do when the standard is updated?

This will depend on the nature of the update. All ISO management system standards are viewed and updated periodically.

If the standard is found to be largely appropriate, then it may be that only minor updates are made to the wording.

However, sometimes the standard is re-worked for some reason. This results in a major update that may require a “transition” audit from one version of the standard to the new one.

The last time a major restructure of ISO 27001 occurred was in 2013 (the change from the 2005 version to the 2013 version). As this was a major overhaul, there was a 2-year transition period granted to organisations.

Because such a change can create large amounts of work and cost for many organisations, ISO tries to avoid such significant changes wherever possible.

Whatever the updates are, your certification body should let you know what you need to do.

Rest assured, we will update the ISMS.online platform to reflect the standard’s current version whenever this happens.

What if my business changes the products/services we offer?

Depending on how significant the changes are, you may require an extraordinary audit by the certification body to ensure that your certification covers the new products and services within the ISMS scope.

However, it is common that the certification body will combine this audit with a periodic surveillance audit or at your next recertification audit.

It is important to note that your new products or services may not be covered by your existing certification until confirmation from the certification body has been given.

What if we open a new office in a foreign country?

As with changes to products/services above, you will likely require some level of additional audit from your certification body to verify that your operations in the new country are covered within the scope of the certification.

One crucial factor to consider for extending your ISO 27001 to include operations in new countries is that there will almost certainly be different information security legislation and regulation to consider.

Which department should ‘own’ the ISMS?

There is no right or wrong answer to this question, and it will be entirely dependent on the structure of your organisation and its culture. However, there are some key points to consider:

• ISO 27001 is a business management system standard – so it may be best to place ownership in a cross-business department such as Risk or Compliance.
• Ownership could be placed within IT. However, this can often lead to information security, becoming an IT-only issue and may miss the standard’s business-led aspects.
• The ISMS could be placed within an “Information Security” specific department, however, this can tend to lead to the activity being “siloed”, interacting poorly with the broader business or being seen as a “policing” structure which quickly becomes seen as a blocker rather than an enabler.

One good way that can work for many organisations is for the ownership to be at the organisation’s top level. The ISMS operation can be federated across the organisation but coordinated by a lead resource, such as a CISO or information security manager.

How can ISMS.online help me implement ISO 27001 faster?

By de-mystifying ISO 27001 and the approach to implementing an ISMS, the ISMS.online platform can accelerate your implementation by focusing your efforts in the right place at the right time.

Additionally, by providing an all-in-one-place ISMS solution, considerable time can be saved by not having to search around for multiple tools, set up complex documentation repositories, and implement new processes – these are all right then in the box from day 1.

The ISMS.online platform can help to significantly reduce to the time required to implement an ISMS by providing you with everything you need to achieve ISO 27001 certification first time.

How does ISMS.online make implement ISO 27001 easier?

The ISMS.online platform de-mystifies ISO 27001 and implements and operates an ISO 27001 compliant and certified ISMS. With these and contextualised information in the right place, the ISMS.online platform will help you to easily adopt, adapt, or add to our sample content, and make your journey to certification much easier.