Steps for Implementing ISO 27001
In providing guidance on the planning and decision-making processes associated with ISO 27001 implementation, ISACA® Journal volume 4 author Charu Pelnekar, CISA, CISM, ACA, AICWA, BCOM, CISSP, CPA, MCSE, QSA, offered the following steps to implement ISO/IEC 27001:2005, Information technology—Security techniques—Information security management systems.
The steps:
- Identify business objectives.
- Obtain management support.
- Select the proper scope of implementation.
- Define a method of risk assessment.
- Prepare an inventory of information assets to protect, and rank assets according to risk classification based on the risk assessment.
- Manage the risk, and create a risk treatment plan.
- Set up policies and procedures to control risk.
- Allocate resources, and train the staff.
- Monitor the implementation of the information security management system.
- Prepare for the certification audit.
- Conduct periodic reassessment audits.
Read Pelnekar’s full article, “Planning for and Implementing ISO 27001,” in the current issue of the ISACA Journal, in which you will also find additional coverage of timely and relevant issues affecting the ISACA® professional communities.
