Nine Steps to Success: An ISO 27001 Implementation Overview

Table of contents

1. Copyright
2. About the author
3. Introduction
4. 1. Initial Approach
   1. Information risk and regulatory risk
   2. The ‘fear list’
   3. ISO 27001/ISO 17799
      1. Background to the standard
      2. ISO/IEC 17799
      3. Links to other standards
5. 2. Management Support
   1. Strategic alignment
   2. Prioritization and endorsement
   3. Change management
   4. The CEO’s role
      1. The CEO’s commitment
   5. Senior management support
6. 3. Scoping
   1. Endpoint security
   2. Defining boundaries
   3. Phased approach
   4. Network mapping
   5. Cutting corners
7. 4. Planning
   1. Structured approach to implementation
      1. Plan
      2. Do
      3. Check
      4. Act
   2. Integration with existing security management systems
      1. Gap Analysis
   3. Quality system integration
   4. Project management
      1. Project team chair
   5. Project plan
   6. Costs and project monitoring
   7. Consultants
   8. Information security manager
      1. Specialist information security advice
      2. Functional specialists
8. 5. Communication
   1. Staff buy-in
   2. Information security policy
9. 6. Risk Assessment
   1. Introduction to risk management
   2. Risk assessment
      1. Who conducts the risk assessment?
      2. Risk analysis
      3. Threats
      4. Vulnerabilities
      5. Impacts
   3. Controls
   4. Risk assessment tools
10. 7. Control Selection
    1. Nature of controls
    2. Control selection criteria
    3. Statement of Applicability
11. 8. Documentation
    1. Four levels of documentation
    2. Documentation approaches
       1. Trial and error
       2. External expertise
       3. Third party Documentation Toolkit plus guidance
12. 9. Testing
13. 10. Successful Certification
14. Useful Websites
    1. Governance
    2. Information Security