© Abhishek Chopra, Mukund Chaudhary 2020
A. Chopra and M. Chaudhary, Implementing an Information Security Management System, https://doi.org/10.1007/978-1-4842-5413-4_3

3. Project Kick-Off

Abhishek Chopra (1) and Mukund Chaudhary (2)
(1) Faridabad, Haryana, India
(2) Noida, India

If I had six hours to chop down a tree, I’d spend the first four hours sharpening the axe.

—Abraham Lincoln

In the previous chapter, you learned about setting the scope and timeline of your implementation. The next essential step is to formally kick off the ISMS implementation project in your organization. The kick-off communicates to all key stakeholders, interested parties, and employees that information security practices will be implemented and rolled out throughout the organization. Every employee has a duty to adhere to the resulting policies, and every department needs to provide support to make the implementation successful.

When you formally start a project, the kick-off is the first important activity to hold with the project stakeholders. This chapter explains how to conduct the ISO 27001 implementation kick-off with stakeholders, how to get stakeholder and team commitment on the project, how to set the timeline, and how to create the project taskforce.

This chapter covers:
  • Presenting the high-level plan

  • Setting up the project taskforce

  • Getting commitment from stakeholders

We started this chapter with the famous quote attributed to Abraham Lincoln, "If I had six hours to chop down a tree, I'd spend the first four hours sharpening the axe."

The point is that most of your time should go into preparing for a task. Planning is the single most important step of an ISO 27001 implementation project, and the kick-off is where that planning is shared with everyone who has to act on it.

Presenting a High-Level Plan

When you present the high-level plan, it is advisable to invite all the stakeholders and to agree on the high-level direction for information security. This involves:
  • Setting up roles and responsibilities

  • Defining rules for continual improvement

  • Raising awareness of the team by providing them with regular training and communication

So, how do you initiate a kick-off? The CISO (Chief Information Security Officer) or an equivalent person with the necessary authority must organize the kick-off meeting and invite all the key stakeholders associated with, or working with, the information security department. Often stakeholders are not aware of their role in the implementation simply because a kick-off meeting was never held. The project's importance then fades over time, the expected result becomes difficult to achieve, and the timeline gets extended.

Once all the key stakeholders are present, it is very important to communicate expectations clearly. The kick-off is also where you should gather input, in particular the risks, issues, and constraints that you will need to overcome during implementation. Record these in the project's risk and issue log, and have the information security implementation team track and resolve them as early as possible.

Tip

It is critical that all stakeholders agree to the timeline, because they must give time to the project team on top of their day-to-day tasks.

Figure 3-1 shows a high-level timeframe example. It should give you an overall idea about the tasks and activities that need to be completed and implemented.
Figure 3-1. High-level timelines (image not reproduced here)

Here are typical activities covered when implementing an ISMS, in roughly the order they occur:
  • Scope

  • Risk assessment

  • Risk treatment

  • Defining policies and procedures

  • Awareness or training sessions

  • Controls implementation

  • Internal audit

  • Closure of audit gaps

  • Stage 1 audit (external)

  • Stage 2 audit (external)

This is not an exhaustive list; there may be other activities, depending on your organization. The duration of each task also varies from one organization to another, because the required skills and the scope of work differ. The implementation team must keep these factors in mind before asking stakeholders to commit to a timeline.

Setting Up the Project Taskforce

We all know that projects are not successful without the support of team members. Hence, it is very important to set up a taskforce to implement ISO 27001.

The project team should be selected based on the scope of the ISMS. For example, if you are implementing ISO 27001 across multiple locations of your organization, the scope is large and a single team cannot realistically work at every location. It is better to select teams geographically, according to where the actual implementation and audit will take place. Conversely, if you are implementing the ISMS at a single location and the scope is limited to one division or branch, the scope is small and the team can be correspondingly smaller.

In short, the taskforce setup depends on the scope of the ISMS, the resource availability of the organization, and the skills of the people. The standard does not prescribe particular people or job titles to implement the ISMS (it requires only that responsibilities and authorities be assigned and communicated, as discussed under "Getting Commitment" later in this chapter). It is good practice to have a few key people supervise the implementation together with the management team.

Setting up the taskforce early in the planning and implementation stages leads to better results. The team can then take part in the kick-off meetings, which builds their confidence as a team and gives them the chance to get to know each other.

Administration Department

The administration department can act as the SPOC (single point of contact) for managing and implementing the physical, operational, and facility-related aspects of the ISMS. It can ensure that guidelines, procedures, and policies are acknowledged across the organization in line with the ISO 27001 requirements. The authority and responsibility of this role are defined by the organization.

Chief Information Security Officer (CISO)

The Chief Information Security Officer is primarily responsible for preparing, maintaining, and communicating the information security policies and procedures within the organization.

This person is the administrative head of security. The CISO is responsible for security awareness and serves as the focal point for deciding all security issues. Key responsibilities of the CISO include:
  • Lead the information security initiative and the information-security related activities.

  • Prepare security guidelines for the information security management team.

  • Maintain the ISMS, establish the security risk assessment process, and review the risk assessment reports and status. The next chapter discusses risk assessment in detail.

  • Maintain the statement of applicability.

  • Monitor ongoing compliance with security standards in the organization.

  • Prepare the management- and information-security-related plans and procedures.

  • Ensure that team members are adequately trained on information security, including the physical security domain, in order to meet the requirements of ISO 27001.

  • Analyze the reports prepared by various support departments and take corrective action when required.

  • Plan and conduct information security internal audits and management reviews.

  • Ensure that corrective actions are taken against the issues raised during the internal or external audits.

  • Report on the performance of the ISMS to top management.

System Admin or IT Manager

This is one of the most important roles in the ISMS implementation. This person is responsible for maintaining the security of the organization's network and other information-processing facilities. This includes ensuring that all network resources are protected from unauthorized access, initiating corrective measures, and reporting security breaches or incidents. Key responsibilities of this role include, but are not limited to:
  • Implement the logical security measures over networking systems and ensure all networking resources are protected from unauthorized access.

  • Assess vulnerabilities in the current network and monitor the security of firewalls and routers.

  • Review network logs and incidents to ensure the security of network operating systems and devices.

  • Escalate any suspected unauthorized or illegal activity immediately to senior management and to the information security management team.

  • Evaluate and recommend new security products for implementation across the organization, and report their utility and benefits to the organization.

Information Security Management (ISM) Team

This team should have members from each department or function included in the information security scope. The ISM team is primarily responsible for incident reporting and response. The team may also participate in internal auditing and in business continuity and disaster recovery activities.

Human Resources Management

The human resources team is responsible for managing HR guidelines, procedures, and policies and for ensuring they are acknowledged across the organization in line with the ISO 27001 requirements. Key responsibilities of the HR team include:
  • Follow and comply with the HR-related requirements of the ISO 27001 framework (for example, the people controls covering screening, terms of employment, and awareness).

  • Distribute the ISO 27001-related documents to the appropriate personnel within the organization.

  • Act as the SPOC for ISO 27001 matters between the employees and management.

  • Ensure that training, development, and background verification and reference checks are completed for all employees.

These roles may carry more or less responsibility depending on the organization and the nature of its business. The team can be expanded or modified to suit the organization's needs.

Note

The titles of these roles may differ from those used in your organization; the titles in this book are for illustration only. Your titles may be similar or completely different, depending on the organization's needs and the nature of its business.

Getting Commitment

After conducting the kick-off and presenting the high-level plan to all the stakeholders, the next important step is to get commitment from all affected parties.

Commitment to achieve something new mostly comes from the top. Once you have management-level commitment, it is easier to get commitment from the people doing the work. As an example, say you have one highly skilled person in your organization, Henry, who you think can help with the ISO 27001 implementation. Henry is actively involved in another project and reports to a different manager. If you approach him without the proper management approval, chances are he will not work with you, because he has other priorities.

To get Henry onto your project, you need approval from his manager. Individual commitment, in turn, depends on whether management is visibly committed to the ISMS project.

To get the commitment and support of team members, define the roles and responsibilities of every team member clearly, and have them approved by top management.

If the management team is not supportive or involved, for instance if they take no interest and do not participate in management reviews, your initiative is unlikely to succeed.

During the ISO 27001 audit, management commitment is itself checked for compliance with the standard (the leadership requirements in Clause 5). If the auditor observes that management commitment is weak, they may conclude that the implementation is also weak, because teams without management support are unlikely to implement the requirements of the standard effectively.

A poor audit result is a showstopper from the organization's and the team's point of view, and audits do not happen every day, so the opportunity to act on the auditor's findings is limited. If the company is implementing the standard for the first time, it becomes especially important to learn and apply best practices before the audit rather than after it.

Thus, management commitment is the driving force behind every step you take to implement the ISMS and the ISO 27001 standard. The other stakeholders you need commitment from are those who are either involved in decision-making or are implementers.

Decision makers and implementers will spend most of their time implementing the ISMS, so getting their commitment is very important. It is equally important that the commitment levels of management and of the other stakeholders are balanced; if they are mismatched, the implementation and the overall results will suffer.

To manage these scenarios, the ISO 27001 standard includes Clause 5.3, "Organizational roles, responsibilities and authorities", which states that "top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated".

Top management shall assign the responsibility and authority for:
  • Ensuring that the information security management system conforms to the requirements of this international standard

  • Reporting on the performance of the information security management system to top management

Source: ISO/IEC 27001:2013 (second edition), Clause 5.3

Note

Top management may also assign responsibilities for reporting the performance of the information security management system within the organization.

Commitment to information security must therefore be driven from the top down, and kept in balance between management and the other stakeholders.

Let's consider how you can obtain this commitment using a commitment form. Presenting the form gives stakeholders the opportunity to understand the following key points:
  • ISO 27001 is a management framework; it focuses on the risks to the organization's processes.

  • Security controls can be IT-related, but they are mostly business oriented. IT is a tool for implementing security controls that meet the ISO 27001 requirements.

  • ISO 27001 is not an IT certification. It is a business certification, and protecting information is everyone's responsibility.

  • Risk management should be institutionalized as a practice throughout the organization. For this, a risk register has to be maintained.

  • The organization must put business continuity controls in place to ensure the continuity of its business services.

  • The organization must perform regular internal audits and plan for external audits on the three-year certification cycle, including the periodic surveillance audits between certification and recertification.

  • By signing the commitment form, every member acknowledges the effort required to implement the ISMS and ISO 27001.

The sample form has the following points:
  • Management is committed to the requirements of ISO 27001.

  • Members are aware of the ISO 27001 initiative and have agreed to work with the implementation team toward a successful ISMS implementation.

  • Management and staff commit to maintaining the security standards after the initial certification, to ensure continued compliance.

  • Management and staff commit to continually improving the organization's approach to information security.

These points should be stated on the commitment form that all affected parties sign, as shown in Figure 3-2.

Figure 3-2. Sample commitment signature format (image not reproduced here)

Summary

This chapter covered the high-level plan for implementing ISO 27001, how to set up the project taskforce that executes the project, and the roles and responsibilities of its members. You also learned why commitment from the team and from top management is essential before the project can properly begin.

The next chapter covers identifying information security risks. You will learn how to perform a risk assessment and report its results to stakeholders.
