Thursday, 14 April 2016

Implementing ISO 27001 - Part 2

Software development companies

Implementation Phases

An organization needs a detailed understanding of the PDCA implementation phases in order to manage the costs of the project. Software development companies adopt the PDCA cycle to implement international standards, and the cycle is consistent with all auditable international standards: ISO 18001, 9001 and 14001. ISO/IEC 27001:2005 gives the following PDCA steps for an organization to follow:
  • Define an ISMS policy.
  • Define the scope of the ISMS.
  • Perform a security risk assessment.
  • Manage the identified risk.
  • Select the controls to be implemented and applied.
  • Prepare an SOA.

Phase 5—Prepare an Inventory of Information Assets to Protect, and Rank the Assets According to the Risk Classification Based on the Risk Assessment

Companies such as software development companies need to create a list of the information assets to be protected. The following steps are suggested:
  • For each asset, classify the impact level for confidentiality, integrity and availability (CIA): high, medium or low.
  • Identify the risks to each asset, and classify them according to their severity and the vulnerability they exploit.
  • Once the risks and the CIA levels have been fully identified, assign values to the risks so that assets can be ranked.

Phase 6—Manage the Risks, and Create a Risk Treatment Plan

To control the impact associated with each risk, the organization must accept, avoid, transfer or reduce the risk to an acceptable level using risk-mitigating controls. The next stage is a gap analysis against the controls provided in the standard, which produces the risk treatment plan (RTP) and the statement of applicability (SOA); it is also important to obtain management approval of the proposed residual risks.
The RTP also provides:
  • The chosen risk treatment for each risk (accept, transfer, reduce, avoid)
  • Identification of the operational controls already in place and of the additional controls proposed as a result of the gap analysis
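The asset inventory of Phase 5 and the treatment plan of Phase 6 are usually kept as a risk register. The following Python script is an added example, not part of the original post: it scores each risk from the asset's CIA impact levels, ranks the register, applies the chosen treatment and lists the residual risks that still exceed the organization's risk appetite and therefore need management approval. The scoring formula (impact × severity × vulnerability, with the asset impact taken as its highest CIA level), the risk appetite of 8 and the sample assets and threats are all constructed assumptions; ISO/IEC 27001 leaves the scoring method to the organization.

```python
"""Risk register for ISMS Phases 5 and 6 (constructed example, assumed scoring rules)."""
from dataclasses import dataclass
from typing import List, Optional

# Ordinal values for the high/medium/low classification used in Phase 5.
LEVEL = {"low": 1, "medium": 2, "high": 3}
TREATMENTS = {"accept", "transfer", "reduce", "avoid"}
RISK_APPETITE = 8  # assumed: residual scores above this need management approval


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self) -> int:
        """Asset impact = the highest of its three CIA levels (assumed rule)."""
        return max(LEVEL[self.confidentiality], LEVEL[self.integrity], LEVEL[self.availability])


@dataclass
class Risk:
    asset: Asset
    threat: str
    severity: str                # consequence if the threat is realised
    vulnerability: str           # how exposed the asset currently is
    treatment: str               # accept | transfer | reduce | avoid
    proposed_control: str = ""   # from the gap analysis, for "reduce"
    residual_vulnerability: Optional[str] = None  # expected level after the control

    def __post_init__(self) -> None:
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")
        if self.treatment == "reduce" and self.residual_vulnerability is None:
            raise ValueError("a 'reduce' treatment must state the expected residual vulnerability")

    def inherent_score(self) -> int:
        """Score before treatment = impact x severity x vulnerability (assumed formula)."""
        return self.asset.impact() * LEVEL[self.severity] * LEVEL[self.vulnerability]

    def residual_score(self) -> int:
        """Score after the chosen treatment is applied."""
        if self.treatment == "avoid":       # activity stopped, risk no longer present
            return 0
        if self.treatment == "reduce":      # control lowers the vulnerability level
            return self.asset.impact() * LEVEL[self.severity] * LEVEL[self.residual_vulnerability]
        # accept and transfer leave the level unchanged; transfer only shifts the cost
        return self.inherent_score()


def rank(risks: List[Risk]) -> List[Risk]:
    """Phase 5 ranking: highest inherent score first."""
    return sorted(risks, key=lambda r: r.inherent_score(), reverse=True)


def needs_approval(risks: List[Risk], appetite: int = RISK_APPETITE) -> List[Risk]:
    """Phase 6: residual risks above appetite that management must explicitly approve."""
    return [r for r in risks if r.residual_score() > appetite]


# Constructed sample inventory for a small software development company.
REPO = Asset("source code repository", "high", "high", "medium")
CI = Asset("build server", "medium", "high", "high")
WEB = Asset("public marketing website", "low", "medium", "medium")

SAMPLE_RISKS = [
    Risk(REPO, "leaked developer access token", "high", "medium", "reduce",
         "enforce MFA and rotate tokens", residual_vulnerability="low"),
    Risk(CI, "unpatched build runner compromised", "high", "high", "reduce",
         "monthly patch cycle and network segmentation", residual_vulnerability="low"),
    Risk(WEB, "denial of service against website", "medium", "medium", "accept"),
    Risk(WEB, "website defacement", "medium", "low", "transfer",
         "hosting provider restores from backup under SLA"),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_RISKS):
        print(f"{r.inherent_score():>3} -> {r.residual_score():>3}  {r.treatment:<8} "
              f"{r.asset.name}: {r.threat}")
    print("needs management approval:", [r.threat for r in needs_approval(SAMPLE_RISKS)])
```

Running the script prints the ranked register; the two "reduce" entries still score 9 after their controls, above the assumed appetite of 8, so they appear in the approval list that the RTP would carry to management.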

Phase 7—Set Up the Policies and Procedures to Control Risks

For the controls adopted, as shown in the SOA, the organization will require policy statements or detailed procedure and responsibility documents that identify user roles, so that policies and procedures are implemented consistently and effectively. Documentation of policies and procedures is a requirement of ISO/IEC 27001. The list of applicable policies and procedures depends on the organization’s structure, its locations and its assets.

Phase 8—Allocate Resources, and Train the Staff

The ISMS process highlights one of management’s key commitments: sufficient resources to develop, implement, maintain and manage the ISMS. It is also essential to document the training given to staff, since the auditor will ask for evidence of it.

Phase 9—Monitoring the Implementation of the ISMS

Periodic internal audits are a must for monitoring and review. An internal audit consists of testing the controls and identifying corrective and preventive actions. To complete the PDCA cycle, every gap identified in the internal audit must be addressed by identifying the corrective and preventive controls needed and by assessing the company’s compliance through a gap analysis.

To be effective, the ISMS also needs to be reviewed by management at planned, periodic intervals. This review drives changes and improvements to the policies, procedures, controls and staffing decisions; the management review is a very important step in the process. The results of audits and periodic reviews are documented and retained.

Phase 10—Preparation for the Certification Audit

For an organization such as a software development company to be certified, it is essential that it conducts a full cycle of internal audits, management reviews and PDCA activities, and that it retains evidence of the responses taken as a result of those reviews and audits. ISMS management should review the risk assessment, the RTP, the SOA and the policies and procedures at least annually.

An external auditor will first examine the ISMS documents to determine the scope and content of the ISMS. The objective of the review and audit is to have sufficient evidence, together with the review and audit documents, available to the auditor; this evidence demonstrates the efficiency and effectiveness of the ISMS implemented in the organization and its business units.

Phase 11—Conducting Periodic Reassessment Audits

The follow-up reviews or periodic audits confirm that the organization remains in compliance with the standard.

Maintaining the certification requires periodic reassessment audits to confirm that the ISMS continues to operate as specified and intended. As with any other ISO standard, ISO 27001 follows the PDCA cycle, which helps ISMS management see how far and how well the enterprise has progressed along that cycle; this directly influences the time and cost estimates for achieving compliance.


The true success of ISO 27001 lies in its alignment with the business objectives and its effectiveness in realizing those objectives. In software development companies the IT department and the other departments all play an important role in implementing ISO 27001. Implementing ISO 27001 is an exercise in better understanding the existing inventory of IT initiatives, information availability and the ISMS implementation phases, and an organization needs a detailed understanding of the PDCA implementation phases.

Without a well-defined and well-developed ISO 27001 project plan, implementing ISO 27001 is a time-consuming and costly exercise. To achieve the planned return on investment (ROI), the implementation plan has to be developed with the end goal in mind. Training and internal audit are major parts of ISO 27001 implementation. ISO 27001 certification should assure most business partners of an organization’s information security status without their having to conduct their own security reviews.

Author Signature: Shreyans Agrawal (
