ISO27001 and the Initial Clauses
When talking to clients about implementing any ISO standard, the question they all have is "where do I start?" It seems like a really obvious question, and the answer, well, that's equally obvious: you start at the very beginning! Now that you have Mary Poppins in your head, let's begin.
The very first thing you should do is go out and actually buy the standard so you can read it. I know it's a radical thought, but trust me, you will feel much better about everything, ok maybe not everything, but certainly about what to do when you implement your systems to meet the ISO27001 Information Security Management Systems (ISMS) standard. The reason you will feel better is that you will in fact have the roadmap in your hand on what to do. Here's a pro hint however: don't just buy 27001, also get
- ISO27000, which is the Overview and Vocabulary document and basically helps translate things,
- ISO27002, which is the code of practice for information security controls and is going to give you even more hints,
- ISO27003, which is actually an implementation guide; it's useful, but the reality is you won't follow it to the letter, which is OK, but it's helpful to read,
- ISO27005, which outlines the ISMS risk management approach.
ISO27004 will give you a standard to follow for ISMS metrics, and these are pretty standard within the industry, but I wouldn't rush out and get it just yet.
You can only be certified to 27001, but the other documents really will help you, and we'll refer to them throughout the series of posts about 27001.
The ISO27001 Clauses
Now that's out of the way, we can talk about some of the initial clauses that you are going to skip right over on your way to clause 4, because that's where all ISO standards really start. Well, don't: it's really important to at least stop, read and think about those initial clauses in the standard.
Clause 0.1 General
This clause sets out the basic requirements for your ISO27001 ISMS compliance. It's the ground rules, so without knowing those you may stumble around a bit. Here's the crux of what they are saying:
Firstly, it lays out a really important rule about the standard. It's right there in the very first sentence, the opening shot if you like: "This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system." Yep, the expectation is that you will continually improve the processes and systems that are linked to your ISO27001 Information Security Management System. So if you don't build that in, or you think you can just set up a system in a folder and put it on a shelf or file it somewhere once you achieve certification, guess what, you are wrong!
It also highlights what should be blindingly obvious: implementation of this system needs to be a strategic decision. You are fundamentally going to change the way your organisation looks at, thinks about and handles information, so if it doesn't come from the very top then you are wasting your time; stop doing it and find something else to fill in your time.
It also reinforces that this standard is applicable to organisations of any size. You don't need to be a multinational company to want or need to be using this standard; it's designed to scale. The controls a company of 10 people would put in versus the controls of a 1,000-person company with offices in 17 countries will be different, and the standard recognises that.
It helps define what an information security management system should do: "The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed." Interested parties is something you will need to define, but you can bet it'll cover people like your customers, for example. Notice we also highlighted the word risks, so again it's laying out the ground rule that you need to take a risk-based approach to implementing and managing your system when it comes to information security management.
Clause 0.2 Compatibility
Clause 1 Scope
This is the scope of the standard; it has nothing to do with the scope of your business or your Information Security Management System as such. However, keep in mind that the standard should be looked at and implemented within the context of your organisation, which we'll discuss in more detail later. It also reminds you that it's about taking a risk-based approach to your ISMS. Probably most important, however, is that unlike some other standards you cannot exclude anything from the standard: you need to implement it all, and you need to implement it across your entire organisation. Think about why that would be. Can you imagine having a set of information security processes for, say, engineering but nothing for HR or manufacturing? It just wouldn't make any sense.
Clause 2 Normative References
Normative references are there to set the meaning of the words used within the standard. They are held in ISO27000, Information Security Management Systems: Overview and Vocabulary. As mentioned earlier, you need to get hold of it so that you can use it as your common reference document. The terms used in there should become the terms that you use in your organisation when talking about your ISMS.
Clause 3 Terms and Definitions
Guess where you will find all the terms and definitions that you need to understand for your ISO27001 system? Yep, ISO27000, so that's another reason you should go get it. For example, there are 77 items listed in the Terms and Definitions section of the 27000 standard that you will need to understand and think about for your system, and of course your training, so really, just go buy that standard if you haven't already.
The ISO27001 standard works for any size and type of organisation, but you need to implement it fully and across your entire organisation; you can't opt out of anything. You need to start with it coming from the top boss saying this is what we are going to do; middle-out just won't work. There are a number of supporting standards in the 27000 family, and you should get hold of them to help you really understand what's being asked for. The two key elements about your new ISO27001 Information Security Management System that are stressed here and ongoing are that it's risk-based and there is an expectation of continuous improvement of your system.
© Many Caps Consulting Ltd | All Rights Reserved