ISO 27001 describes an Information Security Management System (ISMS). In essence this is a Plan-Do-Check-Act (PDCA) cycle, making sure information security will be embedded in the DNA of your organization.
On this page, you will see how Instant 27001 helps you to do so, by providing guidance, instructions and samples for each step of the way.
10 steps to certification
The 10 steps to certification visualize this cycle and show you all the activities needed to become certified. To support resource planning, an effort estimate is included for each step.
An important part of the “Plan” phase is to get a better understanding of your organization, its stakeholders and the requirements they might have. This matters because it directly influences how you design your ISMS.
In Instant 27001, all clauses and controls have their own page, which states the Requirement from the standard, an Instruction on what you should do, and, under Implementation, an example that only needs to be modified to match your own organization.
The Implementation can also refer to another document. In this case, the Stakeholder analysis is defined on its own page, for readability.
Perhaps the most important part of ISO 27001 is the risk assessment, followed by the selection of the proper security controls to mitigate the risks.
Before we dive into that, the standard requires you to define a risk assessment method first. Instant 27001 comes with a qualitative method based on SPRINT:
To speed up the process, a list of 36 common threats is provided. We suggest you start by evaluating these for relevance. After this, new risks can be added based on a built-in Risk template.
This risk can be mitigated by establishing a Mobile device policy (A.6.2.1) and a Cryptography policy (A.10.1.1).
The information entered under Treatment is then used to automatically generate the Risk treatment plan.
Annex A of ISO 27001 lists 114 common security controls that can be used to mitigate the risks identified above.
Policies and procedures
All policies and procedures are defined on their own page, for easy hyperlinking and redistribution (content can be exported as Word or PDF files).
Statement of applicability
After all Annex A controls have been evaluated for relevance (their ability to mitigate one or more of the risks you identified earlier), a Statement of applicability must be created.
Instant 27001 does this automatically, by accumulating the information entered earlier on the pages of the controls:
Monitoring and measuring
Once the security controls have been implemented, ISO 27001 requires you to plan how you will monitor, throughout the year, that all controls remain effective.
The security controls can be expanded with Check details; this information is then gathered to automatically create the Self check schedule report.
Now all you have to do is transfer this schedule into your own calendar or ticketing system.