ISO 27001 describes an Information Security Management System (ISMS). In essence, this is a Plan-Do-Check-Act (PDCA) cycle. Implementing it makes sure information security will be embedded in the DNA of your organization.
On this page, you will see how Instant 27001 helps you to do so, by providing guidance, instructions and samples for each step of the way.
Divided into an organizational and a technical track, the built-in project plan guides you through all the steps needed, providing helpful tips along the way.
An important part of the “Plan”-phase is to get a better understanding of your organization, the stakeholders and the requirements they might have.
It makes sense to do so, because this will have an impact on how you design your ISMS.
In Instant 27001, every clause and control has its own page, which states the Requirement from the standard, gives an Instruction describing what you should do, and, under Implementation, provides an example that only needs to be modified to match your own organization.
The Implementation can also refer to another document. In this case, the Stakeholder analysis is defined on its own page, for readability.
Perhaps the most important part of ISO 27001 is the risk assessment, followed by the selection of the proper security controls to mitigate the risks.
Before we dive into that, the standard requires you to define a methodology first. Instant 27001 comes with a qualitative method, based on SPRINT.
To speed up the process, a list of 36 common threats is provided. We suggest you start by evaluating these for relevance. After that, new risks can be added based on a built-in risk template.
This risk can be mitigated by establishing a Mobile device policy (A.6.2.1) and a Cryptography policy (A.10.1.1), and by requiring people to report the loss of a device immediately (A.16.1.2).
The information entered under Treatment is then used to automatically generate the Risk treatment plan.
Annex A of ISO 27001 defines 114 common security controls that can be used to mitigate the risks identified above.
While ISO 27001 does not suggest how to implement these controls, Instant 27001 comes with suggestions based on industry best practices.
Policies and procedures
All policies and procedures are defined on their own page, for easy hyperlinking and redistribution (content can be exported as Word or PDF files).
The documents are kept as clear and concise as possible, so people will have no problem understanding and implementing them.
Statement of applicability
After all Annex A controls have been evaluated for relevance (their ability to mitigate one or more of the risks you have identified earlier), a Statement of applicability must be created.
Instant 27001 does this automatically, by accumulating the information entered earlier on the pages of the controls.
Monitoring and measuring
Once the implementation of the security controls is done, ISO 27001 requires you to think about how you will monitor, throughout the year, whether all controls remain effective.
The security controls can be expanded with Check details; this information is then gathered to automatically create the Monitoring plan.
Now all you have to do is transfer this schedule into your own calendar or ticketing system.