How To Accelerate ISO 27001 Implementation
How to accelerate the implementation
by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001
www.patreon.com/AndreyProzorov
1.0, 01.06.2023
Agenda
ISMS Implementation plan
1. Conduct awareness trainings for the top management
2. Conduct a Gap analysis
3. Understand the Context
4. Plan the implementation
5. Conduct the first IS Committee meeting
6. Establish Information Security Policy and Information Security Objectives
7. Take an inventory of the assets
8. Define a method of risk assessment, identify and assess information security risks
9. Prepare Statement of Applicability (SoA) and Risk Treatment Plan (RTP)
10. Define requirements for documentation management
11. Develop ISMS Framework and define roles and responsibilities
12. Develop and implement a set of ISMS policies and procedures
13. Plan and implement additional information security measures
14. Plan, prepare and conduct awareness trainings
15. Operate the ISMS
16. Monitor the ISMS
17. Audit the ISMS
18. Conduct ISMS Management reviews
19. Practice continual improvement
20. Prepare for the certification audit
*time-consuming tasks
ISMS Implementation plan: 1-2 years
Recommendations for the project management
1. Set clear and realistic project goals
2. The project charter is important, but don't make it too complicated
3. Reduce the ISMS scope for the certification
4. Improve communication between the implementation team members (e.g., use a Kanban board, create a channel on Slack/MS Teams)
5. Don't spend much time on detailed planning. Use the sprints (1-2 weeks)
6. Schedule parallel tasks (e.g., Risk Assessment and Documents preparation)
7. Prepare and strictly follow a Communication Plan
Recommendations for the core processes
1. Launch awareness training ASAP. Start from the top management
2. Launch the ISMS Committee / IS Steering Committee ASAP. Hold meetings once or twice a month at first, then once a quarter.
3. Use simple templates for ISMS documents, and easy approval and review procedures (e.g., during the ISMS Committee meetings)
4. Use Notion/Confluence (if allowed)
5. Create templates and registers in advance:
   1. ISMS Committee presentation and MoM
   2. Policy (Template)
   3. Statement of Applicability (SoA)
   4. Audit Plan and Report
   5. Nonconformity Register and Report
   6. ISMS management review report
   7. Risk register
   8. Incident register
6. Prepare the mandatory documents first. You don't need the full set of topic-specific policies and procedures!
7. Simplify the core processes! You will improve them later…
8. Combine an ISMS Gap Analysis with Internal Audits
9. Don't spend much time on Risk Assessment. You will improve it later…
10. Implement only critical controls (Annex A). Just plan to implement others…
11. Continual improvement is better than the perfect system
Other Recommendations
1. Purchase and study ISO 27000, 27001, 27002, 27003, 27005, 27007, 19011 in advance
2. Collect and keep records with care
3. MS Excel is the best GRC for starters
   • Asset register
   • Incident register
   • Nonconformity register
   • Risk register and RTP
   • Statement of Applicability (SoA)
   • ISMS Documented information
   • Supplier register
   • …
4. Use ChatGPT
5. Use templates and toolkits
www.patreon.com/posts/how-to-use-for-83553386
Best ISO 27001 (ISMS) Toolkits
1. ISO27k Toolkit by ISO27k Forum (Free) - https://lnkd.in/eC5Kh5d6
2. ISMS Implementation Toolkit by Andrey Prozorov (28$ per month) - https://lnkd.in/enzZdZ9
3. ISO 27001 Documentation Toolkit by Advisera (897$) - https://lnkd.in/euYBc-SW
4. ISO 27001 Toolkit by CertiKit (950€) - https://lnkd.in/ePxZUjHe
5. ISO 27001 Toolkit by IT Governance (595£ per year) - https://lnkd.in/eAwTcuE6
6. ISO/IEC 27001 Info Kit by PECB (Free) - https://lnkd.in/d-HEuN_8
7. ISO 27001 Templates Toolkit: Consultant Edition 2022 by HighTable (597£) - https://lnkd.in/dxhZX56U
8. ISO 27001:2022 All-In-One Toolkit by Certification Templates (999$) - https://lnkd.in/djXhSbiv
9. Instant 27001 for Confluence (from 1995€) - https://lnkd.in/dE7y6vzX
10. ISO/IEC 27001:2022 Documentation Toolkit by UCStoolkit (466€) - https://lnkd.in/d7CpThMF
www.patreon.com/posts/47806655
Thanks, and good luck!
www.linkedin.com/in/andreyprozorov
www.patreon.com/AndreyProzorov
My ISMS Implementation Plan + templates
www.patreon.com/posts/isms-plan-iso-74660190
My other ISMS-related presentations