ISO/IEC 27001:2013 is an internationally recognised information security standard, part of the ISO/IEC 27000 family of standards, the latest version of which was published in 2013. ISO 27001 specifies an Information Security Management System (ISMS) that is intended to formalise the management of information security through the application of controls specified by the standard. Organisations that meet the controls may be certified by an accredited registration body following successful completion of an audit.
Implementation of an ISO 27001 ISMS is a 2-stage process:
Stage 1 Gap Analysis
The first stage requires the development of the policies and procedures which underpin the ISMS – finishing with the definition of the scope and applicable controls in the Statement of Applicability (SoA).
Stage 2 Gap Analysis
The second stage measures how the policies and procedures are applied to the people, processes and technologies within the scope defined in the SoA. At this point, the organisation under assessment is being measured against its own policies and procedures. This cannot commence before the Stage 1 documentation and the SoA are complete and the ISMS is being operated by the organisation under assessment.
Full implementation of an ISO27001 ISMS is a significant undertaking for any organisation. The two key questions which must be addressed before moving forward with any ISO27001 project are:
Is there a necessary business driver which requires ISO27001 compliance?
Is there a board-level sponsor for an ISO27001 project?
Without these preliminary components present, it is unlikely that an organisation will have the necessary motivation to implement ISO27001, even if the scope is reduced to a specific business function.