The Cetbix ISO ISMS comes with tools, frameworks and documentation that you can integrate, customise or extend. The Cetbix approach to quality assurance is straightforward. Designed to ensure certification on the first attempt.  100% success rate.

How/Where do I start?

STEP 1 Management

First get the support of your top management. They must demonstrate their commitment and determination to implement an ISO27001 information security management system in your organisation. No information security initiative can be successful without commitment from top management.

To demonstrate commitment to the development and implementation of an ISMS and to continuously improve its effectiveness, top management should:

1. make clear to the organisation the importance of meeting customer, legal and regulatory requirements,
2. establish the organisation's information security policy and make it known to every employee.
3. ensure that information security objectives are established at all levels and for all functions
4. ensure the availability of the resources required for the development and implementation of the ISMS
5. lead the required management review meetings.
6. encourage the involvement of all staff
7. identify and communicate the key objectives to be achieved by the ISMS, such as:
   1. protecting confidential information
   2. giving customers and stakeholders confidence in our risk management
   3. enabling the secure exchange of information
   4. ensuring compliance with legal obligations
   5. provide a competitive advantage
   6. better manage and minimise risks
   7. raising awareness of security issues.

STEP 2 Appoint the team

Top management should appoint an Information Security Management Representative (ISMR) as the project leader to plan and oversee the implementation, and a supporting team that includes representatives from all corporate functions that fall within the scope.

The 'Information Security Management Representative' must become an expert in and committed to ISO27001, have the necessary attributes and authority to lead the implementation team and, if you choose to pursue third-party certification, represent your organisation to the certifier. The ISMR should:

1. have the full backing of the CEO or equivalent.
2. have a genuine and passionate commitment to information security in general and to the implementation of an ISO 27001 ISMS in particular
3. have the ability and presence to influence staff at all levels and functions of the organisation
4. have organisational skills, a clear and logical mindset, computer skills
5. a comprehensive understanding of the processes underlying business operations
6. Good knowledge of information security methodologies in general and ISO 27001 in particular (or a quick learner, training would be a great advantage).

ISO 27001 requires that the ISMR has a clear responsibility for:

1. ensuring that the ISMS is defined, implemented, maintained and improved in accordance with the requirements of ISO 27001.
2. Reporting to senior management on how well or poorly the ISMS is performing, including identifying areas for improvement.

STEP 3 Raise awareness among employees

It is important to inform all affected employees as early as possible that you are planning to implement an ISO 27001 ISMS. You need to explain the concept of ISO 27001 and how it will affect all employees to get them to adopt and support it.

Training programmes should be structured for different categories of staff - senior managers, mid-level managers, supervisors and employees. These training programmes should cover.

1. the basic concepts of ISMS and the standard,
2. the general implications for the organisation's strategic objectives
3. the changing work processes and the likely impact of the ISMS on the work culture.

In addition, initial training on topics such as process mapping may also be required.

STEP 4 Decide on the scope of your ISMS

4.1. General

Top management needs to determine the scope of your ISMS implementation so that it matches the scope of the information the ISMS is designed to protect. It can be difficult to get the scope right for your purposes, so let's go into a little detail.

It doesn't matter how or where this information is stored, you want to protect this information no matter where, how or by whom it is accessed.

So if you have mobile devices, for example, even if they don't contain sensitive information, they fall within the scope if they can remotely access secure information stored on your network.

When you get certified, the auditor checks that all the elements of the ISMS are working well within your scope, he does not check the departments or systems that are not included in your scope.

Basically, ISO 27001 states that you must do the following when defining your scope:

1. Consider the internal and external aspects defined in section 4.1.
2. Consider all requirements defined in section 4.2
3. Consider interfaces and dependencies between what happens within the ISMS scope and the external world.

Although it is not required by the standard, it is often helpful to include a brief description of your location (you could use floor plans to describe the site) and organisational units (e.g. organisation charts) in your documented scope.

• • You can define your scope directly on the Cetbix Platform under the content Scope.

4.2. Dependencies

To best visualise this, draw your processes (all business processes, not just security or IT processes) that are included in your ISMS scope, and then outside that circle, draw the processes that are provided from outside your scope.

Once you know the dependencies, you need to identify the interfaces. Once you have identified the interfaces and their inputs/outputs, you can include them in the scope if they have an impact on information security.

4.3. 27001 Example Scopes

1. The Information Security Management System (ISMS) applies to the control of all our operations, premises and resources within the UK. Sites and resources outside the UK are excluded from the scope of the ISMS.
2. The ISMS covers all business processes carried out by the IT department at XYS motors. All other business units are excluded from the scope.
3. The ISMS will protect the confidentiality, integrity and availability of XYS motors' customer data at all times in the UK offices. This includes the IT department, call centres and XYS office locations.

STEP 5 Perform a Gap Assessment

The first major task of the ISMR is to conduct a comparison of your existing ISMS with the requirements of the ISO27001 standard. This is often referred to as "gap assessment" and should determine:

1. what existing company policies and procedures already meet ISO 27001 requirements
2. what existing policies and procedures need to be modified to meet ISO 27001 requirements
3. what additional policies and procedures need to be created to meet ISO 27001 requirements

This can be done using the Cetbix ISO27005 questionnaires or the BSI questionnaires on your ISMS dashboard under "Situational".

ISO/IEC 27005 deals exclusively with information security risk management. It describes the procedures for conducting an information security risk assessment in accordance with ISO 27001. The ISO 27005 guidelines are a subset of a broader set of best practices for preventing data breaches in your organisation. The specification provides guidance for formally identifying, assessing, evaluating and addressing information security vulnerabilities - procedures that are central to an ISO27k Information Security Management System (ISMS). Its aim is to ensure that organisations rationally plan, execute, administer, monitor and manage their information security controls and other arrangements related to their information security risks. Like the other standards in the series,
ISO 27005 does not set out a clear path to compliance. It merely recommends best practices that can be incorporated into any standard ISMS. The other alternative to the ISO27005 risk assessment is the BSI questionnaire.

Self Assessment

Cetbix ISO ISMS also offers the option for organisations to enter their own questionnaires into the platform without using ISO27005. This option can be achieved by activating "Self Assessment" under "User Dashboard".

STEP 6 Initial asset review and data collection

At this phase, you need to start determining your assets. While this step isn't absolutely necessary, it is often useful, in that you will better understand the task ahead and better able to predict timescales, to do an initial scan of assets and their associated risks before drawing up a detailed implementation plan.

6.1 Asset identification

Guided by the included Appendix A Controls 'Asset Management Controls' document, carry out an initial fist scan of information assets:

Firstly, list out those information processing facilities that are used by more than one department, such as:

1. the company website
2. the front office (visitor log, employee attendance, material check-in and check-out, security checks, etc.)
3. Local Area Network (server computer, server operating system software, routers, client computers, etc.)
4. ERP software
5. client database
6. access control system, etc.

All these assets can be inventoried using the Cetbix Asset Inventory on your dashboard.

Then look at information assets within each department (both electronic and hardcopy), such as:

1. CRM software
2. customer supplied specifications and other proprietary items
3. email / hardcopy communication with customers, etc.
4. marketing department database and systems
5. R&D data of the design department
6. testing software and test reports
7. designs and specifications
8. databases

All these assets can be inventoried using the Cetbix Asset Inventory on your dashboard.

6.2 Initial information security risk assessment

ISO 27001 sets out the process you should adopt to identify, analyse, evaluate and treat the risks to your information assets: Guided by the Control of Risks and Opportunities Procedure, conduct an initial risk assessment for each functional area to:

1. identify the risks and risk owners
2. identify the affected information assets and their owners
3. quantify the risk
4. prioritise risks for treatment

If the same risk applies to more than one area, you may put them together when treating the risk.

In addition to the simple risk assessment approach that we have included, there are plenty of mature, risk management frameworks, such as : ISO/IEC 27005, ISO 31000, NIST SP800-37 (RMF)

Risks arise from your existing assets, so consider;

1. What information do we have?
2. Who are responsible for them?
3. Which of those should we protect?
4. In what priority should we protect them?
5. What costs are we willing to treat these risks?

All this is assessed on the Cetbix asset inventory on your dashboard - when you click on an asset, you are taken to the "audit page"

In your considerations:

1. use the ISMS defined context
2. define risk appetite and tolerance: how much is too much risk?

6.3 Prepare of tentative 'Statement of Applicability'

Considering the list of identified risks, go through the control checklist (based on Annex A of the standard) and identify the control objectives and controls that are applicable and why, and also record those that you think are not applicable and why. 'Cetbix will automatically generate your SOA report for you. To create your SOA in Cetbix, follow these steps.

1. Add assets to your inventory and click on the added asset to access that asset's profile.
2. Assign a threat (if known) to each asset under "Quantitative Risk Identification' under "Expected Threat Exposure and Cost'.
   1. Note: You can only assign threats if you add a value in the "Asset Cost & Benefit Assessment'.
   2. Now analyse the assets under "Risk Analysis & Audit Controls.
   3. Select the vulnerability for the identified threat under "Quantitative Risk Identification'.
3. Scroll down to 'ISO27001 controls list: the 14 control sets of Annex A' under 'Risk Analysis & Auditing Controls' and assign the controls accordingly.
   1. Fill in all the required information needed on this page, such as the Inherent and Residual Risk.
   2. The Inherent & Residual Risk values are generated on your USER Dashboard under Methodology.
4. After you have assigned the controls to your assets, saved all settings and set the risk, the last step should be to click 'Save & Submit'. Note: If you have the RISK ACCEPTANCE feature, you can simply print out the risk and submit it to your management or enter it digitally on the Cetbix platform.
5. Now go to the sidebar and search for 'Audit -> 'Controls Check' and make sure all settings are rechecked here.
6. Now go to the sidebar and search for "Audit' -> "Reports' and "SOA'.

6.4 Risk Treatment Plan

Review the findings of the initial risk assessment and prepare an initial risk treatment plan. Remember, only risk owners can accept risks and their treatment! Cetbix automatically generates your RTP report for you. Other reports such as Risk Register, Asset Register and other reports are generated automatically on Cetbix.

STEP 7 Implementation Planning

At this stage 7, you have been able to verify both issues in your ISO27005 assessment and your "Assets" assessment. That was your gap assessment phase. Now you should have a clear picture of how your existing ISMS compares with the ISO 27001 standard.

A detailed implementation plan should then be developed that identifies and describes the tasks required to make your ISMS fully compliant with the standard. This plan needs to be both thorough and specific, including the:

1. information security documentation to be developed
2. person or team responsible
3. training required
4. resources required
5. approvals required (if you are going for third party certification)
6. estimated completion date

Cetbix automatically generates your implementation plan for you if you have already activated that feature. You could also use your own local system to get this done.

The time required to get from a decision to implement to final certification depends on many factors. It is essential that the plan is neither rushed, nor so slow that energy and momentum are lost. You need a high-level implementation action plan, for a modest implementation.

STEP 8 Documentation Development

Congratulations - with the acquisition of the Cetbix licence, you will be provided with all documents and forms digitally and manually, which will be much easier than it would have been otherwise!

STEP 9 Implementation

9.1 Implementation and Employee Training

The newly documented ISMS is now ready to be implemented throughout your organisation. Management and staff should be trained in the new or revised work processes, procedures and record keeping as set out in the ISMS.

9.2 Train Internal Auditors & undertake internal audits

ISO 27001 requires that you periodically perform an internal audit to evaluate the effectiveness of your ISMS and check that it complies both with ISO 27001 requirements and your organisation's documented work practices.

An audit is a 'systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled'

Internal audits help with the implementation of your ISMS and a complete internal audit is also required before you can pass your certification audit.

Your internal audit program should be planned taking into consideration the status and importance of the different processes making up your operations.

At least two of your employees will need to be trained as internal auditors. Internal auditors should be able to be objective and impartial and may not audit their own work.

9.3 Management Review

Management reviews are conducted to ensure the continuing suitability, adequacy and effectiveness of your ISMS. The review should include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and objectives. Management Reviews should consider all aspects of the performance of the ISMS, including:

1. the results of audits
2. information security management system performance
3. emergency preparedness and response
4. status of preventive and corrective actions follow‐up actions from previous management reviews
5. changes that could affect the ISMS, and recommendations for improvements

It is useful to hold management reviews fairly frequently once the ISMS becomes operative and to only lengthen the periods between each review once you are confident the ISMS is operating satisfactorily as confirmed by both internal and external audits.

9.4 Choosing an ISMS Certifier

A certification body is an independent organisation that is officially accredited to issue ISMS certifications. If you intend going for certification, It is advisable to select a certification body that is suited to your organisation relatively early in your implementation program. The certifier will audit your company's ISMS and, if the audit is successful, issue a certificate confirming that your ISMS meets the requirements of ISO 27001:2013.

When choosing a certification body to carry out your ISO 27001 certification audit, consider the following:

1. is the certification body accredited and, if so, by whom?

• • Accreditation means that the certification body has been officially approved, by a national accreditation body, as competent to carry out certification**.

1. is the certification body recognised by your company's customers?
2. do the certification body's auditor(s) have experience in your organisation's business sector?

can they provide reference sites?

STEP 10 Practical advice on complying with ISO 27001

ISMS motto: 'the less you {own, do, manage, keep...}, the easier to comply!'

1. outsource non-essential services, leverage cloud services: email, antivirus, server monitoring, infrastructure and backups
2. do not keep data that is not necessary (data = burden)
3. automate, automate, automate - don't do things that the computer can do for you
4. don't get carried away, align with realistic and current security demands to ensure a minimal attack surface

KISS

1. simple policies can be understoo
2. simple procedures can be followed
3. small is beautiful in documenting ISMS

Statement of Applicability (SoA)

1. most controls apply to the full scope
2. tailor at the operational / functional levels (teams)
3. use the self-assessment checklists

STEP 11 Assessment and Certification

11.1 Pre-Assessment Audit

When your ISMS has been in operation for a few months and has stabilised, you can schedule an initial 'Pre-Assessment' certification audit to be undertaken by your selected certification body.

Your selected certification body will first carry out an audit of your documentation and then, if your documents meet the requirements of the standard, the certifier will visit your facility and perform a pre-assessment audit to ensure all applicable ISO 27001 requirements have been met.

11.2 Corrective Actions

Following your pre-assessment audit, you need to review the results and take any necessary corrective actions to correct any non-conformances (activities that are not in compliance with the requirements of the standard and/or your own documented work practices) flagged by the certification auditors during the pre-assessment audit.

11.3 Certification Audit

One you are satisfied that all non-conformances flagged during your pre-assessment have been addressed, ask your selected certifier to perform a full certification audit to ensure all applicable ISO 27001 requirements have been met.

Following the successful completion of a full certification audit you will be awarded an ISO 27001 Certificate, generally for a period of three years. During this three‐year period, your certification body will carry out periodic surveillance audits to ensure that the system is continuing to operate satisfactorily.

11.4 Continual Improvement

Certification to ISO 27001 is not the end of the story. As required by the standard, you should continually seek to improve the effectiveness and suitability of your ISMS through the use of your:

1. Information Security policy
2. Information Security objectives
3. audit results
4. analysis of data
5. corrective and preventive actions
6. management review

12 Paperless Documentation

Cetbix helps you to create and maintain the accompanying reports and records to demonstrate your compliance with the standard. Your certification body will probably need to see each report:

1. Scope of the ISMS (4.3)
2. Information security policy (5.2 e)
3. Information security risk assessment process (6.1.2)
4. Information security risk treatment process (6.1.3)
5. Statement of Applicability (SoA) (6.1.3 d)
6. Information security objectives (6.2)
7. Evidence of competence (7.2)
8. Documentation necessary for the effectiveness of the ISMS (7.5.1 b)
9. Documentation necessary to have confidence that the processes required for operational planning and control have been carried out as planned (8.1)
10. Results of information security risk assessments (8.2)
11. Results of information security risk treatments (8.3)
12. Evidence of the information security performance monitoring and measurement results (9.1)
13. Internal audit programme(s) and audit results (9.2 g)
14. Evidence of the results of management reviews (9.3)
15. Evidence of nonconformities and any subsequent actions taken, and the results of any corrective actions (10.1)

Cetbix also automatically generates the following documents for you: scope, information security policy (section 5.2 of ISO 27001), risk assessment process according to section 6.1.2 and the SoA (Statement of Applicability).

13 Policies, Forms, Process Documentation

Cetbix has all the documentation you need for your ISO27001 certification and other compliance issues.

14 ISO 27001 requirements

• 4.1 Understanding the organisation and its context
• 4.2 Understanding the needs and expectations of interested parties
• 4.3 Determining the scope of the ISMS
• 4.4 Information security management system (ISMS)
• 5.1 Leadership and commitment
• 5.2 Information Security Policy
• 5.3 Organisational roles, responsibilities and authorities
• 6.1 Actions to address risks and opportunities
• 6.2 Information security objectives and planning to achieve them
• 7.1 Resources
• 7.2 Competence
• 7.3 Awareness
• 7.4 Communication
• 7.5 Documented information
• 8.1 Operational planning and control
• 8.2 Information security risk assessment
• 8.3 Information security risk treatment
• 9.1 Monitoring, measurement, analysis and evaluation
• 9.2 Internal audit
• 9.3 Management review
• 10.1 Nonconformity and corrective action
• 10.2 Continual improvement

15 ISO 27001 Annex A Controls

1. A.5 Information security policies
2. A.6 Organisation of information security
3. A.7 Human resource security
4. A.8 Asset management
5. A.9 Access control
6. A.10 Cryptography
7. A.11 Physical and environmental security
8. A.12 Operations security
9. A.13 Communications security
10. A.14 System acquisition, development, and maintenance
11. A.15 Supplier relationships
12. A.16 Information security incident management
13. A.17 Information security aspects of business continuity management
14. A.18 Compliance

16 Guidance on ISMS Internal Auditing

1. Introduction

Audits should be performed using a “Process Approach” where they do more than check whether people “are following their procedures / work instructions”. Each process making up your ISMS must be scheduled for audit.

Clause 9.2 of ISO 27001:2013 sets out the objectives for your internal auditing:

“The organisation must conduct internal audits at planned intervals to provide information on whether the environmental management system:

1. conforms to:
   1. the organisation’s own requirements for its environmental management system
   2. the requirements of this International Standard (ISO 27001:2015)
2. Is effectively implemented and maintained”

Information security is a particularly dynamic field with frequent changes to the risks (i.e. the threats, vulnerabilities and/or impacts), controls and environment. It is therefore important that auditors auditing information security controls should maintain knowledge of the state of the art (e.g. emerging information security threats and currently-exploited vulnerabilities) and the organisational situation (e.g. changing business processes and relationships, technology changes).

2. Audit Rating System

A risk-based internal audit approach allows the internal audit to concentrate on reviewing all significant risks to your organisation so as to ensure that they are well controlled.

Ratings range from “compliant” to “major non-conformance” to convey a concise and consistent method for rating each audit finding.

3. Audit Rating System

Auditing has two, related, key objectives:

• to support your organisation’s quality management system
• to provide objective information that you can act upon to continually improve its performance

To achieve these objectives, it is necessary to adhere to the following principles, if the conclusions derived from the audit are to be accurate, objective and sufficient.

• Ethical conduct - trust, integrity, confidentiality and discretion are essential to auditing
• Fair presentation - audit findings, conclusions and reports must truthfully and accurately reflect the audit activities
• Professional care - auditors must exercise a level of care that reflects the importance of the task they perform
• Independence and objectivity - auditors must be independent of the activity being audited and be objective
• Evidence-based approach - evidence must be verifiable and based on samples of the available information

4. Audit Methodology

4.1. Audit Methodology

Just like the internal audit process required by ISO 9001 and other management standards, the main steps required for an ISO 27001 audit are to plan, perform, and follow up on internal audits for the processes. This methodology of internal audit works equally well when applied to the ISO 27001 environmental management system (ISMS), but the focus is slightly different.

Just as with any good internal audit process for any management system, the first important thing is to have an overall schedule of when you are planning to audit each process that will be audited for system conformance. The cycle for this is often a year, but can be whatever you like, and the frequency of audits on any given process is linked to criteria like the information security importance of the process and past audit conformance. If you have a process that has critical information security aspects associated with it, you may want to look at this process more often than one that can have only minor impact on the environment. The audit schedule should be available to employees and managers, because you don’t want to have surprise audits.

Review of the process is critical for this – in particular, understanding the information security risks associated with the process.

As part of the process approach, process audits must be scheduled in accordance with your ISMS.

The audit should be based on a three stage process:

1. preparing for the audit (desk review)
2. auditing the process
3. preparing the executive summary and audit report

4.2. Preparation

Thorough preparation is essential to an efficient and accurate audit!

Gather all relevant documents and records for the process you are auditing and review these documents thoroughly, and mark what you plan to audit. By marking directly on the documents, they become audit records.

Also, review relevant sections of the ISO standard. Your organisation’s documents may not include all the ISO requirements, and this is how you would discover that. If certain information is not available, it may become an audit finding, even during the preparation stage.

Remember that in performing the audit is that you are not using the internal audit to judge the legal compliance of the process.

• Don’t forget to include:

1. Audit Scope, Audit Objectives, Audit Criteria:
2. the “audit scope” defines which areas are included and which excluded from the audit.
3. the “audit objectives” define the purpose of the audit and what it should achieve.
4. “audit criteria” define which ISMS, standards, and documents are to be audited

ISO requires that this information is defined and documented. Often this is routine information, but when there are exclusions or unique situations, it can be significant.

• Previous audit findings

Verify that previous corrective actions remain effective. Past areas of concern may yield more opportunities for improvement or may require re-auditing.

• Relevant Sections of the ISO Standards

Identify those sections in the applicable ISO Standard that are relevant to the process. Print those pages and mark significant requirements to ensure they are documented correctly within the ISMS, and that they get audited.

• Links to Skills, Competencies and Training

Skill requirements should be documented. Review skill lists for the process being audited. Are there clear lists of skills, with sufficient detail, for each position? This is a common failure where lists are generic and the detail is inadequate. Training is a key process of any system. Are there specific people or new members of staff that you wish to review? Are there particular skills you wish to evaluate? Identify the names of those you wish to review later.

Prepare these documents and audit materials carefully as it is faster and easier to audit if you have well organised and marked up information at hand. A well prepared auditor is a confident and authoritative auditor. Using the documented information in this way ensures they become audit records.

Use your preparatory work to develop an audit checklist for use in the future.

An audit checklist is just one of the various tools available to help ensure that your audits address the necessary requirements. The checklist creates a basic reference point before, during and after the audit process and provides the following benefits:

• ensures the audit is conducted thoroughly, systematically and provides objective evidence
• promotes audit planning
• ensures a consistent audit approach
• provides clear support for your audit process
• ensures that different auditors audit uniformly

Your organisation’s documented information may not cover all of the requirements that may be relevant to the process. If certain information is not available, it may become your first audit finding, not bad for the pre-audit review!

4.3 Performing the Audit

Probably the first thing to remember about performing the ISMS audit is that you are not using the internal audit to judge the legal compliance of the process. While a compliance audit is a good idea, and sometimes a legal requirement, this is not the goal of the internal audit programme. The internal audit is looking at the process in the context of the information security controls that the company identified for the process.

Technical compliance tests may be necessary to verify that IT systems are configured in accordance with the organisation’s information security policies, standards and guidelines. Automated configuration checking and vulnerability assessment tools may speed up the rate at which technical compliance checks are performed but potentially introduce their own security issues that need to be taken into account*.

4.4 Review the Findings

Mark findings and issues as you go. When you finish auditing, you should have a collection of various findings to review. Organise the notes you made, these findings need to be reported to management. As you audited, you should have noted the issues and potential improvements you observed. These should have been marked clearly so you are now able to quickly review and capture them as you write the report. When you have completed the audit, you will usually have “findings”. Findings can be both problems and opportunities for improvement. Review your notes and collect the findings into the audit report. Audit teams should review findings with the lead auditor and/or management representative as it important to calibrate the findings and the review also acts a learning process. If there is disagreement over some findings, the Lead Auditor has the final vote!

4.5 Prepare the Report

A good summary report is the output which is the value of the audit. It deserves an appropriate amount of attention and effort. Your summary report should describe findings objectively, provide objective evidence to support the findings, and determine whether they should be classified as Corrective Actions, Preventive Actions, or Opportunities for Improvement.

Too often, the audit report only recites back facts and data the managers already know. The value is in identifying issues and opportunities they don’t know! This summary should be reviewed first with the Lead Auditor, then the Process Owner and Management Team. Make final revisions, and file the final audit report and all supporting audit materials and notes.