Here are some small steps to achieve ISO 27001 implementation. I believe ISO 27001/2 is a key to establish security in the organizations and help the companies to keep the whole ISMS program running aligned with continues improvement. As ISO 27001 has been identified by ICO and recognized by GCHQ/NCSC in the past as the key standard to support GDPR.

1. Steps to implement ISO
27001:2013 with effectiveness

2. Firstly get some knowledge about the importance of the
ISO. Several companies around the world are looking for
business reasons in order to getting the due value from the
customers because of the certification process.
The certification can be an adding value in your business,
so you can be aligned with good practices and continuous
improvement process.
The ISO 27001 also can help your company to be aligned
with the national and international regulators and it’s
mandatory for some kind of businesses.
There are many reasons to adopt ISO 27001

3. In Europe, you also need to get attention with GDPR –
General Data Protection Regulation, Cyber essentials and
have preparing some Awareness program.
Both are very important and in some cases mandatory to
be your company compliance with Information Security,
Governance and Regulators, covering 99% of your best
practices and mandatory stuffs of GRC and Cyber Security
threats.
Regulator details

4. An appropriated support from the top management is
mandatory to starting to working throught a successful
implementation of the ISO 27001:2013
Get an appropriate support from the management
Step 1

5. Choose very carefully an appropriated process not so big,
and not so small, but interesting over the business point
view.
In this fase is very important consider the environment,
geographically and do not forget the regulators and laws
suitable to your business.
Define a scopeChoosing the process and scope
Step 2

6. The information security police is one of the most
important document that one company must be in place
for any type of implementation. This will be the guidance
for the employees working aligned with the best practices
and legal, also to working with 3rd parties.
The information security police should be the “hat” about
what they can do or not !
Note: Have in mind to be in place baselines, procedures
and other standards too.
Write the security policy
Step 3

7. Understanding about your business assets, the cyber
threats, vulnerabilities and possible impacts is essential on
this fase. When define your assets, connect them with the
“risk owners” too.
Remember your risk methodology can be “quantitative” or
“qualitative”. You also can perform gusing some market
methodology (IRAM, OCTAVE, Cobit5) or just used ISO
31000, 27005…
Choosing the risk assessment methodology
Step 4

8. So choose a very good risk methodology and calculate your
risk factor.
E.g. Case you choose the “quantitative” mode, your risk
assessment can be easly defined (low, medium or high).
The risk assessment need to define the criteria to (Accept,
Tranfer, Avoid or Tranfer the risk).
Some people prefer to invest in softwares to perform the
risk assessments, others like to use excel. It is up to your
business and budget.
Perform proper the risk assessment
Step 5

9. The SOA (Statement of Applicatibility) is a key document for
an ISMS. Some companies wrote the SOA based on Gap
analysis.
The SOA should have:
•
Objective controls already selected must be applied
•
The risk assessment results associated with CIA
(Confidentiality, Integrity and Availability).
•
Legal obligations
•
Review by the organisation owners
Prepare the SOA
Step 6

10. The organisation should prepare a formal document
regarding the Risk Treatment Plan (RTP) aligned with
“security police” and define the approach of the risk
treatment plan.
On this fase you should identify:
•
The necessary controls to apply and exclude (Based on
risk assessment choose method)
Prepare an appropriated RTP
Step 7

11. Now we have to use the appropriated controls listed on
SOA in your organisation.
Prepare the necessary controls
Step 8

12. An effective and simple security awareness program,
aligned with the incident management process can be a
good start to encourage your employees as well as align
with your company's business strategy.
Many organizations in Europe have defined good
methodologies and processes already proven and
functional for various types of organizations. ENISA has a
series of documentation on this, but consider consulting
your national regulator and laws (E.G. FCA, ICO, etc ...)
Implement an awareness program
Step 9

13. So important as creating a safety and awareness program
for your company, it will also know how to measure KPIs as
well as measure and apply the controls needed to correct
the various issues that arise along the way.
Monitor the effectiveness of the program
Step 10

14. Have in mind that on the new ISO version 2013 the PDCA is
not longer required, so you don’t have to use the PDCA
model.
So, is very important monitor yours ISMS (Information
security management systems) properly.
Operate and monitor the ISMS
Step 11

15. In order to try your strategy and improve, you can adopt
several national models suggested as penetration test or
even cyber essentials and perform constant (Each 6 months
or quarterly), as well as audits that reinforce your risk
management strategy aligned with your company's
business strategy.
Perform an internal audit and checks
Step 12

16. As you may know, your management should be the media
sponsor for your ISO 27001 safety program. In this way,
ensure that your ISMS is aligned with the company's
objectives and has sufficient focus to ensure the controls
Required internally or by your regulator.
Submit to management review
Step 13

17. Using the appropriate support and based on your risk
management plan, appropriately apply corrective and
preventive actions, as well as try to align your strategy with
cyber security standards (NIST, Cobit, etc ...)
Apply corrective and preventive actions
Step 14

18. Ralf Sermatheu
ralfbraga@gmail.com
Thank you !