ISO27001 - Lead Implementer


Mandatory DOCUMENTS required by ISO 27001

(clause 4.3) Scope of the ISMS
(clauses 5.2, 6.2) Information security policy and objectives
(clause 6.1.2) Risk assessment and risk treatment methodology
(clause 6.1.3 d) Statement of Applicability
(clauses 6.1.3 e, 6.2) Risk treatment plan
(clause 8.2) Risk assessment report
(controls A.7.1.2, A.13.2.4) Definition of security roles and responsibilities
(control A.8.1.1) Inventory of assets
(control A.8.1.3) Acceptable use of assets
(control A.9.1.1) Access control policy
(control A.12.1.1) Operating procedures for IT management
(control A.14.2.5) Secure system engineering principles
(control A.15.1.1) Supplier security policy
(control A.16.1.5) Incident management procedure
(control A.17.1.2) Business continuity procedures
(control A.18.1.1) Statutory, regulatory, and contractual requirements

Mandatory RECORDS required by ISO 27001

(clause 7.2) Records of training, skills, experience and qualifications
(clause 9.1) Monitoring and measurement results
(clause 9.2) Internal audit programme
(clause 9.2) Results of internal audits
(clause 9.3) Results of the management review
(clause 10.1) Results of corrective actions
(controls A.12.4.1, A.12.4.3) Logs of user activities, exceptions, and security events

Systematic checklist of what top management must do

1) Set the business expectations (objectives) for information security.
2) Publish a policy describing how it will be checked whether those expectations are met.
3) Assign the main responsibilities for information security.
4) Provide sufficient financial and human resources.
5) Regularly review whether all the expectations were actually met.

NON-mandatory documents for ISO 27001

(clause 7.5) Procedure for document control
(clause 7.5) Controls for managing records
(clause 9.2) Procedure for internal audit
(clause 10.1) Procedure for corrective action
(control A.6.2.1) Bring your own device (BYOD) policy
(controls A.6.2.1, A.6.2.2) Mobile device and teleworking policy
(controls A.8.2.1, A.8.2.2, A.8.2.3) Information classification policy
(controls A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3) Password policy
(controls A.8.3.2, A.11.2.7) Disposal and destruction policy
(control A.11.1.5) Procedures for working in secure areas
(control A.11.2.9) Clear desk and clear screen policy
(controls A.12.1.2, A.14.2.4) Change management policy
(control A.12.3.1) Backup policy
(controls A.13.2.1, A.13.2.2, A.13.2.3) Information transfer policy
(control A.17.1.1) Business impact analysis
(control A.17.1.3) Exercising and testing plan
(control A.17.1.3) Maintenance and review plan
(control A.17.2.1) Business continuity strategy

Four key benefits of ISO 27001 implementation

1. Compliance: the quickest "return on investment". If an organization must comply with various regulations on data protection, privacy and IT governance (particularly a financial, healthcare or government organization), ISO 27001 provides a methodology that lets it meet those obligations in the most efficient way.
2. Marketing edge: ISO 27001 certification can be a genuine unique selling point, especially if you handle clients' sensitive information.
3. Lowering expenses: a financial gain from reducing the costs caused by incidents. Most organizations do experience service interruptions, occasional data leakage, or damage from disgruntled current or former employees.
4. Putting your business in order: ISO 27001 is particularly good at sorting these things out, because it forces you to define responsibilities and duties very precisely, and so strengthens your internal organization.
