In our first episode in the ISO 27001 Steps to Success podcast series, we take you through how to implement ISO 27001 with Steve Mason, Senior Information Security Consultant with Blackmores. Steve shares his experience and provides tips on how to implement ISO 27001 within your organisation covering the key aspects – IT, employees and physical security. Steve provides an overview of the structure of the standard which sections of the standard you need to implement and why.
The Gap Analysis is the beginning of your Information Security journey. This helps you to understand which controls you’ve got in place (both documented and non-documented). Steve typically finds that companies tend to have an asset register and anti-virus, fire-walls and back-ups, however what is usually missing are documented controls to support them.
So for example you may back-up data, but you may not necessarily have any controls that clearly state:-
- What data are you backing-up?
- When is the data backed-up?
- How is the data backed-up?
- Who is responsible for making sure that the back-ups happen and can retrieve data?
Who should be involved with the Gap Analysis? Ideally, a cross-representation of functions to understand what type of data assets are received, processed, protected and communicated within your organisation. This can include a representative from operations, HR, Office Management, IT, procurement and supplier/contractor management.
What is the scope of your Information Security Management System? Is it the entire business, or only certain locations or services?
Once the scope is understood, the next stage is the Information Security Risk Assessment to understand the type of information assets your business has, owners of the assets and the risks associated. At Blackmores, we have a simplistic but very effective approach to Risk Assessment which Steve explains the methodology behind it and how it rates the risks in your business.
To hear about the Risk Assessment methodology and other interesting information such as Why can CCTV footage let you down in an assessment? Download our ISO Show Podcast and join Steve and I on our ISO 27001 Steps to Success Journey.
And click HERE for further information on how we can help you with ISO 27001.
To help out the ISO Show: