ISO 27001 compliance is a structured process for managing information security within an organization. The standard comprises several domains, controls, and deliverables that must be implemented and managed effectively to achieve certification. Here’s a detailed overview of the project manager’s role in ISO 27001 and a summary of the 93 deliverables.
Role of the Project Manager in ISO 27001 Implementation
- Project Planning: Develop a detailed project plan for ISO 27001 implementation, including timelines, resources and budget, and align the plan with business objectives.
- Stakeholder Engagement: Coordinate with stakeholders, including senior management, department heads, IT, and legal, to ensure alignment with compliance objectives and resource availability.
- Risk Assessment and Management: Oversee the risk assessment process to identify, evaluate, and prioritize information security risks.
- Control Implementation: Ensure that the necessary controls (outlined in ISO 27001 Annex A) are implemented effectively across the organization.
- Policy and Procedure Documentation: Manage the documentation process, ensuring policies, procedures, and standards meet ISO 27001 requirements.
- Training and Awareness: Organize training programs to ensure that employees understand their roles in maintaining ISO 27001 compliance.
- Monitoring and Review: Regularly review the effectiveness of implemented controls, oversee internal audits, and facilitate management reviews.
- Continuous Improvement: Address findings from audits and reviews, implementing improvements as necessary to maintain and enhance the Information Security Management System (ISMS).
Overview of ISO 27001 Deliverables
ISO 27001’s structure and Annex A contain 14 domains and 93 controls. Here’s a summary of the controls in each domain, followed by example templates for key deliverables:
1. Information Security Policies
- Control A.5.1: Management direction for information security
2. Organization of Information Security
- Controls A.6.1 – A.6.2: Information security roles and responsibilities, segregation of duties, and contact with authorities and with special interest groups.
3. Human Resource Security
- Controls A.7.1 – A.7.3: Screening, terms of employment, information security awareness, education, training, and disciplinary processes.
4. Asset Management
- Controls A.8.1 – A.8.3: Inventory of assets, acceptable use, and return of assets.
5. Access Control
- Controls A.9.1 – A.9.4: Business requirements, user access management, user responsibilities, and system access controls.
6. Cryptography
- Control A.10.1: Policy on cryptographic controls and key management.
7. Physical and Environmental Security
- Controls A.11.1 – A.11.2: Secure areas, equipment security, and protection from environmental threats.
8. Operations Security
- Controls A.12.1 – A.12.7: Operational procedures, change management, capacity management, malware protection, backup, and logging.
9. Communications Security
- Controls A.13.1 – A.13.2: Network security and information transfer policies.
10. System Acquisition, Development, and Maintenance
- Controls A.14.1 – A.14.3: Security requirements for information systems, security in development processes, and control of testing and changes.
11. Supplier Relationships
- Controls A.15.1 – A.15.2: Information security in supplier agreements and monitoring.
12. Information Security Incident Management
- Control A.16.1: Incident management procedures and reporting.
13. Information Security Aspects of Business Continuity Management
- Controls A.17.1 – A.17.2: Information security continuity and redundancy.
14. Compliance
- Controls A.18.1 – A.18.2: Compliance with legal and contractual requirements and information security reviews.
Key Templates
To aid in implementing these controls, the following templates are commonly used in ISO 27001 implementation:
- Information Security Policy – Outline management’s approach and objectives.
- Risk Assessment Template – Identify, evaluate, and prioritize risks.
- Statement of Applicability (SoA) – Justify selected controls and exclusions.
- Asset Inventory Template – Document all information assets.
- Access Control Policy – Define access management standards.
- Incident Response Procedure – Steps for handling security incidents.
- Business Continuity Plan – Ensure resilience in disruptive events.
- Audit Checklist – Track and assess control effectiveness.
For templates and documents tailored to ISO 27001, the following sources offer reputable resources:
- ISOTemplates – Paid templates for ISO 27001.
- CertiKit – Complete toolkits for ISO 27001.
- ComplianceForge – Comprehensive documentation templates.
Contact Rob Gielen or Pieter Gielen for more information on the ISO 27001 implementation track.