ISO 27001 compliance is a structured process for managing information security within an organization. The standard comprises several domains, controls, and deliverables that must be implemented and managed effectively to achieve certification. Here’s a detailed overview of the project manager’s role in ISO 27001 and a summary of the 93 deliverables.

Role of the Project Manager in ISO 27001 Implementation

  1. Project Planning: Develop a detailed project plan for ISO 27001 implementation. This includes setting timelines, resources, and budget, and aligning the plan with business objectives.
  2. Stakeholder Engagement: Coordinate with stakeholders, including senior management, department heads, IT, and legal, to ensure alignment with compliance objectives and resource availability.
  3. Risk Assessment and Management: Oversee the risk assessment process to identify, evaluate, and prioritize information security risks.
  4. Control Implementation: Ensure that the necessary controls (outlined in ISO 27001 Annex A) are implemented effectively across the organization.
  5. Policy and Procedure Documentation: Manage the documentation process, ensuring policies, procedures, and standards meet ISO 27001 requirements.
  6. Training and Awareness: Organize training programs to ensure that employees understand their roles in maintaining ISO 27001 compliance.
  7. Monitoring and Review: Regularly review the effectiveness of implemented controls, oversee internal audits, and facilitate management reviews.
  8. Continuous Improvement: Address findings from audits and reviews, implementing improvements as necessary to maintain and enhance the Information Security Management System (ISMS).

Overview of ISO 27001 Deliverables

ISO 27001’s structure and Annex A contain 14 domains and 93 controls. Here’s a summary of the controls, organized by domain, followed by a list of templates for key deliverables:

1. Information Security Policies

  • Control A.5.1: Management direction for information security.

2. Organization of Information Security

  • Controls A.6.1 – A.6.2: Information security roles and responsibilities, segregation of duties, contact with authorities, and special interest groups.

3. Human Resource Security

  • Controls A.7.1 – A.7.3: Screening, terms of employment, information security awareness, education, training, and disciplinary processes.

4. Asset Management

  • Controls A.8.1 – A.8.3: Inventory of assets, acceptable use, and return of assets.

5. Access Control

  • Controls A.9.1 – A.9.4: Business requirements, user access management, user responsibilities, and system access controls.

6. Cryptography

  • Control A.10.1: Policy on cryptographic controls and key management.

7. Physical and Environmental Security

  • Controls A.11.1 – A.11.2: Secure areas, equipment security, and protection from environmental threats.

8. Operations Security

  • Controls A.12.1 – A.12.7: Operational procedures, change management, capacity management, malware protection, backup, and logging.

9. Communications Security

  • Controls A.13.1 – A.13.2: Network security and information transfer policies.

10. System Acquisition, Development, and Maintenance

  • Controls A.14.1 – A.14.3: Security requirements for information systems, security in development, and testing and changes.

11. Supplier Relationships

  • Controls A.15.1 – A.15.2: Information security in supplier agreements and monitoring.

12. Information Security Incident Management

  • Control A.16.1: Incident management procedures and reporting.

13. Information Security Aspects of Business Continuity Management

  • Controls A.17.1 – A.17.2: Information security continuity and redundancy.

14. Compliance

  • Controls A.18.1 – A.18.2: Compliance with legal and contractual requirements and information security reviews.

Key Templates

To aid in implementing these controls, here are downloadable templates commonly used in ISO 27001 implementation:

  1. Information Security Policy – Outline management’s approach and objectives.
  2. Risk Assessment Template – Identify, evaluate, and prioritize risks.
  3. Statement of Applicability (SoA) – Justify selected controls and exclusions.
  4. Asset Inventory Template – Document all information assets.
  5. Access Control Policy – Define access management standards.
  6. Incident Response Procedure – Steps for handling security incidents.
  7. Business Continuity Plan – Ensure resilience in disruptive events.
  8. Audit Checklist – Track and assess control effectiveness.

For templates and documents tailored to ISO 27001, the following sources offer reputable resources:

Contact Rob Gielen or Pieter Gielen for more information on the ISO27001 implementation track.
