At the end of 2019, Axenic’s leadership team agreed to implement our strategy to achieve ISO 27001 certification. This took the form of setting aside resources to spend time on designing and implementing our Information Security Management System (ISMS). In this blog series, we take you through Axenic’s journey to certification; Part One of the series covers the decision to pursue certification. In this second blog of the Axenic ISO 27001 certification journey, we look at the planning stage and what was involved in this important step.
First steps to ISMS
1) As a starting point we had to show leadership support by making available the resources we needed. The leadership team first decided who would be the project sponsor; the team selected Axenic’s Board Chairman and Director, Jim Shaw. Sitting at the top of the organisational hierarchy, the ISMS sponsor can help remove any roadblocks down the line.
2) Martin Pretorius was assigned the role of the Information Security Manager (ISM), setting aside two days a week to focus on establishing the ISMS. Establishing the ISMS involved the following:
- Having a subject matter expert to build and implement the ISMS – it’s important to choose someone with experience implementing information security management systems based on the ISO/IEC 27001:2013 standard.
- Getting a copy of the standard as this represents the ISMS blueprint.
3) Once we had an ISM and a Sponsor, we were able to start building our ISMS. Here is how we did it:
- We needed a management team for our management system, and the authority to make decisions as this would help with the approvals of our frameworks, policies, processes, procedures, standards and guidelines. With authority granted from the Board, we were able to start creating the relevant artefacts.
- An Information Security Steering Group (ISSG) was established, and the first written document created was the ISSG Terms of Reference. This gives the ISSG the teeth it needs to get the job done. In our case, we established our ISSG with the roles of ISMS Sponsor, Managing Director (MD), Chief Information Security Officer (CISO) and ISM. Note this is a leadership group that is capable of making business decisions.
- We decided to set up monthly ISSG meetings during the implementation of the ISMS and to change the frequency to quarterly once the ISMS was up and running.
Building our ISMS
With the right planning and set-up underway, we were ready to get stuck into building our ISMS. The following steps were undertaken:
- The ISM defined the ISMS Charter, explaining what the ISMS is about and what it will do. This sets the scene and approach to establishing the ISMS.
- The ISM drafted the Organisational Context document. Our approach was to first define the scope (as per the standard) and document an understanding of our business in one document. This context document is one of the cornerstones of our ISMS and informs what our business looks like and what it involves.
- At this stage, we could say that we have planted the ISMS seed. It does not do anything yet, but it feels good that it exists.
Because we had our scope for the ISMS and we had a direction, we could now start digging into the details as follows:
- The risk-based approach: we started with a business-wide Security Risk Assessment (SRA) to identify our information security risks. We then defined our Security Risk Management Plan (SRMP), also called a Risk Treatment Plan. These allowed us to set our risk management priorities, an essential requirement for a risk-based approach to information security.
- We aligned our controls directly with ISO 27001 Annex A controls.
- We knew what controls we needed to implement, but remember that an ISMS is not about the controls – it is about having a system in place to manage your security. As a starting point, we focused on our Information Security Policy.
- At this stage, we were starting to accumulate some documents. We formalised our document repository by creating a folder structure resembling the ISO 27001 clauses and wrote a document control procedure to tell everyone where and how to manage their documents and records. This also helped set a standard document control section in all our formal documents, helping us meet the document management requirements of the standard.
ISMS Building Supplies
Now we had enough information to know what we needed to build our ISMS. We had a risk assessment, a risk management plan and an organisational context. Armed with the standard, we were ready to do some project management activities.
We decided to use a Kanban board to plan and manage our tasks; our ISMS Kanban board was born. The ISM filled the board with a backlog of items based on the requirements of the standard and the outcomes of the risk assessment. This became our main list of activities to complete the establishment of our ISMS. As part of the ongoing delivery, the ISM established weekly 15-minute project meetings to discuss what was to be done next. We planned two weeks in advance and had a health check in the middle of each sprint. At this stage we had a very long backlog of activities; however, we were ready to generate some artefacts and corresponding operational activities for our ISMS.
If you want to keep up with this series, look out for Part 3, where we will discuss a few bumps we had on our journey to certification.
Contact us today if you would like help to implement and certify your ISO 27001 ISMS!