How to Build an ISO 27001 Information Security System

For a full picture of what it takes to build an ISO 27001 information security management system, contact Sistem Patent Kalite, the ISO 27001 certification firm.
How to build an ISO 27001 information security system is set out in the stages below.
- Valuation of information assets against the integrity, confidentiality, and availability criteria
- Risk assessment
- Definition of the controls that will address the risk analysis outputs
- Creation of the system documentation that the standard requires
- Theoretical application of the controls
- Internal audit
- Retention of records
- Management review
- Certification activities
- Information Security Management System operations
Before the build stages, a few points deserve a direct statement. First, for the ISMS to deliver value and to operate cleanly, the build has to be accepted and sponsored by senior management. Support from top management is vital to the success of the ISMS: senior leadership has to believe that the ISMS is necessary and useful. That is the first condition.

Another important condition is that the ISMS build must not be confused with the installation of an IT system or product. The ISMS is a far-reaching system that affects how the organisation operates and touches every function. It requires people at every level to act on information security principles as they do their work. Building that awareness and moving it into day-to-day operation is the outcome of a gradual development process; the ISMS is a continuous improvement process.

A further common misunderstanding is the idea that the ISMS is solely the responsibility of the IT function. The ISMS is not a technical matter or a technology issue. It is a system that can only reach its goal with the active participation of the whole organisation, from senior management to the most junior team member. Without that participation and support, the ISMS will not deliver what is expected of it. One of the steps needed to build an effective ISMS is to set up an Information Security Committee inside the organisation.
The Information Security Committee (also called the Security Forum) is made up of representatives from every function of the organisation. Representatives from IT, finance, internal audit, human resources, security, and every other function take a seat on the committee. Committee members should be knowledgeable and experienced in information security and should have the authority to represent their function. Where committee members do not have sufficient background in information security, they must attend ISMS training before starting work.
Having representatives from every function on the committee raises the likelihood of success for the ISMS. It helps the ISMS to reach every part of the organisation. Security requirements across the whole organisation become visible and easier to address. This is vital for the correct planning and the healthy operation of the ISMS.
An active representative from every function also helps close the communication gap between management and technical staff. People who live with the problems and the requirements every day can explain the case to management more effectively on specific points. Through the Information Security Committee, the authority and responsibilities linked to the ISMS are distributed evenly across the organisation. As noted earlier, the ISMS is not just an IT matter.
Since 1999, Sistem Patent Kalite has grown into one of Turkey's leading quality certification firms. The certification and testing consultancy runs consultancy offices in Istanbul, Izmir, Ankara, Bursa, Adana, Antalya, Konya, Kayseri, and Eskisehir, so clients can meet the team close to their site.