
Improving performance, reducing risk

Ten Tips for implementing ISO 27001

www.lrqa.co.uk/iso-27001

To help you implement an Information Security Management System (ISMS), LRQA has pulled together 10 tips for you to consider when implementing ISO 27001. This article has been updated by Jonathan Alsop, LRQA ISO 27001 Lead Assessor.

1 Management commitment and support

There is a requirement for the motivation and direction to come from top management. They have to be actively engaged in ensuring the direction of your ISMS and that it is compatible with your organisation's strategy, as well as owning key aspects such as the policy and objectives. Success will come if management understands the reasons for implementing an ISMS and fully supports its design and operation.

2 Develop a plan

Success is all the more likely if you develop a meaningful and realistic plan, measure performance against that plan and are then prepared to change it in the event of unforeseen circumstances.

3 Understand the standard and your stakeholders

As with any project, to implement an ISMS you need to familiarise yourself with the standard. Understand the criteria that you have to meet, the structure of the standard and hence the structure of your ISMS and associated documentation. Having a clear understanding of why you are implementing the standard, as well as those who may impact or be impacted by your ISMS, will provide you with a clear insight into how your management system should be designed.

4 Management processes

These processes, and top management's understanding of these processes, are critical to the effective implementation of your ISMS:

- Having a clear understanding of your market, stakeholders, risks, objectives and strategy will help you define and understand your context whilst helping to drive your ISMS and the ethos of continual improvement.
- Adequate resources (people, equipment, time and money) should be allocated to the development, implementation and monitoring of your ISMS.
- Internal audit verifies that your management system is operating as intended and is identifying system nonconformities and any opportunities for improvement.
- Management review provides the opportunity for top management to assess how well your management system is operating and supporting the business.
- Make sure you have correctly trained and competent individuals within your organisation.

5 Define scope

It is essential that the logical and geographical scope of your ISMS is accurately defined so that the boundaries of your information security management system and security responsibilities can be identified.

6 ISMS policy

Define your ISMS policy in terms of the characteristics of the business, the organisation, its location, assets and technology.

7 Risk assessment and risk management

The risk assessment is the foundation on which an ISMS is built. It provides the focus for the implementation of security controls and ensures that they are applied where they are most needed and most cost effective.

The process should consider the threats and vulnerabilities and any opportunities associated with the assets and the impact of their exploitation. Finally, you must determine the level of risk and identify the controls to be implemented to manage those risks.

8 Risk treatment

The risk assessment identifies risk levels, which are then compared to the acceptable level of risk determined by your organisation's security policy. Once they have been determined, implement controls to mitigate these risks.

9 Gap analysis

This assessor-delivered activity offers the opportunity to focus on critical, high-risk or weak areas of your system in order to create a certifiable system. It can also look at how existing management systems or procedures can be used within your chosen standard.

10 Certification

Certification is an external assessment of your information security management system to ensure that it meets the requirements of ISO 27001. It is typically a two-stage process consisting of a system appraisal and an initial assessment, the duration of which is dependent on the size, complexity and nature of your organisation.

About us

Ever tougher stakeholder demands, changing business conditions and increased competition mean you need better operational control, performance and risk management.

To help you, we continue to enhance our services. We don't just verify against the requirements of a standard, but go even further.

Our field-based business development managers tailor our certification, validation, verification and training services to better meet your needs, giving added value beyond the traditional assessment process.

Our expertise

Your choice of certification body says a lot to your customers about how seriously you take your information security management system (ISMS). You need to choose a certification body that can help you develop your management system to realise its full potential.

LRQA has been at the forefront of standards development and involved in ISMS assessment and certification for a number of years. We have high-profile clients in the finance, telecommunications, software, internet, consultancy, justice and government sectors. They trust us to deliver high quality, consistent and impartial assessments with the full back-up of a highly dedicated support package.

Our assessors are management systems experts qualified in information security and other aspects of IT. Their objective view will give you increased confidence in your own security measures as judged against best industry practice.

Choosing LRQA means you'll be working with one of the world's most trusted and respected management system bodies, providing you, your customers, prospective customers, trading partners and other stakeholders with business assurance.

Our services

Training

Whether you are in the early stages of setting up an ISMS or looking to improve what you have, we have a course to suit. Our public courses are held throughout the UK and give you the added benefit of sharing experiences with other delegates. We can also deliver any of our standard published courses in-house or tailor an event to meet your specific needs.

More from: www.lrqa.co.uk/training

Optional gap analysis

This assessor-delivered activity offers the opportunity to focus on critical, high-risk or weak areas of your system in order to create a certifiable system. It can also look at how existing management systems or procedures can be used within your chosen standard.

Whether you are in the early stages of implementing your management system or looking to go for a dry run before the assessment visit, the scope of the gap analysis can be decided with either your business development manager or assessor, giving you more flexibility in choosing the scope and duration of the visit.

Certification

This is typically a two-stage process consisting of a system appraisal and an initial assessment, the duration of which is dependent on the size and nature of your organisation.

Your business development manager will design a solution to meet your specific needs, while your assessors will be open, helpful and take a practical approach. We feel this is one of the ways for us to add real value to the assessment process.

Surveillance

Once we've approved your ISMS, we carry out regular surveillance visits where we check its ongoing effectiveness. This gives you, and your top management, the assurance that the management systems are on track and continually improving.

Integrated management system assessment

Companies looking to combine their management system with an existing management system (such as quality) can benefit from a co-ordinated assessment and surveillance programme. This service is continually being developed. If you are interested in this combined approach, then please let us know when you contact us.

Choosing LRQA means you'll be working with a company that is synonymous with the business of security.

To find out more about how LRQA can help you with your requirements, please call us on 0800 783 2179 or contact us at enquiries@lrqa.co.uk

www.lrqa.co.uk/iso-27001
LRQA, 1 Trinity Park, Bickenhill Lane, Birmingham, B37 7ES, United Kingdom
Care is taken to ensure that all information provided is accurate and up to date. However, LRQA accepts no responsibility for inaccuracies in, or changes to, information. Lloyd's Register and variants of it are trading names of Lloyd's Register Group Limited, its subsidiaries and affiliates.
Lloyd's Register Quality Assurance Limited 2016. A member of the Lloyd's Register group. Pub March 2016
