
ISO 27001 Implementation

An organisation cannot avoid information security risk altogether, but it can manage it systematically by following the guidelines for a management process that covers every risk treatment option: reducing a risk with controls, retaining (accepting) it, avoiding the activity that causes it, or transferring it, for example through insurance or a contract. ISO 27001 puts management processes in place that address all these areas of risk management and control, and it requires the organisation to show that each identified risk has been treated in one of those ways.

In order to implement the requirements of ISO 27001, it should be read together with ISO 27002, the Code of Practice for information security controls. ISO 27001 states what an Information Security Management System must contain and is the standard an organisation is certified against; ISO 27002 is not itself certifiable, but it gives the implementation guidance for each control. Together they provide what is needed to become ISO 27001 compliant, along with further information, advice and implementation guidance.

The standard was written and published to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System". In order to meet these objectives, an organisation should work through the following steps:

  • The first step is to make a conscious decision to adopt the ISO 27001 standard.

  • The next step is to obtain management commitment and to assign the project responsibilities to the various managers. The standard expects top management to provide the resources for the ISMS and to review it at planned intervals, so this commitment needs to be visible and ongoing rather than a one-off sign-off.

  • There should also be an information security policy in place, approved by management, that sets out the organisation's commitment to protecting its information and knowledge and gives the objectives the ISMS has to support.

  • Next the organisation should define the scope of the Information Security Management System (ISMS): which business units, locations, systems and information are covered. The scope is what the certificate will eventually refer to, so it should be stated precisely and any exclusions justified.

  • Within that scope, carry out a risk assessment: identify the information assets, the threats and vulnerabilities that could affect them, and the likelihood and impact of each resulting risk, using a documented and repeatable method so that the assessment can be compared with later ones.

  • The company should then decide how each identified risk is to be treated (reduced with controls, retained, avoided or transferred), with the decision recorded in a risk treatment plan and the remaining residual risk formally accepted by management.

  • After the scope has been defined and the risks assessed, the company needs to decide on the control objectives and controls that will be implemented. The reference set is Annex A of ISO 27001, whose controls correspond to those in ISO 27002 (formerly numbered ISO 17799, so older material refers to it under that name). Controls that are not listed in Annex A should also be considered where the risk assessment calls for them. The selected and excluded controls, with the reasons for each decision, are recorded in the Statement of Applicability, which the auditors will use as a reference. For further implementation advice and guidance on each control, ISO 27002 should be consulted.

  • Once all of the above has been accomplished, the practical part of the implementation process begins. The first step here is to implement the controls decided on in the preceding steps, and then to operate, measure and internally audit them, because the certification audit looks for evidence that the ISMS is running, not just that it has been designed.

  • As the project proceeds, the organisation should also prepare for the certification audit, which is carried out by an accredited certification body. It is normally conducted in two stages: a review of the ISMS documentation (scope, policy, risk assessment, Statement of Applicability), followed by an on-site audit of whether the controls are operating as described. If this audit is passed, a certificate is issued.

  • Should the organisation not pass the first audit, the auditors will report the nonconformities they found, and the organisation will have to take the appropriate corrective action to address them.

  • After taking the corrective action, the organisation once again prepares for an audit. Once this is passed, the certificate is issued. The certificate is then maintained through periodic surveillance audits, so the ISMS has to keep operating after certification rather than being treated as a completed project.

The certificate allows the organisation to advertise the fact that its ISMS conforms to ISO 27001. The fact that the information and knowledge held by the organisation are managed under a certified ISMS can be a convincing selling point for potential clients. Anyone relying on the certificate should, however, check its stated scope and the Statement of Applicability: the certificate covers only the parts of the organisation and the controls named there.

ISO 27001 provides organisations with enough guidance to give their clients and shareholders confidence that the information held by the organisation is being managed in a structured and auditable way.