Practical Guide to ISO27001 Compliance (UK)

Note: Links to our free templates are at the bottom of this long guide.
Also note: This is not legal advice

Introduction

The digital world is rapidly advancing, and with it, the need for robust data protection measures is becoming increasingly important for businesses of all sizes. The ISO 27001 standard offers an internationally recognized information security management system (ISMS), a comprehensive set of requirements designed to protect data from unauthorized access, accidental loss and malicious attack. Adopting this standard is essential for organizations wanting to ensure the security of their data while also demonstrating commitment to protecting their customers’ and employees’ privacy.

The ISO 27001 standard provides a framework which covers every aspect of establishing and maintaining an ISMS; including best practices on implementation, ongoing management, risk assessment -identifying potential threats or vulnerabilities- employee training and awareness. Furthermore, proving your compliance with this standard through certification helps you gain trust from customers, partners and suppliers; showing that your organization takes data security seriously.

Investing in measures that follow the ISO27001 standard not only protects your data but prepares you for the ever-changing security landscape by ensuring you are up to date with current regulations surrounding data protection. For those needing guidance in developing their own ISMS based on the ISO27001 standard without having to pay a lawyer, Genie AI’s open source legal template library offers millions of datapoints which teach its AI what a market-standard iso27001 looks like -allowing anyone to draft and customize high quality legal documents quickly without needing any prior experience in law or coding.

In conclusion, implementing an ISMS based on the ISO 27001 standards will help organizations protect their data as well as demonstrate their commitment to protecting customers’ privacy; providing trustworthiness among stakeholders while preparing them for future changes in technology within this field. To read on for our step-by-step guidance or find out how you can access Genie AI’s free template library today – look no further!

Definitions

ISO 27001: An international standard that provides a framework for organizations to protect the confidentiality, integrity, and availability of their information.
Risk Register: A list of all identified risks and the potential impact, likelihood, and owner of each risk.
Risk Thresholds: Decisions made to decide when a risk is unacceptable and should be mitigated or eliminated.
Risk Owners: Individuals responsible for managing and monitoring risks and taking corrective action when necessary.
Risk Mitigation Plans: Outlines of steps taken to reduce the likelihood or impact of a risk occurring.
Information Security Management System (ISMS): A system of controls and processes to ensure compliance with the ISO 27001 standard.
Objectives: Measurable and achievable goals for an ISMS to ensure it meets the requirements of the standard.
Scope: The areas of an organization covered by the ISMS, including all processes, systems, and data related to the organization’s operations.
Roles and Responsibilities: Assignments of tasks to individuals involved in the ISMS to ensure it is effectively implemented and maintained.
Processes: Systematic procedures for all aspects of the ISMS to ensure it is effectively implemented and maintained.
Inventory of Assets: A list of all assets covered by the ISMS, including physical and digital assets, systems, and data.
Access Control Requirements: Regulations to ensure that only authorized personnel have access to sensitive information.
Security Protocols: Rules for securing systems and data, such as encryption, virus protection, and patch management.
Incident Response Procedures: Steps to properly handle incidents and take corrective action, such as investigation, containment, and remediation.
Deploying Security Solutions: Installation of security solutions, such as firewalls, antivirus software, and intrusion detection systems.
Monitoring and Reporting: Logging and monitoring of system activity and reporting of security incidents.
Audit and Review Processes: Internal and external audits and reviews of policies and procedures.
Findings: Results of assessments and reviews.
Corrective Actions: Necessary actions to ensure compliance with the standard.
Preventive Measures: Actions taken to prevent non-compliance.
Corrective Action Plans: Plans outlining steps such as investigation, containment, and remediation to implement corrective actions.
Timescales: Deadlines for implementing corrective actions.
Improvement Plans: Plans to ensure continual improvement of the ISMS, including reviews of policies and procedures and internal and external audits.
Training Requirements: Specifications of what staff should be trained on.
Training Materials: Instructional material for staff to learn from.
Training Effectiveness: How successful staff training is in preparing them for the ISMS.

Contents

1. Understanding the importance of ISO27001 and why it is necessary to comply
2. Identifying any existing security measures and gaps in compliance
3. Developing a comprehensive risk assessment strategy
4. Establishing a risk register
5. Establishing risk thresholds
6. Identifying risk owners
7. Creating risk mitigation plans
8. Creating an Information Security Management System (ISMS)
9. Establishing objectives
10. Establishing scope
11. Establishing roles and responsibilities
12. Defining processes
13. Establishing a clear set of policies, procedures, and controls
14. Creating an inventory of assets
15. Establishing access control requirements
16. Establishing security protocols
17. Defining incident response procedures
18. Implementing the ISMS and monitoring its progress
19. Deploying security solutions
20. Establishing monitoring and reporting
21. Establishing audit and review processes
22. Carrying out periodic assessments and reviews to ensure continued compliance
23. Identifying areas of non-compliance
24. Documenting findings
25. Raising corrective actions
26. Implementing necessary corrective actions and preventive measures
27. Developing corrective action plans
28. Establishing timescales
29. Ensuring actions are completed
30. Ensuring continual improvement of the ISMS
31. Establishing improvement plans
32. Implementing changes
33. Measuring effectiveness
34. Training staff in ISO27001 implementation and maintenance
35. Establishing training requirements
36. Developing and delivering training materials
37. Evaluating training effectiveness

Get started

Understanding the importance of ISO27001 and why it is necessary to comply

• Understand the importance of ISO27001 and the need to comply, including the benefits of compliance such as improved security, reduced risk, and enhanced customer trust.
• Research the requirements of ISO27001, including the 14 security principles, and the requirements for the implementation of controls.
• Determine the scope of the ISO27001 compliance program, including the specific areas to be covered and the timeline for completion.
• Identify any gaps in the existing security measures and processes, and develop a plan to address these gaps.
• When you have a thorough understanding of the importance of ISO27001 and why it is necessary to comply, you can move on to the next step.

Identifying any existing security measures and gaps in compliance

• Research existing security measures and policies in place
• Review any existing audit reports and recommendations
• Identify any gaps between existing security measures and ISO27001 requirements
• Document any gaps identified in an audit report
• Make a plan to address any gaps in compliance
• When you have completed all research, have identified any gaps and made a plan to address them, you can move on to the next step.

Developing a comprehensive risk assessment strategy

• Define the scope of the risk assessment and the asset being assessed
• Identify the risks associated with the asset, considering both internal and external threats
• Assess the likelihood of each risk occurring and the impact it would have if it did
• Use the risk assessment to develop a risk management strategy
• Implement the strategy and monitor the results
• Document the risk assessment process and results
• When you’ve completed the risk assessment, you can move onto establishing a risk register.

Establishing a risk register

• Identify potential sources of loss and the potential impact of each threat
• Create a risk register template to track potential risks and the appropriate actions to take in response
• Assign a risk score to each risk, based on the severity of the threat and the likelihood of it occurring
• Document the risk status, including any mitigating actions or controls that have been put in place
• Assign a risk owner to each risk and make sure they are responsible for monitoring and managing the risk
• Establish risk thresholds and triggers that must be met before any action is taken
• Review the risks periodically to ensure they are still relevant and up-to-date
• When the risk register is complete, you can check it off your list and move on to the next step.

Establishing risk thresholds

• Determine the acceptable levels of risk to the organization
• Consider the consequences of the risks and establish risk thresholds based on the organization’s risk appetite
• Document the risk thresholds in a Risk Acceptance Policy
• Review the risk thresholds with the appropriate stakeholders
• When stakeholders have agreed to the risk thresholds, the step is complete and you can move on to the next step.

Identifying risk owners

• Identify which individuals and/or departments are responsible for the risks associated with the assets being protected.
• Assign each risk to a risk owner and ensure they are aware of their responsibility.
• Document the risk owners in the risk register.
• Establish a communication strategy to ensure that all risk owners are aware of their responsibilities.
• Once all risks have been assigned to risk owners, this step is complete.

Creating risk mitigation plans

• Compile a list of identified risks and assign ownership
• Assess each risk in terms of potential impact, likelihood of occurrence and level of control
• Develop an action plan to mitigate each identified risk
• Assign a responsible party and timeline for each risk mitigation
• Monitor and review the effectiveness of the risk mitigation plans
• Update the risk register to reflect the new action plans

Once you’ve developed and implemented the risk mitigation plans, you can move on to the next step of creating an Information Security Management System (ISMS).

Creating an Information Security Management System (ISMS)

• Create a policy and procedures manual for your ISMS.
• Define roles and responsibilities for your Information Security team.
• Create an inventory of important data and documents stored and accessed within your organisation.
• Establish a process for identifying and evaluating threats and risks to your organisation.
• Establish a process for responding to security incidents.
• Create an audit plan to ensure your ISMS is functioning as expected.
• Develop a training plan to ensure that all staff members are aware of the importance of information security.

You’ll know when you can check this step off your list and move on to the next step when you have completed the listed steps and ensured that you have a working ISMS in place.

Establishing objectives

• Identify the key stakeholders and ensure they are included in the process
• Set specific, measurable, achievable, realistic and time-bound objectives for the ISMS
• Ensure that the objectives are determined in line with the needs and expectations of the stakeholders
• Document the objectives and make them available to all stakeholders
• Monitor progress towards the objectives and review them periodically

You will know you can move on to the next step when you have identified the key stakeholders, set the specific objectives for the ISMS, documented them and made them available to all stakeholders.

Establishing scope

• Identify the scope of the organization and system boundaries
• Identify the information assets held by the organization and their associated risks
• Define the scope of the ISMS and the objectives of the organization
• Document the scope of the ISMS, including any exclusions
• Update the scope of the ISMS as required
• When all the above steps are completed and documented, you can check this off your list and move on to the next step of establishing roles and responsibilities.

Establishing roles and responsibilities

• Assign a Data Protection Officer (DPO) to be responsible for the overall implementation of the ISO27001 standard.
• Identify any roles that must be filled in order to deliver the security objectives, such as Information Security Manager, Compliance Officer, and Security Officer.
• Create and document a detailed job description for each of the roles that have been identified.
• Ensure that each role has the authority and resources necessary to fulfil their tasks.
• Establish clear lines of responsibility and communication between the security roles and other departments.
• Define the responsibilities each role has in relation to the ISO27001 standard.

When you can check this off your list and move on to the next step:

• When you have identified the relevant roles and created job descriptions for them.
• When you have established clear lines of responsibility and communication between the security roles and other departments.
• When the responsibilities of each role in relation to the ISO27001 standard have been defined.

Defining processes

• Identify the existing processes in the organization and assess their effectiveness in achieving the objectives of the ISO 27001 standard
• Review the existing processes and implement any changes needed to meet the requirements of the standard
• Document the processes in a format that can be easily understood by all personnel involved in the process
• Make sure the processes are reviewed regularly and updated as needed
• Ensure that personnel are aware of the processes and trained on how to use them
• Evaluate the effectiveness of the processes and make necessary changes

Once all processes have been defined and documented, you can move on to the next step of establishing a clear set of policies, procedures, and controls.

Establishing a clear set of policies, procedures, and controls

• Establish what policies, procedures, and controls are needed to ensure ISO27001 compliance
• Identify any existing policies, procedures, and controls that need to be modified
• Develop a policy framework and create guidance documents to support the framework
• Create a document to record the roles and responsibilities of all parties involved in the process
• Get approval from senior management for the policy framework and any related documents
• Distribute the policy framework and any related documents throughout the organization
• Educate and train personnel on the policy framework and any related documents
• Monitor and review the policy framework and any related documents regularly
• You will know that this step is complete when you have received approval from senior management and have distributed the policy framework and any related documents throughout the organization.

Creating an inventory of assets

• Compile and maintain an inventory of all information assets within the scope of the ISMS
• Document all relevant information about the assets, such as name, description, owner, user, location, date of creation, date of last modification
• Ensure that the asset inventory is regularly reviewed and updated
• Consider the use of automation to facilitate the maintenance of the inventory
• When the inventory is complete, you can move on to the next step: Establishing access control requirements.

Establishing access control requirements

• Create a list of roles, privileges and access rights: Identify roles within the organization and assign access rights and privileges to each role.
• Establish a process for granting, changing and removing access rights: Ensure that access rights are granted in a timely manner, and that access is removed when no longer required.
• Set up user authentication and authorization processes: Establish processes to authenticate users and authorize access.
• Implement data logging and monitoring systems: Monitor user activity to detect any unauthorized access or activities.

Once you have completed the steps above, you can check this off your list and move on to the next step of establishing security protocols.

Establishing security protocols

• Develop a security policy document, outlining all relevant security protocols
• Review and approve the security policy document
• Communicate the security policy and protocols to all relevant staff
• Ensure all staff are aware of their responsibilities regarding security protocols
• Develop, review and approve any necessary security procedures and controls
• Assign responsibility for security protocols to an individual or team
• Monitor any changes to the security policy and procedures, and ensure they are communicated to all relevant staff
• You will know you have completed this step when the security policy and protocols have been developed, reviewed, approved and communicated to all relevant staff.

Defining incident response procedures

• Create a plan that defines the procedures for responding to security incidents, including who is responsible for responding and how they should be notified.
• Establish guidelines for evaluating the severity of incidents and the corresponding response.
• Document the incident response plan and distribute it to relevant personnel.
• Train personnel on the incident response plan, including expected timeframes and processes.
• Test the incident response plan by simulating security incidents.

You can check this off your list and move on to the next step when all steps above have been completed, tested, and documented.

Implementing the ISMS and monitoring its progress

• Appoint an ISMS manager, and create an ISMS team to oversee the implementation of the ISMS
• Develop a plan for the implementation of the ISMS, including timelines and responsibilities
• Develop a communication strategy to ensure that everyone is aware of the ISMS
• Implement the policies and procedures of the ISMS
• Identify the resources needed, including hardware and software
• Assign roles and responsibilities for implementing the ISMS
• Train employees on the ISMS and raise their awareness of security policies
• Monitor the ISMS and regularly review its performance
• Identify areas for improvement and update the ISMS accordingly

You can check this off your list and move on to the next step when you have successfully implemented the ISMS, trained employees on it, and monitored its progress.

Deploying security solutions

• Identify the security solutions that are necessary for your company to meet the requirements of ISO 27001
• Install the security solutions required to meet the requirements of ISO 27001
• Configure the security solutions to meet the requirements of ISO 27001
• Test the security solutions to ensure they are functioning as expected and meeting the requirements of ISO 27001
• Monitor the security solutions to ensure they are meeting the requirements of ISO 27001
• Document the security solutions and their configuration

Once the security solutions are installed, configured, tested and monitored, you can move on to the next step of establishing monitoring and reporting.

Establishing monitoring and reporting

• Create a system for monitoring and reporting on compliance with ISO27001
• Define what kind of reports you need to be able to provide
• Establish metrics and KPIs to measure and track progress against the defined requirements
• Design and implement a process to review, evaluate, and report on the performance of the security system
• Identify the personnel responsible for generating and reviewing the reports
• Develop procedures to define when and how reports should be generated and submitted
• When all reports are generated and reviewed, the process of monitoring and reporting on compliance can be considered complete and checked off the list.

Establishing audit and review processes

• Establish policies and procedures on how to audit and review the Information Security Management System (ISMS).
• Establish internal systems for conducting regular audits and reviews of the ISMS.
• Allocate sufficient resources to carry out the audits and reviews.
• Collect evidence and information to assess the adequacy of the ISMS.
• Analyze the evidence and information gathered and identify areas of improvement.
• Record the findings and results of the audit/review process and record any corrective/preventive actions.

You will know when this step is complete when you have established policies and procedures on how to audit and review the ISMS, allocated sufficient resources to carry out the audits and reviews, collected evidence and information to assess the adequacy of the ISMS, analyzed the evidence and information gathered and identified areas of improvement, recorded the findings and results of the audit/review process and recorded any corrective/preventive actions.

Carrying out periodic assessments and reviews to ensure continued compliance

• Develop a schedule for your periodic assessments and reviews for ISO27001 compliance.
• Conduct reviews of internal activities, processes and documents to ensure that they are meeting the requirements of ISO27001.
• Make sure that any changes made to processes, documents or systems are reviewed to ensure they remain compliant with ISO27001.
• Make sure that any non-compliances are addressed and corrected in a timely manner.
• Put in place a system to track the progress of reviews and assessments.
• When all reviews and assessments have been completed, you can move on to the next step of identifying any areas of non-compliance.

Identifying areas of non-compliance

• Identify any areas of non-compliance by carrying out an audit of the current operational and security practices.
• Evaluate the gaps between the current practices and those required by ISO27001 to ensure compliance.
• Record any non-compliant areas and determine the potential impact of these non-compliant areas on the organisation.
• Prioritise any areas of non-compliance and develop a plan to remediate any issues.
• When all areas of non-compliance have been identified and appropriate action taken, this step can be checked off the list.

Documenting findings

• Document any non-compliances identified in the previous step in a report detailing the findings
• Include the areas of non-compliance, the risks associated with these areas, and the recommended corrective action
• Ensure that the report is reviewed by a relevant external or internal auditor to verify the findings
• Make sure that the report is approved by the appropriate management or governance team
• You will know when you can check this step off the list when the report has been reviewed and approved.

Raising corrective actions

• Identify the corrective action required to address the security control gap and/or non-conformity
• Assign responsibility for completing the corrective action to the relevant individual or team
• Set a timeframe for the completion of the corrective action
• Monitor the implementation of the corrective action and review the results
• Once the corrective action has been completed, document the results and review them to ensure they have been effective
• When the corrective action has been completed and approved, mark the item as resolved and move on to the next step.

Implementing necessary corrective actions and preventive measures

• Obtain approval from the Information Security Manager or other responsible party for the proposed corrective action plans
• Assign responsibility for implementing corrective actions and preventive measures to the relevant personnel
• Implement the corrective action plans and preventive measures within the agreed-upon timescales
• Monitor the implementation of corrective action plans and preventive measures for their effectiveness
• Document any changes made to the corrective action plans and preventive measures
• Notify users of any changes made to the corrective action plans and preventive measures

You can check this off your list and move on to the next step once you have implemented all corrective action plans and preventive measures and documented any changes made.

Developing corrective action plans

• Identify the corrective action needed to address any non-compliance issues and document them in the corrective action plan
• Ensure the corrective action plan is communicated to the relevant staff and that they understand their responsibilities
• Monitor the progress of corrective actions and take any necessary measures to ensure they are completed as scheduled
• Determine if any additional resources are needed to complete them and make sure they are available
• Review the corrective action plan periodically to ensure it is up to date and relevant
• When all corrective actions have been completed, you can check this step off your list and move on to establishing timescales.

Establishing timescales

• Set realistic deadlines for each corrective action identified
• Discuss with stakeholders to agree on the most suitable timescales
• Identify and document any dependencies that could affect timescales
• Allocate resources to ensure deadlines are met
• Document the timeline for implementing corrective actions
• Set up regular reviews to monitor progress
• Once the timeline is established and progress is being tracked, you can move on to the next step of ensuring actions are completed.

Ensuring actions are completed

• Document the actions that need to be completed to ensure compliance with ISO27001
• Assign responsibility and set deadlines for completion of each action
• Monitor the progress of each action and ensure it is completed within the specified timeframe
• Create a system to regularly report on the progress of each action
• Document any lessons learned and ensure any issues are addressed
• Ensure any unresolved issues are escalated to the appropriate level
• When all the actions are completed, review the results and document the outcomes
• Check off this step and move on to the next step, Ensuring continual improvement of the ISMS.

Ensuring continual improvement of the ISMS

• Set up a system to identify areas of the ISMS that need improvement
• Develop a process to review and evaluate the performance of the ISMS
• Establish a system to track the performance of the ISMS
• Set up a system to measure the effectiveness of the ISMS
• Regularly review ISMS performance, identify trends and areas for improvement
• Analyze the impact of ISMS improvements and decide on the best course of action
• Implement corrective and preventive actions to address any ISMS weaknesses
• Establish a system to measure the effectiveness of the corrective measures
• Review the effectiveness of the corrective measures and implement any required adjustments

You’ll know you can check this off and move on to the next step when you have a system in place to measure the effectiveness of the ISMS, track performance, analyze trends, and implement corrective and preventive actions.

Establishing improvement plans

• Set measurable objectives for improvement and review the risk assessment process
• Identify areas of the ISMS that could be improved and the objectives that need to be met
• Determine the best way to implement ISO27001 standards and review the process
• Establish a timeline and plan for the implementation of the improvements
• Monitor and measure the progress of the improvement plans
• When all objectives have been met, review the progress and move on to the next step.

Implementing changes

• Develop a timeline for implementing the changes in the improvement plan.
• Allocate resources to complete the changes.
• Monitor progress of each change and provide support to ensure successful implementation.
• Communicate with stakeholders and keep them updated on progress.
• Ensure all changes are documented and updated in the improvement plan.
• When all changes have been implemented, move on to the next step, Measuring effectiveness.

Measuring effectiveness

• Establish key performance indicators and set up processes to monitor and measure the success of ISO27001 compliance
• Develop a system to measure the effectiveness of the organisation’s security management system
• Implement ongoing audits and reviews to ensure processes and controls remain effective
• Analyse audit results to identify and address any weaknesses
• Educate staff on the importance of ISO27001 compliance and the need for regular reviews
• When all systems and processes remain compliant and effective, you can move on to the next step.

Training staff in ISO27001 implementation and maintenance

• Identify individuals who need to be trained on ISO27001 implementation and maintenance
• Develop and deliver training programs, such as in-house sessions, e-learning and/or online tutorials
• Ensure that the training is tailored to the roles and responsibilities of the individuals
• Monitor and evaluate the training to ensure that it is effective
• Ensure that training records are kept and updated
• When all relevant staff have been trained and have a good understanding of the ISO27001 requirements, you can move on to the next step.

Establishing training requirements

• Identify which staff roles and departments need to receive ISO27001 training
• Assess current knowledge levels of staff and identify gaps
• Specify the training requirements for each role/department
• Develop a training plan for staff, setting out expected timelines and objectives
• Implement the training plan
• Monitor the progress of staff training and evaluate the effectiveness of the training program
• When all required staff have completed the training program, you can move on to the next step: Developing and delivering training materials.

Developing and delivering training materials

• Create training materials that cover the requirements of ISO 27001 for all personnel in the organization
• Identify any existing training materials that can be used or adapted for the ISO 27001 training
• Develop or update any existing training materials as needed
• Ensure that all training materials are reviewed and approved by the relevant personnel
• Develop a timetable for delivering the ISO 27001 training
• Assign personnel to deliver the training and ensure they are familiar with the content
• Deliver the ISO 27001 training to all personnel in the organization
• Follow up with additional training sessions as needed
• Monitor and document the effectiveness of the training

You will know when you can check this off your list when:

• All personnel have completed the ISO 27001 training
• All training materials have been reviewed and approved
• After follow-up training sessions have been completed
• The effectiveness of the training has been monitored and documented

Evaluating training effectiveness

• Monitor trainees throughout the day and observe how they apply the materials that were just taught that day
• Review any feedback forms and/or surveys that were completed by the trainees and use this to evaluate the effectiveness of the training materials
• Evaluate the trainees’ performance in any activities or tests that were conducted after the training was completed and use this to gauge the effectiveness of the training
• Use the results of the monitoring, surveys, and activities/tests to make any necessary changes to the training materials or delivery
• Once you are satisfied with the results and feel that the training materials and delivery have been effective, you can move on to the next step.

FAQ

Example dispute

Lawsuits referencing ISO27001

• The plaintiff may raise a lawsuit to seek damages for a breach of the ISO27001 standards, if a company’s information security practices were found to be inadequate and resulted in a data breach or other security incident.
• The plaintiff should reference relevant civil law, regulations, and legal documents in the lawsuit.
• The lawsuit should provide evidence of the inadequate security practices and how they resulted in a data breach or other security incident.
• The plaintiff may be able to seek damages for any harm caused by the security incident, such as lost business, lost customers, lost data, etc.
• Settlement of the lawsuit may be reached through a negotiated agreement between the parties, or through a court order.
• Damages may be calculated based on the actual harm caused by the security incident, such as the cost of remediation or lost business.

Templates available (free to use)

Information Security Policy
Information Security Policy
Written Information Security Program Wisp

‍