Iso 27001 Implementation Roadmap

ISO 27001

Implementation Roadmap Vulnerability Assessment/Penetration Test of Key Applications/Systems

Address ShortTerm Attestation Requirements

Provides substantiative evidence that the net security objectives (e.g., ensuring the confidentiality of information) are being achieved. * Cost Effective * Well Regarded * Early Identification of Critical Risks  Risks 

<1 Month

Secure Data Flow Diagram (SDFD) Proving that you are secure  while you are working towards  27001 Certification is crtical to the  success of your organization. Where stronger interim attestation  is required see Shared  Assessment Phase below.

Provides evidence that key client risks are being mitigated to an acceptable level by reasonable and appropriate security design. * Integral to Risk Assessment and Scoping Scoping * Facilitates Risk Identification  * Evidence of Secure Design and Substantiative Test Test is effective attestation  attestation 

 o n I     S   O

Preliminary 27001 Project Plan Where key clients have already requested 27001 compliance/certification, communicating a plan & progress towards it is critical to satisfying their requirements.

Define ISMS Scope Logically/physically limit the scope of the ISMS to the maximum extent possible consistent with initiative objectives. objectives. Optimizes likelihood of project project success (prevents “boil the ocean” exercises).

Assess Gaps

27005 Risk Assessment

Optimally scoping and  understanding the current gap  between the desired and current  state are integral to appropriately  allocating the resources  (personnel, third party support, expenditures, and time) necessary  to ensure the project achieves  objectives on time and on budget.

Identifies major risks (& impacts) the ISMS intended to mitigate. * Levera Leverages ges SDFD SDFD * Basis Basis of 27001 27001 * 

Risk Treatment Plan

1- 3 Months

Establish acceptance criteria and define treatments (avoid/control/transfer/accept) for all key risks.

Conduct Gap Assessment O R

Via documentation review, review, ICQ's and/or surveys determine where risk treatment gaps exist in: * Existence * Appropriateness * Completeness of Documentation & ISMS support 

Shared Assessment (BITS) Same functionality as Gap Assessment except produces a Shared Assessment worksheet works heet that may be accept accepted ed as interim attestation by clients clients (e.g. financial financial industry)

Prioritized Roadmap (Remediation Plan)

Develop & Execute the Roadmap

Develop a work plan based on a number of factors: * Risk * Ease of Mitigation to to an Acceptable Acceptable Level * Client Concerns Concerns *Reusability/Commonality * Resource and Skill Set Availability * Other Initiatives

Prioritize and execute the work  effort necessary to address the  issues identified.

3-18 Months

Execute the Plan * Correct Design Deficiencies * Close Close Compliance Gaps  * Update/Create Necessary Documentation * Implement New Controls 

Monitor the Environment

Operate the Environment

Integral to 27001 is ongoing monitoring of the ISMS. Tune control design/output to facilitate monitoring.

Assess efficacy of environment, monitor the ISMS, tune controls  accordingly,, and accumulate  accordingly audit evidence for  attestation and certification.

Respond to Incidents

1-12 Months

Integral to 27001 is demonstrable Incident Response. Tune Incident Response processes to facilitate ISMS improvements.

Implement Continuous Improvement Principles Integral to 27001 is demonstrable demonstrable Continuous Improvement. Improvement. Based on monitoring and Incident Response evolve the control environment in a demonstrable manner.

Pre-Certification Audit

Certify

"Friendly" pre-audit structured in accordance with certification audit (Tabletop (T abletop Review then Compliance Review).

While there are many significant  advantages to implementing  27001, most notably demonstrably  reducing risk and simplifying  Information Security Security,, for most entities certification  is the most important.

Certification Audit 27001 Certification Audit conducted by Certification Body resulting in issuance of ISO 27001 Certificate

F   o r    c   o n  s   u l     t    i    n   g

and Beyond

Surveillance Audit (Year 2) Mini-audit conducted by the Certification Body to validate ISMS efficacy.. ISMS scope extension possible. efficacy

Triennial Audit (Every 3rd year) Re-Certification Audit conducted by Certification Body

We make it simple to “know you’re secure and prove you’re com pliant” 

2  7   0   0  1   , v  i     s  i     t     u  s   a  t    w w w .   p i    v   o  t      p  o i    n  t     s   e  c   u r   i     t      y  .  c   o m  o r    c   a l    l    1  .  8   8   8  . P  I    V   O T  P   O I    N  T    (     8   8   8  . 7  4   8  .  6   8  7   6    )