Rating: 5 out of 5 stars
5/5
Ebook114 pages1 hour
Nine Steps to Success: An ISO27001:2013 Implementation Overview
By Alan Calder
Rating: 1 out of 5 stars
1/5
()
About this ebook
Completely up to date with ISO27001:2013, this is the new edition of the original
no-nonsense guide to successful ISO27001 certification. Ideal for anyone tackling ISO27001 for the first time, Nine Steps to Success outlines the 9 essential steps to an effective ISMS implementation. 9 critical steps that mean the difference between project success and abject failure.
Based on years of first-hand experience with ISO27001, Alan Calder covers each element of ISO27001 projects in simple, non-technical language, including how to:
- get senior managers and decision makers on side
- plan, manage and run the project for the greatest chance of success
- assess what you need to get from where you are to certification.
Author
Alan Calder
Alan Calder is a leading author on IT governance and information security issues. He is the CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Alan is an acknowledged international cyber security guru. He has been involved in the development of a wide range of information security management training courses that have been accredited by the International Board for IT Governance Qualifications (IBITGQ). He is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.
Read more from Alan Calder
ISO 22301:2019 and business continuity management - Understand how to plan, implement and enhance a business continuity management system (BCMS) PCI DSS: A pocket guide, sixth edition Rating: 0 out of 5 stars0 ratingsInformation Security Risk Management for ISO27001/ISO27002 Rating: 4 out of 5 stars4/5Information Security Risk Management for ISO 27001/ISO 27002, third edition Rating: 4 out of 5 stars4/5IT Governance: Implementing Frameworks and Standards for the Corporate Governance of IT Rating: 4 out of 5 stars4/5Risk Assessment for Asset Owners Rating: 4 out of 5 stars4/5ISO/IEC 38500: The IT Governance Standard Rating: 5 out of 5 stars5/5PCI DSS: A Pocket Guide, fourth edition Rating: 0 out of 5 stars0 ratingsISO 27001/ISO 27002: A guide to information security management systems Rating: 0 out of 5 stars0 ratingsCyber Essentials: A Pocket Guide Rating: 5 out of 5 stars5/5EU GDPR - A pocket guide, second edition Rating: 0 out of 5 stars0 ratingsIT Governance: A Pocket Guide Rating: 3 out of 5 stars3/5PCI DSS: A Pocket Guide Rating: 2 out of 5 stars2/5Selling Information Security to the Board: A Primer Rating: 0 out of 5 stars0 ratingsCyber Essentials: A guide to the Cyber Essentials and Cyber Essentials Plus certifications Rating: 0 out of 5 stars0 ratingsIT Regulatory Compliance in the UK Rating: 0 out of 5 stars0 ratingsThe EU Data Protection Code of Conduct for Cloud Service Providers: A guide to compliance Rating: 0 out of 5 stars0 ratingsNine Steps to Success: North American edition: An ISO 27001 Implementation Overview Rating: 0 out of 5 stars0 ratingsThe Case for ISO27001:2013 Rating: 1 out of 5 stars1/5Network and Information Systems (NIS) Regulations - A pocket guide for operators of essential services Rating: 0 out of 5 stars0 ratingsIT Governance Critical Issues Series: Cyber Security Rating: 0 out of 5 stars0 ratingsCompliance for Green IT: A Pocket Guide Rating: 5 out of 5 stars5/5A concise introduction to the NIS Directive: A pocket guide for digital service providers Rating: 0 out of 5 stars0 ratingsThe Green Office: A Business Guide Rating: 0 out of 5 stars0 ratingsNetwork and Information Systems (NIS) Regulations - A pocket guide for digital service providers Rating: 0 out of 5 stars0 ratingsPCI DSS: A Pocket Guide - 3rd edition Rating: 0 out of 5 stars0 ratings
Related to Nine Steps to Success
Related ebooks
Application Security in the ISO27001 Environment Rating: 0 out of 5 stars0 ratingsSelling Information Security to the Board: A Primer Rating: 0 out of 5 stars0 ratingsThe Case for ISO27001:2013 Rating: 1 out of 5 stars1/5Infosec Management Fundamentals Rating: 5 out of 5 stars5/5Nine Steps to Success: An ISO27001:2013 Implementation Overview Rating: 3 out of 5 stars3/5ISO 27001 Controls – A guide to implementing and auditing Rating: 5 out of 5 stars5/5Business Practical Security Rating: 0 out of 5 stars0 ratingsIT Induction and Information Security Awareness: A Pocket Guide Rating: 0 out of 5 stars0 ratingsInformation Security Governance: A Practical Development and Implementation Approach Rating: 0 out of 5 stars0 ratingsISO27001:2013 Assessments Without Tears Rating: 3 out of 5 stars3/5PCI DSS: A Pocket Guide, fourth edition Rating: 0 out of 5 stars0 ratingsApplication security in the ISO27001:2013 Environment Rating: 4 out of 5 stars4/5An Introduction to Information Security and ISO27001:2013: A Pocket Guide Rating: 4 out of 5 stars4/5The Chief Information Security Officer: Insights, tools and survival skills Rating: 1 out of 5 stars1/5Information Protection Playbook Rating: 0 out of 5 stars0 ratingsSecurity Risk Management: Building an Information Security Risk Management Program from the Ground Up Rating: 4 out of 5 stars4/5ISO27001/ISO27002:2013: A Pocket Guide Rating: 4 out of 5 stars4/5Security Operations: CISSP, #7 Rating: 0 out of 5 stars0 ratingsBuilding an Effective Cybersecurity Program, 2nd Edition Rating: 0 out of 5 stars0 ratingsAssessing Information Security: Strategies, Tactics, Logic and Framework Rating: 5 out of 5 stars5/5Building a Practical Information Security Program Rating: 5 out of 5 stars5/5Information Security for Small and Midsized Businesses Rating: 0 out of 5 stars0 ratingsThe Chief Security Officer’s Handbook: Leading Your Team into the Future Rating: 0 out of 5 stars0 ratingsCyber Essentials: A Pocket Guide Rating: 5 out of 5 stars5/5Building Effective Cybersecurity Programs: A Security Manager’s Handbook Rating: 4 out of 5 stars4/5The Information Systems Security Officer's Guide: Establishing and Managing a Cyber Security Program Rating: 0 out of 5 stars0 ratingsRisk Assessment for Asset Owners Rating: 4 out of 5 stars4/5How Cyber Security Can Protect Your Business: A guide for all stakeholders Rating: 0 out of 5 stars0 ratings
Security For You
How to Become Anonymous, Secure and Free Online Rating: 5 out of 5 stars5/5CompTIA Security+ Study Guide: Exam SY0-601 Rating: 5 out of 5 stars5/5Social Engineering: The Science of Human Hacking Rating: 3 out of 5 stars3/5How to Be Invisible: Protect Your Home, Your Children, Your Assets, and Your Life Rating: 4 out of 5 stars4/5Hacking: Ultimate Beginner's Guide for Computer Hacking in 2018 and Beyond: Hacking in 2018, #1 Rating: 4 out of 5 stars4/5CompTIA Network+ Review Guide: Exam N10-008 Rating: 0 out of 5 stars0 ratingsMike Meyers CompTIA Security+ Certification Passport, Sixth Edition (Exam SY0-601) Rating: 5 out of 5 stars5/5Network+ Study Guide & Practice Exams Rating: 4 out of 5 stars4/5The Hacker Crackdown: Law and Disorder on the Electronic Frontier Rating: 4 out of 5 stars4/5Remote/WebCam Notarization : Basic Understanding Rating: 3 out of 5 stars3/5Cybersecurity For Dummies Rating: 4 out of 5 stars4/5Cybersecurity: The Beginner's Guide: A comprehensive guide to getting started in cybersecurity Rating: 5 out of 5 stars5/5Wireless Hacking 101 Rating: 4 out of 5 stars4/5Practical Lock Picking: A Physical Penetration Tester's Training Guide Rating: 5 out of 5 stars5/5Dark Territory: The Secret History of Cyber War Rating: 4 out of 5 stars4/5Hacking For Dummies Rating: 4 out of 5 stars4/5How to Hack Like a Pornstar Rating: 5 out of 5 stars5/5Hacking : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Ethical Hacking Rating: 5 out of 5 stars5/5The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers Rating: 4 out of 5 stars4/5CompTIA Network+ Certification Guide (Exam N10-008): Unleash your full potential as a Network Administrator (English Edition) Rating: 0 out of 5 stars0 ratingsMake Your Smartphone 007 Smart Rating: 4 out of 5 stars4/5CompTIA CySA+ Practice Tests: Exam CS0-002 Rating: 0 out of 5 stars0 ratingsUltimate Guide for Being Anonymous: Hacking the Planet, #4 Rating: 5 out of 5 stars5/5Mike Meyers' CompTIA Security+ Certification Guide, Third Edition (Exam SY0-601) Rating: 5 out of 5 stars5/5Codes and Ciphers - A History of Cryptography Rating: 4 out of 5 stars4/5The Cyber Attack Survival Manual: Tools for Surviving Everything from Identity Theft to the Digital Apocalypse Rating: 0 out of 5 stars0 ratingsTor and the Dark Art of Anonymity Rating: 5 out of 5 stars5/5
Related podcast episodes
083: SMS Pt 4 - What Does ISO 45001 Require?: Safety Management System overview 0% found this document usefulCISSP Training - Domain 1 - Lecture 1 0% found this document useful#60 What is ISO 27017: Controls for Cloud Services 0% found this document usefulcybersecurity maturity model certification (CMMC) (noun) [Word Notes] 0% found this document usefulHow To Overcome Challenges Every DPO Faces 0% found this document usefulCyber Resiliency with Sounil Yu 0% found this document usefulIs enhanced hardware security the answer to ransomware? [CyberWire-X] 100% found this document usefulThe Foolproof Way To Pass The CIPPE Exam In 2 Weeks 0% found this document usefulHow To Succeed With Privacy By Design 0% found this document usefulEpisode 31: Challenging the Privacy narrative 0% found this document usefulNIST Cybersecurity Framework [Special Edition]: NIST Cybersecurity Framework 0% found this document usefulBig breaches (and how to avoid them): with Neil Daswani 0% found this document useful
Related articles
Cyber Security IS A SHARED RESPONSIBILITY AT THE C-LEVEL Inc.Article
Cyber Security IS A SHARED RESPONSIBILITY AT THE C-LEVEL
Sep 21, 2016
Data breaches can have far-reaching repercussions; protecting against them is a companywide mandate
2 min readWhy Leaders Need To Take A Risk-based Approach To Data Security NZBusiness and ManagementArticle
Why Leaders Need To Take A Risk-based Approach To Data Security
Jul 21, 2021
5 min readCyber Safe Facility ManagementArticle
Cyber Safe
Dec 23, 2018
4 min readVulnerability Assessments PC Pro MagazineArticle
Vulnerability Assessments
Jan 7, 2021
3 min readCybersecurity: It Might Be The Small Stuff That Gets You NZBusiness and ManagementArticle
Cybersecurity: It Might Be The Small Stuff That Gets You
Jan 16, 2020
2 min readCybersecurity Firm Fireeye Says Was Hacked By Nation State TechLife NewsArticle
Cybersecurity Firm Fireeye Says Was Hacked By Nation State
Dec 12, 2020
3 min readHow to Protect Your Small Business Against a Cyber Attack EntrepreneurArticle
How to Protect Your Small Business Against a Cyber Attack
Feb 1, 2013
8 min readThe Weakest Link Facility ManagementArticle
The Weakest Link
Jun 24, 2018
7 min readTaking Guard Business TodayArticle
Taking Guard
Sep 2, 2021
6 min readAct, Don't React: A Leader's Guide to Cybersecurity Rotman ManagementArticle
Act, Don't React: A Leader's Guide to Cybersecurity
Sep 1, 2019
9 min readSecurity And Access Guide Facility ManagementArticle
Security And Access Guide
Feb 25, 2018
8 min readBRIDGING THE GAP BETWEEN IT AND SECURITY TEAMS: Four Tips for Better Collaboration The European Business ReviewArticle
BRIDGING THE GAP BETWEEN IT AND SECURITY TEAMS: Four Tips for Better Collaboration
Jul 31, 2023
In today's corporate landscape, the relationship between Information Technology (IT) and security departments often mirrors a tangled web, marked by conflicting objectives and strained interactions. Yet, as digitalisation accelerates across all secto
5 min readCybersecurity Made Simple: Taming The Password The European Business ReviewArticle
Cybersecurity Made Simple: Taming The Password
Mar 1, 2022
8 min readPrivacy: The Price Of Trust Inc.Article
Privacy: The Price Of Trust
Aug 17, 2021
How will cybersecurity and data privacy evolve over the next decade? We’re hearing from our customers that cybersecurity and data privacy are increasingly becoming board-level conversations. Companies will start to think about privacy, security, vend
1 min readEverything You Should Know About Cybersecurity Automation TechfastlyArticle
Everything You Should Know About Cybersecurity Automation
Jun 1, 2021
6 min readStarting a Successful Home Security Company: Step-By-Step Guide Home Business MagazineArticle
Starting a Successful Home Security Company: Step-By-Step Guide
Mar 30, 2023
4 min read“DORA Is A Force For Good And Will Help Businesses To Make Better Decisions, Faster” PC Pro MagazineArticle
“DORA Is A Force For Good And Will Help Businesses To Make Better Decisions, Faster”
Apr 10, 2022
6 min readWeb App Security Linux FormatArticle
Web App Security
Jun 29, 2021
8 min readHow Do You Know You Are Okay? NZBusiness and ManagementArticle
How Do You Know You Are Okay?
May 27, 2019
2 min readDigital Trust Is On The Horizon The European Business ReviewArticle
Digital Trust Is On The Horizon
Mar 1, 2022
11 min readWorkplace Health And Safety Australasian Transport News (ATN)Article
Workplace Health And Safety
May 13, 2019
It has to be faced, our industry has a poor safety record. Transport, postal and warehousing is rated the second most dangerous industry to be working in and records the worst numbers of accidents and fatalities, 54 deaths in 2017 – an increase of 15
3 min readDETER, DETECT, DELAY: Thwarting The Digital Intruders The European Business ReviewArticle
DETER, DETECT, DELAY: Thwarting The Digital Intruders
Nov 25, 2021
6 min readData Protection: Lightening The Load Of Compliance The European Business ReviewArticle
Data Protection: Lightening The Load Of Compliance
Sep 25, 2021
7 min readExpert Advice: How to Up Your Cyber Security EntrepreneurArticle
Expert Advice: How to Up Your Cyber Security
Feb 1, 2015
2 min read5 KEYS TO RESOLVING Cross-Functional Rivalries IN YOUR DIGITAL TRANSFORMATION The European Business ReviewArticle
5 KEYS TO RESOLVING Cross-Functional Rivalries IN YOUR DIGITAL TRANSFORMATION
Sep 30, 2020
The challenge is as old as business itself: How do you get people in different parts of an organization to work together to solve common problems? Yes, COVID-19 has hastened a great coming together – across functions, disciplines, industries, geograp
4 min readArthur Oyoo It Security Manager Msafiri MagazineArticle
Arthur Oyoo It Security Manager
Nov 26, 2021
I joined KQ in 2014, as an Enabling IT Security analyst, as part of the Dreamliner acquisition project. After which, I moved to the IT Security section and, in 2018,1 was promoted to IT Security manager. IT Security is tasked with protecting KQ's inf
1 min readArthur Oyoo It Security Manager Msafiri MagazineArticle
Arthur Oyoo It Security Manager
Nov 26, 2021
I joined KQ in 2014, as an Enabling IT Security analyst, as part of the Dreamliner acquisition project. After which, I moved to the IT Security section and, in 2018,1 was promoted to IT Security manager. IT Security is tasked with protecting KQ's inf
1 min readBuilding A Future-proof Company – Four Cornerstones Of Transformative Corporate Foresight The European Business ReviewArticle
Building A Future-proof Company – Four Cornerstones Of Transformative Corporate Foresight
Feb 25, 2021
5 min readThe Role Of AI In Cybersecurity NZBusiness and ManagementArticle
The Role Of AI In Cybersecurity
Apr 18, 2023
4 min readThe CYBERSECURITY CHALLENGE in a High Digital Density World The European Business ReviewArticle
The CYBERSECURITY CHALLENGE in a High Digital Density World
Feb 4, 2019
17 min read
Reviews for Nine Steps to Success
Rating: 1 out of 5 stars
1/5
1 rating0 reviews
Book preview
Nine Steps to Success - Alan Calder
Resources
INTRODUCTION
The International Standard ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements has now replaced the earlier 2005 version. Information security has always been an international issue, and this new version of the Standard reflects eight years of improvements in the understanding of effective information security management. It also takes account of the evolution in the cyber threat landscape over that period, and allows for a new range of best practice controls.
Information security is also a management issue, a governance responsibility. The design and implementation of an Information Security Management System (‘ISMS’) is a management role, not a technological one. It requires the full range of managerial skills and attributes, from project management and prioritisation, through communication, sales skills and motivation, to delegation, monitoring and discipline. A good manager who has no technological background or insight can lead a successful ISMS implementation, but without management skills, the most technologically sophisticated information security expert will fail at the task.
This is particularly so if the organisation wants to derive maximum, long-term business value from the implementation of an ISMS. Achieving external certification is an increasingly necessary cost of doing business. Achieving the level of information security awareness and good internal practice that enables an organisation to safely surf the stormy, cruel seas of the information age, requires a level of culture change no less profound than that required to shift from industrial to post-industrial operations.
I know all this because my background is as a general manager, not as a technologist. I came to information security in 1995 because I was concerned about the information security exposures faced by acompany of which I was CEO. When you’re the CEO, and you’re interested in it, you can make an ISMS happen – as I’ve proved a number of times. While this book will shorten the learning curve for other CEOs in my position, it is really aimed at the manager – often an IT or information security manager – who is charged with tackling an ISO27001 implementation, and who wants a sure routeto a positive outcome. It identifies what the experience of many ISO27001 implementations has taught me are the nine key steps to ISMS success. The lessons seem to apply in any organisation, public sector or private, and anywhere in the world. They start with recognising the challenges usually faced by anyone concerned to improve their organisation’s security posture.
The second biggest challenge that, in my experience, is faced by information security technologists everywhere in the world, is gaining – and keeping – the Board’s attention. The biggest challenge is gaining – and keeping – the organisation’s interest and application to the project. When boards do finally become aware of their need to act – and to act systematically and comprehensively – against information security threats, they become very interested in hearing from their information security specialists. They even develop an appetite for investing organisational poundsintohardware and software solutions, and to mandate the development of a new ISMS – or the tightening up of an existing one.
Of course, there’s usually no better than a 50:50 chance that the‘solution’ they want is anything more than the security flavour of the month – for instance, penetration testing sales increased when hacktivist successes hit the headlines. Once deployed, any single solution is unlikely to alter the overall security posture of an organisation by more than one degree, not least because anyeffective security solution requires an integrated combination of technology, procedure and user application. Integration of this order also requires more than just a knee-jerk reaction to a current threat.
The even greater certainty is that most initiatives to develop an ISMS are likely to be seen as either a current management ‘fad’ or, even worse, as an IT department ‘initiative’. Either branding meansthe ISMS will be still born. Almost everyone who works in any business believes that management fads just have to be endured until they go away, and that IT department initiatives just create more problems and barriers for people trying to do their everyday work. Scott Adams, the creator of Dilbert, does say after all that most of the ideas for his sketches are sent to him by people who are simply describing their daily working lives.
An ISMS project does slightly better if it is seen as having a credible business need: to win an outsourcing contract, for instance, or to comply with a public funding requirement. In fact, such short-term justifications for introducing an ISMS, for seeking external certification, infrequently bring the company any real long-term benefit, because the project rarely develops the sort of sustained momentum that will drive user awareness and good practice into all the reaches of the organisation.
When we first decided to tackle information security, way back in 1995, my organisation was required – as a condition of its branding and trading licence – to achieve both ISO9001certification and Investors in People (IiP) recognition. We intended to sell information security and environmental management services as well and, out of a desire to practice what we preached, as well as from a determination to achieve the identifiable business benefits of tackling all these components of our business, we decided to pursue both BS7799 and ISO14001 at the same time.
BS7799 existed then in only an unaccredited form and it was, essentially, a Code of Practice. There was only one part to it and, while certification was technically not possible, a statement of conformity was. The other standards that we were interested in did all exist but, at that time, it was generally expected that an organisation would approach each standard on its own, developing standalone manuals and processes. This was hardly surprising, as it was unusual for any organisation to pursue more than one standard at any time!
We made the momentous decision to approach the issue from primarily a business perspective, rather than a quality one. Wedecided that we wanted to create a single, integrated management system that would work for our business, and that was capable of achieving multiple certifications. While this seemed to go in the face of much of that time’s actual practice around management system implementation, it seemed to be completely in line with the spirit of the Standards themselves.
We also decided that we wanted everyone in the organisation to take part in the process of creating, and developing, the integrated management system that we envisioned, because we believed that was the fastest and most certain way of getting them to become real contributors to the project, both in the short and the long term. We used external consultants for part of the ISO9001 project but there simply was no BS7799 expertise available externally.
This lack of BS7799 experts was a minor challenge
Enjoying the preview?
Page 1 of 1