Rating: 5 out of 5 stars
5/5
Ebook159 pages1 hour
Nine Steps to Success: An ISO27001:2013 Implementation Overview
By Alan Calder and Liam Gerrard
Rating: 3 out of 5 stars
3/5
()
About this ebook
Aligned with the latest iteration of the Standard – ISO 27001:2013 – this new edition of the original no-nonsense guide to successful ISO 27001 certification is ideal for anyone tackling ISO 27001 for the first time, and covers each element of the ISO 27001 project in simple, non-technical language
Author
Alan Calder
Alan Calder is a leading author on IT governance and information security issues. He is the CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Alan is an acknowledged international cyber security guru. He has been involved in the development of a wide range of information security management training courses that have been accredited by the International Board for IT Governance Qualifications (IBITGQ). He is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.
Read more from Alan Calder
ISO 22301:2019 and business continuity management - Understand how to plan, implement and enhance a business continuity management system (BCMS) Information Security Risk Management for ISO 27001/ISO 27002, third edition Rating: 4 out of 5 stars4/5IT Governance: Implementing Frameworks and Standards for the Corporate Governance of IT Rating: 4 out of 5 stars4/5ISO 27001/ISO 27002: A guide to information security management systems Rating: 0 out of 5 stars0 ratingsPCI DSS: A Pocket Guide Rating: 2 out of 5 stars2/5Information Security Risk Management for ISO27001/ISO27002 Rating: 4 out of 5 stars4/5PCI DSS: A pocket guide, sixth edition Rating: 0 out of 5 stars0 ratingsIT Governance: A Pocket Guide Rating: 3 out of 5 stars3/5Risk Assessment for Asset Owners Rating: 4 out of 5 stars4/5ISO/IEC 38500: The IT Governance Standard Rating: 5 out of 5 stars5/5EU GDPR - A pocket guide, second edition Rating: 0 out of 5 stars0 ratingsCyber Essentials: A Pocket Guide Rating: 5 out of 5 stars5/5Nine Steps to Success: North American edition: An ISO 27001 Implementation Overview Rating: 0 out of 5 stars0 ratingsSelling Information Security to the Board: A Primer Rating: 0 out of 5 stars0 ratingsPCI DSS: A Pocket Guide, fourth edition Rating: 0 out of 5 stars0 ratingsNetwork and Information Systems (NIS) Regulations - A pocket guide for digital service providers Rating: 0 out of 5 stars0 ratingsCyber Essentials: A guide to the Cyber Essentials and Cyber Essentials Plus certifications Rating: 0 out of 5 stars0 ratingsThe Case for ISO27001:2013 Rating: 1 out of 5 stars1/5The Green Office: A Business Guide Rating: 0 out of 5 stars0 ratingsNetwork and Information Systems (NIS) Regulations - A pocket guide for operators of essential services Rating: 0 out of 5 stars0 ratingsThe EU Data Protection Code of Conduct for Cloud Service Providers: A guide to compliance Rating: 0 out of 5 stars0 ratingsIT Governance Critical Issues Series: Cyber Security Rating: 0 out of 5 stars0 ratingsCompliance for Green IT: A Pocket Guide Rating: 5 out of 5 stars5/5A concise introduction to the NIS Directive: A pocket guide for digital service providers Rating: 0 out of 5 stars0 ratingsIT Regulatory Compliance in the UK Rating: 0 out of 5 stars0 ratingsThe Green Agenda: A Business Guide Rating: 0 out of 5 stars0 ratingsPCI DSS: A Pocket Guide - 3rd edition Rating: 0 out of 5 stars0 ratings
Related to Nine Steps to Success
Related ebooks
The Case for ISO27001:2013 Rating: 1 out of 5 stars1/5Nine Steps to Success: An ISO27001:2013 Implementation Overview Rating: 1 out of 5 stars1/5ISO27001:2013 Assessments Without Tears Rating: 3 out of 5 stars3/5ISO27001/ISO27002:2013: A Pocket Guide Rating: 4 out of 5 stars4/5Application security in the ISO27001:2013 Environment Rating: 4 out of 5 stars4/5Information Security Risk Management for ISO27001/ISO27002 Rating: 4 out of 5 stars4/5ISO 27001 Controls – A guide to implementing and auditing Rating: 5 out of 5 stars5/5An Introduction to Information Security and ISO27001:2013: A Pocket Guide Rating: 4 out of 5 stars4/5Implementing an Integrated Management System (IMS): The strategic approach Rating: 5 out of 5 stars5/5Selling Information Security to the Board: A Primer Rating: 0 out of 5 stars0 ratingsISO/IEC 27701:2019: An introduction to privacy information management Rating: 4 out of 5 stars4/5ISO27001 in a Windows Environment: The best practice implementation handbook for a Microsoft Windows environment Rating: 0 out of 5 stars0 ratingsBusiness Practical Security Rating: 0 out of 5 stars0 ratingsIT Induction and Information Security Awareness: A Pocket Guide Rating: 0 out of 5 stars0 ratingsInformation Security Breaches: Avoidance and Treatment based on ISO27001 Rating: 0 out of 5 stars0 ratingsApplication Security in the ISO27001 Environment Rating: 0 out of 5 stars0 ratingsWe Need To Talk: 52 Weeks To Better Cyber-Security Rating: 0 out of 5 stars0 ratingsRisk Assessment for Asset Owners Rating: 4 out of 5 stars4/5Information Security Governance: A Practical Development and Implementation Approach Rating: 0 out of 5 stars0 ratingsInfosec Management Fundamentals Rating: 5 out of 5 stars5/5ISO19770-1:2012 SAM Process Guidance: A kick-start to your SAM programme Rating: 3 out of 5 stars3/5ISO/IEC 38500: A pocket guide, second edition Rating: 4 out of 5 stars4/5ISO/IEC 38500: The IT Governance Standard Rating: 5 out of 5 stars5/5Secure Your Business: Insights to Governance, Risk, Compliance & Information Security Rating: 0 out of 5 stars0 ratingsISO/IEC 27001:2022: An introduction to information security and the ISMS standard Rating: 5 out of 5 stars5/5Information Security A Practical Guide: Bridging the gap between IT and management Rating: 5 out of 5 stars5/5Information Protection Playbook Rating: 0 out of 5 stars0 ratingsInformation Security for Small and Midsized Businesses Rating: 0 out of 5 stars0 ratings
Computers For You
SQL QuickStart Guide: The Simplified Beginner's Guide to Managing, Analyzing, and Manipulating Data With SQL Rating: 4 out of 5 stars4/5Mastering ChatGPT: 21 Prompts Templates for Effortless Writing Rating: 5 out of 5 stars5/5Creating Online Courses with ChatGPT | A Step-by-Step Guide with Prompt Templates Rating: 4 out of 5 stars4/5Procreate for Beginners: Introduction to Procreate for Drawing and Illustrating on the iPad Rating: 0 out of 5 stars0 ratings101 Awesome Builds: Minecraft® Secrets from the World's Greatest Crafters Rating: 4 out of 5 stars4/5The ChatGPT Millionaire Handbook: Make Money Online With the Power of AI Technology Rating: 0 out of 5 stars0 ratingsThe Self-Taught Computer Scientist: The Beginner's Guide to Data Structures & Algorithms Rating: 0 out of 5 stars0 ratingsDeep Search: How to Explore the Internet More Effectively Rating: 5 out of 5 stars5/5Childhood Unplugged: Practical Advice to Get Kids Off Screens and Find Balance Rating: 0 out of 5 stars0 ratingsArtificial Intelligence: The Complete Beginner’s Guide to the Future of A.I. Rating: 4 out of 5 stars4/5People Skills for Analytical Thinkers Rating: 5 out of 5 stars5/5Grokking Algorithms: An illustrated guide for programmers and other curious people Rating: 4 out of 5 stars4/5Ultimate Guide to Mastering Command Blocks!: Minecraft Keys to Unlocking Secret Commands Rating: 5 out of 5 stars5/5Network+ Study Guide & Practice Exams Rating: 4 out of 5 stars4/5Alan Turing: The Enigma: The Book That Inspired the Film The Imitation Game - Updated Edition Rating: 4 out of 5 stars4/5CompTIA Security+ Practice Questions Rating: 2 out of 5 stars2/5CompTIA IT Fundamentals (ITF+) Study Guide: Exam FC0-U61 Rating: 0 out of 5 stars0 ratingsRemote/WebCam Notarization : Basic Understanding Rating: 3 out of 5 stars3/5ChatGPT Ultimate User Guide - How to Make Money Online Faster and More Precise Using AI Technology Rating: 0 out of 5 stars0 ratingsGoing Text: Mastering the Command Line Rating: 4 out of 5 stars4/5Dark Aeon: Transhumanism and the War Against Humanity Rating: 5 out of 5 stars5/5Master Builder Roblox: The Essential Guide Rating: 4 out of 5 stars4/5The Professional Voiceover Handbook: Voiceover training, #1 Rating: 5 out of 5 stars5/5
Related podcast episodes
The Foolproof Way To Pass The CIPPE Exam In 2 Weeks 0% found this document useful#60 What is ISO 27017: Controls for Cloud Services 0% found this document useful064: Is Your Safety Management System ISO 45001 Ready?: Download the safety checklist 0% found this document useful#63 Epiq's Information Security Journey: With guest Dinesh Sharma 0% found this document usefulHow to Be Influential And Secure Buy-In for Your Security Programs 0% found this document useful083: SMS Pt 4 - What Does ISO 45001 Require?: Safety Management System overview 0% found this document usefulData protection principles: 7 principles that are critical to driving growth 0% found this document usefulCyber Governance 0% found this document usefulWhy Lean Portfolio Management? 0% found this document useful#117 - How to Establish SRE Foundations From Scratch - Vladyslav Ukis 0% found this document useful
Related articles
“DORA Is A Force For Good And Will Help Businesses To Make Better Decisions, Faster” PC Pro MagazineArticle
“DORA Is A Force For Good And Will Help Businesses To Make Better Decisions, Faster”
Apr 10, 2022
6 min readCyber Security IS A SHARED RESPONSIBILITY AT THE C-LEVEL Inc.Article
Cyber Security IS A SHARED RESPONSIBILITY AT THE C-LEVEL
Sep 21, 2016
Data breaches can have far-reaching repercussions; protecting against them is a companywide mandate
2 min readVulnerability Assessments PC Pro MagazineArticle
Vulnerability Assessments
Jan 7, 2021
3 min readWhy Leaders Need To Take A Risk-based Approach To Data Security NZBusiness and ManagementArticle
Why Leaders Need To Take A Risk-based Approach To Data Security
Jul 21, 2021
5 min readCybersecurity Made Simple: Taming The Password The European Business ReviewArticle
Cybersecurity Made Simple: Taming The Password
Mar 1, 2022
8 min readThe CYBERSECURITY CHALLENGE in a High Digital Density World The European Business ReviewArticle
The CYBERSECURITY CHALLENGE in a High Digital Density World
Feb 4, 2019
17 min readDigital Trust Is On The Horizon The European Business ReviewArticle
Digital Trust Is On The Horizon
Mar 1, 2022
11 min readCyber Safe Facility ManagementArticle
Cyber Safe
Dec 23, 2018
4 min readArthur Oyoo It Security Manager Msafiri MagazineArticle
Arthur Oyoo It Security Manager
Nov 26, 2021
I joined KQ in 2014, as an Enabling IT Security analyst, as part of the Dreamliner acquisition project. After which, I moved to the IT Security section and, in 2018,1 was promoted to IT Security manager. IT Security is tasked with protecting KQ's inf
1 min readArthur Oyoo It Security Manager Msafiri MagazineArticle
Arthur Oyoo It Security Manager
Nov 26, 2021
I joined KQ in 2014, as an Enabling IT Security analyst, as part of the Dreamliner acquisition project. After which, I moved to the IT Security section and, in 2018,1 was promoted to IT Security manager. IT Security is tasked with protecting KQ's inf
1 min readCreating And Leading A Future Ready Enterprise The European Business ReviewArticle
Creating And Leading A Future Ready Enterprise
Apr 3, 2019
As we head deeper into the year ahead, we strive to highlight the essential strategies and latest research studies that will enlighten and equip companies and their leaders to keep abreast with the advancements and stay ahead of the curve amongst dis
2 min readBRIDGING THE GAP BETWEEN IT AND SECURITY TEAMS: Four Tips for Better Collaboration The European Business ReviewArticle
BRIDGING THE GAP BETWEEN IT AND SECURITY TEAMS: Four Tips for Better Collaboration
Jul 31, 2023
In today's corporate landscape, the relationship between Information Technology (IT) and security departments often mirrors a tangled web, marked by conflicting objectives and strained interactions. Yet, as digitalisation accelerates across all secto
5 min readEverything You Should Know About Cybersecurity Automation TechfastlyArticle
Everything You Should Know About Cybersecurity Automation
Jun 1, 2021
6 min readPrivacy: The Price Of Trust Inc.Article
Privacy: The Price Of Trust
Aug 17, 2021
How will cybersecurity and data privacy evolve over the next decade? We’re hearing from our customers that cybersecurity and data privacy are increasingly becoming board-level conversations. Companies will start to think about privacy, security, vend
1 min readHow Do You Know You Are Okay? NZBusiness and ManagementArticle
How Do You Know You Are Okay?
May 27, 2019
2 min readData Protection: Lightening The Load Of Compliance The European Business ReviewArticle
Data Protection: Lightening The Load Of Compliance
Sep 25, 2021
7 min readStarting a Successful Home Security Company: Step-By-Step Guide Home Business MagazineArticle
Starting a Successful Home Security Company: Step-By-Step Guide
Mar 30, 2023
4 min readFive Critical Aspects Of A Successful Transformation From Matrix To Agile The European Business ReviewArticle
Five Critical Aspects Of A Successful Transformation From Matrix To Agile
Jul 26, 2021
5 min readBuilding A Future-proof Company – Four Cornerstones Of Transformative Corporate Foresight The European Business ReviewArticle
Building A Future-proof Company – Four Cornerstones Of Transformative Corporate Foresight
Feb 25, 2021
5 min readExpert Advice: How to Up Your Cyber Security EntrepreneurArticle
Expert Advice: How to Up Your Cyber Security
Feb 1, 2015
2 min readIn Conversation with RAJIV JAYARAMAN Founder-CEO, Knolskape TechfastlyArticle
In Conversation with RAJIV JAYARAMAN Founder-CEO, Knolskape
Sep 1, 2021
14 min readARE YOU JUST ‘Doing Agile’ OR ‘Being Agile’ TechfastlyArticle
ARE YOU JUST ‘Doing Agile’ OR ‘Being Agile’
Mar 3, 2021
4 min readFirms Must Test Cyber Resilience Plans, Policies Business TodayArticle
Firms Must Test Cyber Resilience Plans, Policies
Jul 9, 2020
4 min readJobs Of The Future True LoveArticle
Jobs Of The Future
Jan 26, 2023
5 min readWhen To Upgrade From IT Staff To CIO EntrepreneurArticle
When To Upgrade From IT Staff To CIO
Sep 1, 2015
2 min readNext Phase Of Digital Business Revolution Set To Be Driven By Companies That Adopt Tech At Its Core Business TodayArticle
Next Phase Of Digital Business Revolution Set To Be Driven By Companies That Adopt Tech At Its Core
Feb 6, 2023
2 min readBusinesses Were Not Prepared For The Pandemic, Warns IBM Chief Executive Evening StandardArticle
Businesses Were Not Prepared For The Pandemic, Warns IBM Chief Executive
Sep 7, 2020
4 min readIBM Boss: Big Companies Were Not Prepared For The Pandemic Evening StandardArticle
IBM Boss: Big Companies Were Not Prepared For The Pandemic
Sep 4, 2020
Sreeram Visvanathan is the new chief executive of IBM UK and Ireland. The 53 year-old is from Bangalore in India and previously led IBM’s global Public Sector team. In the middle of London Tech Week, he talked to the Evening Standard about the future
4 min readThe Million Dollar Question The European Business ReviewArticle
The Million Dollar Question
May 22, 2018
More than a decade ago, the metaphor “data is the new oil” shook the world and left organisations scrambling for ways on how they could translate it into tangible value for their business. While others already reaped and are reaping the benefits emer
2 min readDETER, DETECT, DELAY: Thwarting The Digital Intruders The European Business ReviewArticle
DETER, DETECT, DELAY: Thwarting The Digital Intruders
Nov 25, 2021
6 min read
Reviews for Nine Steps to Success
Rating: 3 out of 5 stars
3/5
2 ratings2 reviews
- Rating: 1 out of 5 stars1/5A book written to promote their web site , waste of time
- Rating: 5 out of 5 stars5/5This is an awesome read. I recommend this for anyone thinking of implementing ISO27001
Book preview
Nine Steps to Success - Alan Calder
Resources
INTRODUCTION
Cyber risk has become a critical business issue, with senior management increasingly under pressure – from customers, regulators and partners – to ensure their organisation can defend against, respond to and recover from cyber attack.
Resilience against cyber attack requires an organisation to do more than just erect digital defences; a significant percentage of successful attacks originate in the analogue, physical world, or are aided and exacerbated by physical and environmental vulnerabilities. Effective cyber security therefore requires a comprehensive, systematic and robust information security management system; boards, customers and regulators all seek assurance that information risks have been identified and are being managed.
The international standard ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements is the blueprint for managing information security in line with an organisation’s business, contractual and regulatory requirements, and its risk appetite. Information security has always been an international issue and this version of the Standard reflects eight years of improvements in the understanding of effective information security management. It also takes account of the evolution in the cyber threat landscape over that period and allows for a wide range of best practice controls.
Information security is now clearly also a management issue, a governance responsibility. The design and implementation of an information security management system (ISMS) is a management role, not a technological one.
It requires the full range of managerial skills and attributes, from project management and prioritisation through communication, sales skills and motivation to delegation, monitoring and discipline. A good manager who has no technological background or insight can lead a successful ISMS implementation, but without management skills, the most technologically sophisticated information security expert will fail at the task.
This is particularly so if the organisation wants to derive maximum, long term business value from the implementation of an ISMS. Achieving external certification is increasingly a standard cost of doing business; achieving the level of information security awareness and good internal practice that enables an organisation to safely surf the stormy, cruel seas of the information age requires a level of culture change no less profound than that required to shift from industrial to post-industrial operations.
I know all this because my background is as a general manager, not as a technologist. I came to information security in 1995 because I was concerned about the information security exposures faced by a company of which I was CEO. When you’re the CEO, and you’re interested in it, you can make an ISMS happen – as I’ve proved a number of times. While this book will shorten the learning curve for other CEOs in my position, it’s really aimed at the manager – often an IT or information security manager, sometimes a quality manager – who is charged with tackling an ISO 27001 implementation and who wants to understand the route to a positive outcome. It builds on the experience of many ISO 27001 implementations and reflects the nine step implementation methodology that now underpins all the ISO 27001 products and services that can be accessed through IT Governance Ltd, the company I founded back in 2005.
These nine steps work in any organisation – public sector, voluntary sector or private – anywhere in the world. Technology infrastructure, business model, organisational architecture and regulatory requirements all inform the context for implementation of an ISO 27001 ISMS but don’t limit its applicability. We’ve helped implement an ISO 27001 ISMS in businesses with as few as two people, in mammoth, multi-country global enterprises, and in organisations of all sizes and types in between.
The second-biggest challenge that, in my experience, is faced by information security technologists everywhere in the world is getting – and keeping – the board’s attention. The biggest challenge is gaining – and maintaining – the organisation’s interest in and application to the project. Ongoing press and public attention regarding cyber risk is driving the issue onto board agendas and, when boards do finally understand they need to act – systematically and comprehensively – against information security threats, they become very interested in hearing from their information security specialists. They even develop an appetite for investing organisational dollars into hardware and software solutions, and for mandating the development of a new ISMS – or the tightening up of an existing one.
A successful ISMS project stems from and depends on genuine top management support. Progress is quicker if the project is seen as having a credible business need: to win an outsourcing or other customer contract, for instance, or to comply with a public funding requirement, improve competitiveness or reduce regulatory compliance costs and exposures.
When we first decided to tackle information security, way back in 1995, my organisation was required to achieve both ISO 9001 certification and Investor in People (IiP) recognition as a condition of its branding and trading licence. We also intended to sell information security and environmental management services and – out of a desire to practice what we preached, as well as from a determination to achieve the identifiable benefits of tackling all these components of our business – we decided to pursue both BS 7799 and ISO 14001 at the same time.
BS 7799 certification only existed then in an unaccredited form and was, essentially, a Code of Practice. There was only one part to it and, while certification was technically not possible, some Certification Bodies were interested in issuing statements of conformity. The other standards that we were interested in did all exist but, at that time, it was generally expected that an organisation would approach each standard on its own, developing standalone manuals and processes. This was hardly surprising, as it was unusual for any organisation to pursue more than one standard at any time!
We made the momentous decision to approach the issue from primarily a business perspective, rather than a quality one. We decided that we wanted to create a single, integrated management system that would work for our business, and that was capable of achieving multiple certifications. While this seemed to fly in the face of standard practice around management system implementation, it seemed to be completely in line with the spirit of the standards themselves.
We also decided that we wanted everyone in the organisation to take part in the process of creating and developing the integrated management system that we envisioned. We believed that was the fastest and most certain way of getting them to become real contributors to the project, both in the short and long term. We used external consultants for part of the ISO 9001 project but there simply was no BS 7799 expertise available externally.
This lack of BS 7799 experts was a minor challenge compared with the lack of useful books or tools. Today, you can purchase books such as An Introduction to ISO27001 and Information Security; back then there were bookshelves full of thick, technologically-focused books on all sorts of information security issues, but nothing that might tell a business manager how to systematically implement an information security management system. We had no option but to try to work it out for ourselves.
We actually did the job twice, once under the unaccredited scheme and the second time after the Standard had become a two-parter and had been accredited (the earlier, single part had become a Code of Practice and a new part, a specification for an information security management system, had been introduced). In fact, our accredited audit was also our certification body’s first observed audit for its own UKAS accreditation. While that was an interesting experience, it did mean that our systems had to be particularly robust if they were to stand the simultaneous scrutiny of two levels of external auditors!
We underwent external examination on five separate occasions within a few months and our integrated management system achieved all the required external certifications and recognitions. We did this without anything more than the part time assistance of one ISO 9001 consultant and an internal quality management team of one person. Steve Watkins, now a director of IT Governance Ltd and a UKAS Technical Assessor for ISO 27001, was that quality manager, and he did most of the real work to create our integrated, multi-standard management system. Admittedly, the organisation was a relatively small one but, although we only employed
Enjoying the preview?
Page 1 of 1