This short post is the fifth in a series that explains in straightforward terms the process we follow to build an ISO 27001 certifiable Information Security Management System (ISMS). You can access our entire proven process here.
We hope you find these bite-sized posts useful for understanding how ISO 27001 certification is achieved, and what it could look like for your organization. You may want to read them in order, starting with Step 1. Enjoy!
A good risk treatment plan prioritizes the necessary risk treatments based on these interrelated factors:
- Level of effort
- Logical relationships between different treatments
This may seem obvious, but do not skip this step. In many cases your risk treatment plan will say you need to take action on more things than the bandwidth of your organization can handle. Prioritization is key, as well as realizing that security is a journey, not a destination.
“Prioritization is key, as well as realizing that security is a journey, not a destination.”
Successful execution and ongoing operationalization of your plan (“making it real”) positions you to verify the effectiveness of your existing and updated controls. We’ll cover how that happens in Step 6—stay tuned!
Have questions about ISO 27001 certification or the best way to achieve your information security goals? Contact Pivot Point Security—we specialize in advising organizations on how to manage information security risk.