February 28, 2012

Last Updated on February 28, 2012


Comparing the ISO 27001 Roadmap to the ISO 27003 Guidance for Implementation

One of the most frequently asked questions Pivot Point Security gets when speaking with clients about implementing ISO 27001 is, “What do we need to do to implement security policies and procedures for certification?”
The Pivot Point Security ISO 27001 Implementation Roadmap outlines the steps we take to implement an Information Security Management System for ISO 27001 certification. ISO itself provides guidance in the ISO 27003 standard. According to the ISO body, “This International Standard focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005.”
A prospective client recently asked how the Pivot Point Security ISO 27001 Implementation Roadmap aligns with ISO 27003. The Implementation Roadmap outlines four phases to implement the ISMS:

  • Assess Short-Term Attestation Requirements
  • Assess Gaps
  • Develop & Execute the Roadmap
  • Operate the Environment

The ISO 27003 standard outlines five phases in its five clauses:

  • Obtaining management approval for initiating an ISMS project (Clause 5)
  • Defining ISMS Scope and ISMS Policy (Clause 6)
  • Conducting Organization Analysis (Clause 7)
  • Conducting Risk Assessment and Risk Treatment planning (Clause 8)
  • Designing the ISMS (Clause 9)

A high-level review shows that the Implementation Roadmap is consistent with ISO 27003 and aligns closely with it, as illustrated in the table below. So if you’re concerned about whether your organization is taking the right steps toward ISO 27001 certification, a comparison to Pivot Point’s ISO 27001 Implementation Roadmap will tell you whether you’re headed in the right direction.

ISO 27003 ISMS Guidance / ISO 27001 Implementation Roadmap / Alignment

ISO 27003 ISMS Guidance: Clause 5, Obtaining management approval for initiating an ISMS project
ISO 27001 Implementation Roadmap: Address Near Term Attestation Requirements
Alignment: The vulnerability assessments and penetration tests conducted in this phase illustrate the need for an ISMS to management, and the findings help clarify an organization’s security priorities. The Secure Data Flow Diagram (SDFD) and Preliminary 27001 Project Plan delivered in this phase define the preliminary scope of the ISMS and outline the business case and project plan for management approval.

ISO 27003 ISMS Guidance: Clause 6, Defining ISMS scope, boundaries and ISMS policy
ISO 27001 Implementation Roadmap: Assess Gaps
Alignment: The first deliverable for this phase of the Roadmap is an ISMS scope defined in an ISMS Policy based on the work done for the SDFD.

ISO 27003 ISMS Guidance: Clause 7, Conducting information security requirements analysis
ISO 27001 Implementation Roadmap: Assess Gaps
Alignment: Information security requirements and assets for the ISMS scope were identified in the SDFD. This phase includes a Security Assessment to evaluate gaps between the inherent security risks and ideal security controls.

ISO 27003 ISMS Guidance: Clause 8, Conducting risk assessment and planning risk treatment
ISO 27001 Implementation Roadmap: Assess Gaps
Alignment: This phase uses the SDFD to deliver a:

  • Rapid Risk Assessment that identifies the major security risks and business impacts
  • Risk Treatment Plan that establishes acceptance criteria for risk and a response plan (i.e. avoid, control, transfer, accept)
  • Statement of Applicability that selects the controls approved by management to mitigate the identified risks

ISO 27003 ISMS Guidance: Clause 9, Designing the ISMS
ISO 27001 Implementation Roadmap: Develop and Execute the Roadmap
Alignment: This phase delivers a prioritized work plan for:

  • Designing organizational information security
  • Designing IT and physical security
  • Designing ISMS-specific information security
