Implementing an Information Security Management System (ISMS) in accordance with the international standard ISO 27001 is a proven means of controlling security risks and building trust with customers, partners and regulators. In this article, you will learn about the key steps in implementing an ISMS, which approaches are possible, and why it is worthwhile to use the ISO 27001 standard, whether as best practice or as a certification target.
Information security is a key issue for every organisation, from SMEs to international corporations. Regardless of the size of the organisation, information security should be managed systematically and comprehensively as part of an Information Security Management System (ISMS). A static view of information security, for example as part of a project implementation, is not sustainable. An ISMS defines basic rules, processes and responsibilities to ensure, monitor and continuously improve the security of information within an organisation.
ISO 27001 is a globally recognised information security standard that provides the foundation for an ISMS.
The first step is for your organisation to understand the context in which the ISMS will be implemented. Therefore, one of the first tasks when implementing an ISMS is to determine the specific scope and to conduct a requirements and environment analysis of the organisation and its stakeholders. By considering its context, an organisation can ensure that its information security measures are adapted to its specific needs and circumstances and are therefore effective. As a guide, the following questions can be answered:
The aim of analysing these questions is to embed the ISMS in the overall context and to determine the scope of the ISMS. Based on this, the ISMS should be adapted to changing external and internal circumstances.
Risk management is a key part of ISO 27001 implementation. It focuses on identifying potential risks and assessing their likelihood of occurrence and potential impact. Based on this analysis, the next step is to determine which risks are acceptable and what measures are required to improve information security.
ISO 27001 provides a wide range of security controls. These cover both technical and organisational aspects - from access rights to contingency plans. The controls and maturity levels that best match the identified risks and your organisation's requirements must be selected. These measures are designed to eliminate potential weaknesses and increase security at all levels.
The ISMS defines a number of requirements, e.g. information security objectives, or guidelines and policies for their practical implementation. Compliance with these requirements must be ensured on an ongoing basis, which calls for appropriate monitoring. Monitoring and evaluation therefore also cover the continuous monitoring and improvement of the ISMS itself. The aim of monitoring and measurement is to assess how effectively the ISMS processes implement their requirements and contribute to achieving the information security objectives.
Ideally, measurement can be carried out using pre-defined KPIs. In practice, formulating meaningful measurable objectives and implementing the necessary measurements is a challenging undertaking. It is therefore advisable to start by defining a small number of objectives that are appropriate to the organisation and balanced in terms of implementation costs and benefits.
An ISMS thrives on constant adaptation and improvement. Following the Plan-Do-Check-Act (PDCA) cycle, the system is continually reviewed and, if necessary, optimised by using the results of monitoring and corrective actions to make further changes and adjustments. This helps to keep the ISMS up to date to effectively counter current threats and ensure information security in the long term.
Internal (ISMS) audits are an essential tool in the continuous improvement process of the management system. They are used to check whether the management system meets the organisation's own requirements and where there is potential for improvement. The audit programme ensures that all areas within the scope of the management system are effectively controlled.
Depending on the size, structure and culture of an organisation, there are different approaches to implementing an ISMS.
Top-down: In this approach, the ISMS is first established at the highest level and defined in its basic form, for example through an information security policy. The advantage is that there is a clear strategic direction and implementation is fully supported by management from the outset. This approach is particularly suitable for larger organisations that see an ISMS as a key corporate responsibility. Management defines the security objectives and provides the necessary resources. The disadvantage is that it takes a long time for the operational organisation to benefit from the ISMS.
Bottom-up / iterative: The first step is to implement and establish the core operational processes of the ISMS. This includes a structured process for assessing information security risks in projects, or the systematic implementation of maturity assessments according to best-practice checklists. The advantage is that this pragmatic approach is particularly suitable for SMEs that require flexible implementation and quick results (e.g. improvement actions). The downside is that implementation can stall if there is a lack of governance and, in particular, management support.
In any case, it is important that the ISMS is ultimately embedded throughout the organisation - information security is a shared responsibility that affects all employees, regardless of their position.
An ISO 27001 ISMS offers many benefits that go far beyond information protection:
An ISO 27001 ISMS can be used both as a best practice guide for structuring security measures and as a basis for certification. For organisations that do not require external certification, internal implementation of ISO 27001 is often sufficient to ensure information security.
ISO 27001 certification offers additional benefits: it serves as an external endorsement and strengthens the confidence of customers, partners and regulators. Certification can also provide a competitive advantage by facilitating access to new markets and tenders.
However, certification requires a significant investment of time and resources. Companies should weigh the benefits of increased compliance, confidence and market positioning against the costs to decide whether official certification makes sense.