I want to implement ISO security standards in my organization, but I don't know where to start. I have a couple of policies in place, but I want help on how I can tie the process together.
There are numerous ISO standards, so it’s necessary to first identify which of the ISO frameworks the organization seeks to align with and then begin to better understand the respective requirements for policies, procedures, and other related processes.
Keep in mind an organization cannot technically have an ISO policy to follow if the procedures have not been implemented within that organization. As such, the first order of business should be to seek out the specific ISO standard (such as ISO/IEC 27001:2005) the enterprise wishes to comply with, purchase the relevant standards documentation from ISO or an ISO representative, and start to understand what security gaps or areas of remediation have been identified.
At this point, an ISO implementation plan can be formalized to correct and strengthen those areas. The enterprise will then have a policy in place that soundly follows a given procedure, and not the other way around, where companies develop a policy that isn’t followed because the underlying procedure was never implemented. Putting the cart before the horse is a common mistake in policy and procedural development that needs to be avoided at all times.
Organizations should also consider hiring the services of an ISO consultant, generally known as an ISO 27001 Lead Implementer. This individual helps organizations implement all the necessary operational, security and social changes needed for an organization to be considered a candidate for an official ISO audit or for that organization to comfortably say it adheres to the best practices of ISO 27001 security.
It is important to remember that actual ISO certification by a certification body is vastly different from "adhering" to ISO best practices without any objective third-party validation. Even with that said, most if not all organizations looking to comply with ISO security best practices have to start somewhere, which is usually a self-evaluation resulting in an internal gap analysis, complete with a detailed listing of areas for remediation.
This was first published in December 2011