Fortunately, there are two tools that you (hopefully) already have at your disposal:
- A spreadsheet -- As you've probably already discovered, ISO 27002 is broken up into 12 main sections. I recommend creating a spreadsheet with at least one worksheet for each section. From there, break down each section into appropriate policies, procedures and controls. There are several organizations that sell pre-made spreadsheets for this purpose, but keep in mind that ISO 27001/2 is flexible, so even with a commercial product, some editing will be necessary to cover your specific situation. Some auditors will also pre-share their own lists; this is something to consider when negotiating during the contract phase. Regardless of how the spreadsheets are generated, they will serve as a basic outline for measuring your current state, as well as your target state for certification.
- Project management skills -- Once you have your spreadsheet, these skills come to bear through the simple -- yet not necessarily easy -- job of prioritizing and implementing the necessary changes to achieve certification. The level of difficulty of prioritization is going to depend heavily on how complete the current information security program is. One way to do this is to take the spreadsheets from above and rate each objective on three metrics:
- % complete
- cost to comply
Then add these three numbers together and you'll have some data to compare the tasks to each other. If the company has a more formal risk management process in place, leverage that for the rankings instead.
For more information:
- Learn how to apply ISO 27002 to PCI DSS compliance.
- Is the Orange Book still relevant for assessing security controls? Read more.
This was first published in February 2009