Fortunately, there are two tools that you (hopefully) already have at your disposal:
- A spreadsheet -- As you've probably already discovered, ISO 27002 is broken up into 12 main sections. I recommend creating a spreadsheet with at least one worksheet for each section. From there, break down each section into appropriate policies, procedures and controls. There are several organizations that sell pre-made spreadsheets for this purpose, but keep in mind that ISO 27001/2 is flexible, so even with a commercial product, some editing will be necessary to cover your specific situation. Some auditors will also pre-share their own lists; this is something to consider when negotiating during the contract phase. Regardless of how the spreadsheets are generated, they will serve as a basic outline for measuring your current state, as well as your target state for certification.
- Project management skills -- Once you have your spreadsheet, these skills come to bear through the simple -- yet not necessarily easy -- job of prioritizing and implementing the necessary changes to achieve certification. The level of difficulty of prioritization is going to depend heavily on how complete the current information security program is. One way to do this is to take the spreadsheets from above and rate each objective on three metrics:
- % complete
- cost to comply
Then add these three numbers together and you'll have some data to compare the tasks to each other. If the company has a more formal risk management process in place, leverage that for the rankings instead.
For more information:
- Learn how to apply ISO 27002 to PCI DSS compliance.
- Is the Orange Book still relevant for assessing security controls? Read more.
Related Q&A from David Mortman
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it ...continue reading
PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security...continue reading
When hiring an information security team member, how important is a certification in information security? Learn how to talk to executives about ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.