
Getting started with an ISO implementation

Struggling to develop an ISO implementation plan? Get advice on starting an enterprise ISO implementation.

I want to implement ISO security standards in my organization, but I don't know where to start. I have a couple of policies in place, but I want help on how I can tie the process together.

There are numerous ISO standards, so it’s necessary to first identify which of the ISO frameworks the organization seeks to align with and then begin to better understand the respective requirements for policies, procedures, and other related processes.

Keep in mind an organization cannot technically have an ISO policy to follow if the procedures have not been implemented within that organization. As such, the first order of business should be to seek out the specific ISO standard (such as ISO/IEC 27001:2005) the enterprise wishes to comply with, purchase the relevant standards documentation from ISO or an ISO representative, and start to understand what security gaps or areas of remediation have been identified.

At this point, an ISO implementation plan can be formalized to correct and strengthen those areas. The enterprise will then have a policy in place that soundly follows a given procedure, and not the other way around, where companies develop a policy that isn’t followed because the underlying procedure was never implemented. Putting the cart before the horse is a common mistake in policy and procedural development that needs to be avoided at all times.

Organizations should also consider hiring the services of an ISO consultant, generally known as an ISO 27001 Lead Implementer. This individual helps organizations implement all the necessary operational, security and social changes needed for an organization to be considered a candidate for an official ISO audit or for that organization to comfortably say it adheres to the best practices of ISO 27001 security.

It is important to remember that actual ISO certification by a certification body is vastly different from "adhering" to ISO best practices without any objective third-party validation. Even with that said, most if not all organizations looking to comply with ISO security best practices have to start somewhere, which is usually a self-evaluation resulting in an internal gap analysis, complete with a detailed listing of areas for remediation.

This was last published in December 2011
