Implementation Overview - Initiation Phase
ISO 27001
INITIATION PHASE
Get your project off to the best possible start.
Contents
Initiation Phase of ISO 27001 Implementation (page 2)
1. Establish a Project Plan (page 4)
2. Assemble a Steering Group (page 6)
3. Define the ISMS (page 8)
4. Develop an Information Security Policy (page 10)
5. Define ISMS Roles and Responsibilities (R&Rs) (page 12)
6. Set ISMS Objectives (page 14)
Alignment with ISO 27001:2022 Clauses 4 & 5 (page 16)
Initiation Phase of ISO 27001 Implementation
The Initiation phase of ISO 27001 implementation is about laying a solid foundation for an
Information Security Management System (ISMS).
The phase ensures that all necessary preparatory steps are taken to set up the ISMS
effectively. It involves demonstrating an understanding of the organisational context, defining
the scope, and ensuring leadership commitment.
In short, we are setting a scope and laying out the framework.
High-Level Summary of the Initiation Phase
The Initiation phase focuses on:
1. Establishing a project plan.
2. Assembling a steering group.
3. Defining the ISMS.
4. Developing an information security policy.
5. Defining ISMS roles and responsibilities (R&Rs).
6. Setting ISMS objectives.
Each step helps ensure a comprehensive and systematic ISMS implementation.
Let's take a look at each one in turn.
1. Establish a Project Plan
Overview
Failing to plan is planning to fail. Every complex delivery needs a project plan, and a move to
ISO 27001 is no different.
The project plan outlines the approach, key resources, timelines, and milestones required for
the ISMS implementation.
I've said I won't go into too much detail on project management techniques, but every project
plan follows a similar approach.
I've posted many templates and advice on running projects on my website, www.iseoblue.com,
if you need them.
Implementation
• Create a Detailed Project Charter
This document should include the scope, objectives, deliverables, timelines,
resources, and stakeholders involved in the ISMS project.
https://www.iseoblue.com/post/project-charter-template
• Define Key Milestones
Break down the implementation into manageable phases with specific milestones to
track progress.
Guess what – that's what this document helps with.
You're welcome.
• Allocate Resources
Identify and allocate necessary resources, including personnel, budget, and tools
required for the implementation.
At this stage, it can only be roughly what you think you'll need, but later, you'll build out
the actual resources based on a more detailed evaluation of requirements.
• Capture Project Risks
Develop a plan to identify potential challenges and mitigation strategies. Every project
plan should manage risk, and this one is no different. Risks specific to an ISO 27001 project could include:
• Insufficient Resources – Use the plan as a basis, but clarify that requirements
will unfold as the project is implemented. Make sure you have estimates for
consultancy, auditing, etc.
• Management commitment – If your senior executives are indifferent to the ISO
27001 process, you will likely not get essential support and traction on things
when you need it most.
• Lack of expertise – This guide is here to help, but you could overengineer things
if you get caught up in the details or make an incorrect assumption.
• Resistance to change – If you don't bring stakeholders with you and try to apply
ISO 27001 and its controls to them without active engagement and listening,
then brace yourself for pushback.
• Define a Communication Plan
Establish a communication plan to ensure all stakeholders are informed and engaged
throughout the implementation process.
A more detailed communication and awareness programme is needed, but this part of
the project plan explains how you will keep your stakeholders informed of the progress
of your move to ISO 27001, as opposed to how the ISMS needs to be applied, etc. For
example, highlight reports, meetings, etc.
2. Assemble a Steering Group
Overview
Once you have an approved project plan (and please make sure your senior stakeholders
approve it!), I recommend forming an Information Security Group (ISG) with defined terms of
reference to oversee the implementation process, ensuring that all necessary expertise and
leadership are represented.
If you are able, the ISG can address two needs in a single place:
1) Act as your project team/board
2) Act as your ISMS governance
Implementation
• Define the Terms of Reference
These outline the purpose and responsibilities of the Steering Group.
ISG 1 - Information Security Steering Group Terms of Reference.
In the short term, it will act like a project team, but in the longer term, it'll become the
management review body for the governance of your ISMS.
• Select Attendees
Choose members from various departments, including IT, HR, legal, and senior
management, to ensure diverse perspectives and expertise.
Leave people out at your peril, but don't invite the world and his mother; it never makes
for good governance.
• Define Roles and Responsibilities
Clearly outline the roles and responsibilities of each member to ensure accountability
and effective decision-making.
• Set Up Regular Meetings
Schedule regular meetings to review progress, discuss challenges, and adjust the
implementation plan as needed.
• Document Meetings
Maintain detailed records of steering group meetings, decisions, and action items to
ensure transparency and accountability.
You’ll need these as evidence of management commitment later in the audit, so make
sure you capture them.
ISG 2 - Information Security Group Meeting Minutes
• Create the Information Security Statement
The ISMS must evidence senior support and commitment.
I recommend having an overarching statement that sets out the ISMS's stall and makes
it clear to everyone what the expectations are, thus helping address Clause 5.1
(Leadership and Commitment).
It's not mandatory, but I recommend it.
G3 - Information Security Statement
3. Define the ISMS
Overview
Scope definition time.
We need to identify and document an asset inventory and understand statutory, regulatory,
and contractual requirements to establish the boundaries and applicability of the ISMS, all of
which will influence its scope.
Implementation
• Conduct an Asset Inventory
Identify all information assets, including hardware, software, data, and personnel, and
document their importance to the organisation.
R1 – Asset Inventory
Depending on your organisation, this may be relatively easy or very hard. I recommend
starting by capturing things at a high level and then going down in levels of detail.
You will ultimately need a detailed list of every information asset (who owns it, where it
is, etc.). But at this point, it might be easier to capture the various types of asset that will
fall into the scope of your ISMS.
So, for example, start by acknowledging laptops/desktops, databases, and systems
as asset groups, then catalogue them in a little more detail or point to where an asset
register is maintained, e.g. an automated hardware inventory system.
• Understand Legal and Regulatory Requirements
Identify applicable statutory, regulatory, and contractual requirements that affect
information security.
G11 – Statutory Regulatory & Contractual Requirements
I've documented some to get you started based on EU/UK law, but they'll be unique to
your organisation, customers and locale. For example:
▪ GDPR (EU / UK)
▪ Australian Privacy Act (1988)
▪ HIPAA health data legislation, USA
▪ PCI DSS Payment card protection
• Define & Document the ISMS Scope
Define the boundaries of the ISMS, considering the organisation's context, internal and
external issues, and interested parties' expectations.
G1 – Information Security Management System (ISMS) Scope Document
I've created a document to walk you through this, but my advice is simple:
KEEP THE SCOPE AS TIGHT AS POSSIBLE TO START.
You can always build it out later. Look at what is most important to protect and start
there, such as customer-facing services and data.
Ensure that the ISMS scope is documented, agreed and communicated to all relevant
stakeholders.
4. Develop an Information Security Policy
Overview
Next up is a hugely important piece of the puzzle, and every auditor will ask for it within the first
five minutes of an audit, after finding the coffee machine and the toilets: an Information
Security Policy.
We need to draft an initial information security policy that aligns with the organisation's
objectives and regulatory requirements, setting the groundwork for security practices.
Implementation
• Policy Drafting
Develop a comprehensive information security policy that includes the organisation's
commitment to information security, objectives, and principles.
P1 – Information Security Policy
This will likely become a document that needs to be revisited as you build up
sub-policies that cover specific aspects in more detail, but only for specific groups or areas.
I strongly advise making the policy as easy to read and digest as possible. Our main
objective is getting compliance, not creating a stick to beat people. Avoid overwhelming
readers with legal wording and confusing phrases like 'notwithstanding'.
An information security policy is not a legal document, so don't word it like one. Sure, it
can have legal implications if someone fails to adhere to it, but that makes it even more
critical to make it readable and in plain English.
Also, the policy should be worded positively rather than negatively. Say what you want
people to do, not what you don't want them to do. E.g.
"Always lock your computer when stepping away from your desk to ensure data
security."
Rather than
"Do not leave your computer unlocked when you are away from your desk."
• Approval and Communication
Get the policy approved by senior management and communicate it to all employees.
• Regular Review
Establish a process for regular review and updates to the policy to ensure it remains
relevant and effective.
5. Define ISMS Roles and Responsibilities (R&Rs)
Overview
Next, we need to clearly define and document roles and responsibilities related to information
security to ensure accountability and effective implementation.
To some extent, we've already done some of this in the ISG (Information Security Group) terms
of reference, but we need to expand it across the ISMS.
Implementation
• Identify & Document Key Roles & Responsibilities
Determine the necessary roles for ISMS implementation, including information security
officer, risk manager, compliance officer, and other relevant positions.
G8 – ISMS Roles & Responsibilities Document
In smaller organisations, there might be fewer roles, and a person can potentially wear
multiple hats (recognising a role is not necessarily the same as a job).
Clearly outline the responsibilities of each role, ensuring they cover all aspects of the
ISMS implementation and ongoing management.
Assign these roles to individuals based on their expertise and organisational
responsibilities.
• Communicate R&Rs
You can’t tuck the roles & responsibilities away in a corner; it’s important to
communicate them so people know what is expected and can identify any gaps in cover
and skills.
• Training and Support
Provide the necessary training and support to individuals to enable them to fulfil their
roles effectively.
You'll need to determine the best time to do this. Some people may need training early
(for example, if they need to know more about ISO 27001 and its structure), while others
may need it later as part of the awareness and communication campaign.
At this stage, focus on what people need to know to get your ISMS off the ground.
6. Set ISMS Objectives
Overview
Establish specific, measurable, attainable, relevant, and time-bound (SMART) objectives for
the ISMS to guide subsequent implementation phases and provide clear goals for security
improvements.
Clause 6.2 requires the ISMS to have documented objectives. I think defining the objectives as
part of the initiation phase fits naturally here, so you broadly know where you are heading.
Implementation
• Identify Objectives
Based on the organisational goals, identify specific objectives for the ISMS. These might
include improving data protection measures, achieving regulatory compliance, or
enhancing incident response capabilities.
Assuming this is your initial venture, setting objectives early helps define your project more
clearly. They could be pretty basic, such as setting up an ISO 27001-compliant
ISMS by the end of the quarter.
G2 – ISMS Objectives
However, to get you thinking, here are some suggestions:
Objective 1: Enhance Information Security Awareness
• Key Result 1: Conduct information security training sessions for 100% of employees by the end
of Q4.
• Key Result 2: Achieve a 90% or higher score on post-training assessments for all employees.
• Key Result 3: Distribute monthly security newsletters and achieve a 75% open rate.
Objective 2: Improve Risk Management Process
• Key Result 1: Identify and document 100% of critical information assets by the end of Q2.
• Key Result 2: Complete a risk assessment for all identified critical assets by the end of Q3.
• Key Result 3: Implement risk treatment plans for the top 5 identified risks by the end of Q4.
Objective 3: Strengthen Access Control Measures
• Key Result 1: Implement multi-factor authentication (MFA) for all employees by the end of Q3.
• Key Result 2: Ensure 100% compliance with the new access control policy by the end of Q4.
• Key Result 3: Conduct quarterly access reviews to ensure proper access rights and achieve a
95% accuracy rate.
Objective 4: Enhance Incident Response Capability
• Key Result 1: Develop and approve an incident response plan by the end of Q1.
• Key Result 2: Conduct two incident response drills by the end of Q3, achieving a 100%
participation rate.
• Key Result 3: Reduce the average incident response time by 20% by the end of Q4.
Objective 5: Achieve Compliance with ISO 27001:2022 Requirements
• Key Result 1: Complete a gap analysis against ISO 27001:2022 by the end of Q2.
• Key Result 2: Implement corrective actions for identified gaps, achieving 100% closure by the
end of Q3.
• Key Result 3: Successfully pass the ISO 27001:2022 certification audit by the end of Q4.
• Communicate Objectives
Once ready, communicate the objectives to all relevant stakeholders to ensure
everyone knows the goals and their role in achieving them.
• Monitor and Review
Establish processes for monitoring progress towards these objectives and review them
regularly to ensure they align with the organisational goals and ISMS requirements.
Alignment with ISO 27001:2022 Clauses 4 & 5
Let's examine briefly how these steps align with clauses 4 (Context of the Organisation) and 5
(Leadership).
Clause 4: Context of the Organisation
Clause 4 determines what needs to shape your ISMS and its response in terms of scope, policies,
procedures, controls, etc.
Here's how we go about ticking it off:
✓ Understanding the Organisation and Its Context (4.1): We’ve documented the
context as part of our scope.
✓ Understanding the Needs and Expectations of Interested Parties (4.2): We’ve
captured our interested parties in our scope.
✓ Determining the Scope of the ISMS (4.3): We’ve documented and shared our scope,
clarifying our ISMS boundaries.
✓ Information Security Management System (4.4): We've started to establish and
implement the ISMS per the requirements of ISO 27001.
Clause 5: Leadership
Clause 5 ensures we have top-down direction so everyone understands where we are heading
and what part they must play.
We do that by addressing the following parts:
✓ Leadership and Commitment (5.1): Ensure top management demonstrates leadership
and commitment to the ISMS through the Information Security Statement, the ISG
Steering Group, and sponsorship of the resources and project plan for ISO 27001.
✓ Information Security Policy (5.2): We’ve developed and communicated an information
security policy.
✓ Organisational Roles, Responsibilities, and Authorities (5.3): We have assigned,
documented and communicated the ISMS roles and responsibilities.
Hopefully, you can see the clear correlation between this phase's activities and meeting the
clauses' requirements in the standard.
Next up?
Planning: exploring risk and our responses to it.
Important Notice
This document is provided for personal use only. Commercial or consultative use requires a licence. For detailed terms of use, please visit
https://www.iseoblue.com/terms.