Now here is a spreadsheet that will help you understand your compliance level right from the beginning to the end of your implementation process. This document has three sheets out of which two shows you the status of implementation based on each control objective and each domain.

All you need to do is to ask yourself / team / organization the question that is posted against each control and put in your answers in the column called “Findings”. Once this is done, you will be able to determine the level of implementation. Put in the percentage of completion in the “Status (%)” column against each control.

The value in the “Status (%)” will be in the range of 0 -100 and you can mention NA or any other value to denote that a particular control is not applicable. Kindly note that if there is any control that is not applicable to your organization, then your cumulative results on the other two sheets will show either not completed or partial. To avoid such situation, mention Not Applicable in your findings and put in the value 100 in the status field. This will ensure that your report is accurate.

By going to the other two sheets you will be able to understand the level of implementation. This is also useful when you want to project to the management on your progress of implementation.

The graphical representation sheet will give you the graphical view of your status, which can be incorporated into your management presentation.

You can download the file here.
ISO 27001 Compliance Checklist

Note: Since the site does not allow uploads of .xls files, I have renamed this file as .pdf. All you need to do is right click on the link to download the file, save it on your machine and rename the extension back to .xls and you are ready to go. Cheers!!!

Keep an eye on any assets been added to your infrastructure. Usually in large organizations it is quiet obvious that you tend to skip this task and get surprises during your next audit. There are also possibilities that an asset has been removed from the infrastructure. Identify the assets, do a risk assessment, update your risk treatment documents and the SOA if required. Since you are already certified, I assume the process of adding assets or removing has already been defined, communicated and followed.

User awareness should be an ongoing process. Try to avoid giving the same details over and over again. Employees will be interested in knowing the latest threats and

• how that can impact the organization
• what measures have we taken to avoid this risk
• by implementing information security practices how have we taken care of such threats
• how much value they as employees have added

Never forget to check the effectiveness of the awareness sessions. You can conduct quizzes, scenario based training programs, online training programs etc, which can be made mandatory by having the performance of individuals mapped directly to their appraisals.

Internal audit should be carried out at regular interval. The interval of audits will be as per your internal policy. There are different areas were the audits has to be conducted. I am sure you would have experienced this during your certification audit. Some of areas are as listed below. For more details on what to look for under each of these areas, refer to my article called “ISMS Implementation guide” which is posted in the same site.

• On floor audit
• Desktop audit
• Awareness audit
• Technical audit
• Social engineering

Some of the other activities that should be carried out on a regular basis, apart from the awareness are as mentioned below:

• Fire drills
• Check for the expiry dates on fire extinguishers
• Penetration testing, Vulnerability assessment
• Testing of BCP implementation

The last one on this article is to measure the effectiveness of your implementation. There is something that you have implemented and you need to know if what you have implemented is useful, valuable to the organization which includes employees and effective. This will also help you in your surveillance audit to a great extent in showing improvements.

How to measure your controls effectiveness is a topic by itself. I am looking forward in writing an article at the earliest. In the meantime there is a document from National Institute of Standards and Technology (NIST), sp800-80, which is still in a draft stage. You can get this document from the following location.

Guide for developing performance metrics for information securitydraft sp800 80

1. Nothing has happened for the past X years. What is going to happen now and why do you want all these security

2. How is the organization benefited out of implementing information security practices…??? How much will be the profit…???

3. So you mean to say, once we implement information security practices, my network is completely safe.

4. We want work to be done. Do not hamper our routine to integrate your security practices

5. Security!!! Please ask IT

6. I have firewalls, IPS, two-factor authentication, anti-virus gateways, web filters, motion detectors, access control mechanisms etc implemented , what more security are you going to provide…???

7. If I change this now, nothing is gonna work. Please do not suggest any changes, it has been working, let it work

Please download the document here:
ISMS Implementation Guide

Risks:
Management Commitment — Management has one of the key roles in the implementation of ISMS practices. The management should have the thirst, drive and understanding for the requirement of ISMS practices in the organization.

Availability of Internal Resources — This is a very common problem that everyone faces. We will require the participation of other team members, right from the initial phase until implementation is completed and further to practice the implementation. To address certain areas like, asset inventory, risk assessment etc, it will difficult to get some of the resources, since they will also be busy with their routine tasks.

Asset Inventory — There are two risks to this phase.

Identifying and recording all the assets from all the departments. It is sometimes not possible to sit with each and every team and help them in identifying their assets. So the common practice is to have a workshop with one of the members from those teams and then request to identify the assets in their department. So the information that comes back from the team members are the ones they have identified and most times you can have surprises.
The implementation project in an organization with 500 – 1000 employees would take a minimum of 6 to 8 months. During this period there will chances that new assets are added to the infrastructure and you go unnoticed. So keep you eye open to see and understand, if there any proof of concept (POC) going on for any products or anything budgeted for the current year.

Hiding non-existence of Controls — While you are carrying out your control assessment, it is quite obvious that the nominated persons to assist you in taking you through the exisiting controls might hide certain weak areas or areas where there are absolutely no controls. This is very often done cause the nominated persons do not completly understand the meaning of a control assessment and mistake it for an audit and fear of you reporting non-conformities to the senior management. If this is not been communicated properly, make sure that you take about 5 minutes before you start of with your control assessment exercise to brief the person assisting you on the impact. If you fail to identify the areas where there is no control, this would impact your risk assessment exercise.

Manpower/Budget — During the implementation phase there will be controls recommended which can be both technical and non-technical. At times it has been seen that there will be lack of man power or lack of expertise for implementation of these controls or the organization would not be ready with the budget required for the purchase of these products. So watch out for these risks and have a buffer of both in place.

User Awareness — There are numerous workarounds for other implementations, tell me one workaround for lack on awareness in the organization…??? I don’t see any and would certainly consider this as one of the critical risks to the organization. Even before you think of implementing ISMS practices, collect the required information and start training the employees on regular intervals. At a later stage if you decide not to implement ISMS, you still do not loose anything.