The SOA documents the control objectives (figure 6), the controls selected from Annex A, and the justification for adopting or not adopting each control.

Phase 7—Set Up Policies and Procedures to Control Risks
For each control adopted in the SOA, the organization needs a policy statement or a detailed procedure-and-responsibility document (figure 7) that assigns user roles, so that the policies and procedures are implemented consistently and effectively.

Figure 7—Referenced Policies and Procedures to Control Risks Example

ISO 27001:2005 Controls                    | Excluded | Existing | Justification  | Reference Policies
Objective                       | Section  | Controls | Controls |                | and Procedures
--------------------------------|----------|----------|----------|----------------|---------------------------
Security of system files        | 12.4     |          | Yes      | Best practices | Systems acquisition/
                                |          |          |          |                | development policy
  12.4.1 Control of             |          |          |          |                |
  operational software          |          |          |          |                |
  ... system test data          |          |          |          |                |

Documentation of policies and procedures is a requirement of ISO/IEC 27001. The list of applicable policies and procedures depends on the organization's structure, locations and assets.

Phase 8—Allocate Resources, and Train the Staff
The ISMS process highlights one of management's most important commitments: providing sufficient resources to develop, implement, maintain and manage the ISMS. Training must be documented, because the auditor will ask for evidence that it took place.

Phase 9—Monitor the Implementation of the ISMS
Periodic internal audit is mandatory for monitoring and review. An internal audit consists of testing the controls and identifying corrective and preventive actions. To complete the PDCA cycle, the gaps identified in the internal audit must be addressed: a gap analysis establishes the organization's current level of compliance, and the corrective and preventive controls needed to close each gap are identified and implemented.

To be effective, the ISMS must be reviewed by management at planned, periodic intervals. The review follows up on changes and improvements to policies, procedures, controls and staffing decisions. This step, the management review, is an important part of the process. The results of audits and periodic reviews are documented and retained.
Phase 10—Prepare for the Certification Audit
In order for the organization to be certified, it is essential that it conduct a full cycle of internal audits, management reviews and PDCA activities, and that it retain evidence of the actions taken in response to those reviews and audits. ISMS management should review the risk assessments, the RTP, the SOA, and the policies and procedures at least annually.

An external auditor first examines the ISMS documentation to determine the scope and content of the ISMS. The objective of the internal review and audit cycle is therefore to have sufficient evidence and review/audit records ready to send to the auditor. This evidence demonstrates the efficiency and effectiveness of the ISMS as implemented across the organization and its business units.
Phase 11—Conduct Periodic Reassessment Audits
Follow-up reviews and periodic audits confirm that the organization remains in compliance with the standard. Maintaining certification requires periodic reassessment audits confirming that the ISMS continues to operate as specified and intended. As with other ISO management system standards, ISO 27001 follows the PDCA cycle, which helps ISMS management judge how far and how well the enterprise has progressed around that cycle. This progress directly influences the time and cost estimates for achieving compliance.