ISO 27001:2022 Tips and Tricks. How to accelerate the implementation
by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001
www.patreon.com/AndreyProzorov
1.0, 01.06.2023
Agenda
1. ISMS Implementation plan
2. The main obstacles
3. Recommendations for the implementation team
4. Recommendations for the project management
5. Recommendations for the core processes
6. Other recommendations
7. ChatGPT and ISO 27001 (ISMS) Toolkits
ISMS Implementation plan
1. Conduct awareness training for top management
2. Conduct a gap analysis
3. Understand the context of the organisation
4. Plan the implementation
5. Conduct the first IS Committee meeting
6. Establish the Information Security Policy and information security objectives
7. Take an inventory of the assets
8. Define a risk assessment method; identify and assess information security risks
9. Prepare the Statement of Applicability (SoA) and Risk Treatment Plan (RTP)
10. Define requirements for documentation management
11. Develop the ISMS framework and define roles and responsibilities
12. Develop and implement a set of ISMS policies and procedures
13. Plan and implement additional information security measures
14. Plan, prepare and conduct awareness training
15. Operate the ISMS
16. Monitor the ISMS
17. Audit the ISMS
18. Conduct ISMS management reviews
19. Practice continual improvement
20. Prepare for the certification audit
*time-consuming tasks
The Program Evaluation and Review Technique (PERT) is a project management planning tool
used to estimate how long it will realistically take to finish a project.
ISMS implementation plan (PERT estimate): 1-2 years
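The slide only states the PERT result. The following script is an added example, not from the original deck, that shows how such an estimate is produced: three-point (optimistic / most likely / pessimistic) estimates per task, the PERT expected duration (o + 4m + p) / 6, and a forward pass over the task dependencies to find the critical path. The task names follow the 20-step plan above, but the week figures and the dependency graph are constructed assumptions, not the author's numbers. It also shows the effect of the "schedule parallel tasks" recommendation by re-running the same plan with document preparation serialised after the SoA.

```python
"""PERT estimate and critical path for an ISMS implementation plan.

Added example; not part of the original slides. Task names follow the
20-step plan above, but the three-point estimates (optimistic, most likely,
pessimistic, in weeks) and the dependencies are constructed assumptions.
"""
from collections import deque

# (task, optimistic, most_likely, pessimistic, predecessors) - assumed values
PLAN = [
    ("awareness_top_mgmt", 1, 2, 4, []),
    ("gap_analysis", 2, 4, 8, ["awareness_top_mgmt"]),
    ("context", 1, 2, 3, ["gap_analysis"]),
    ("plan", 1, 2, 4, ["context"]),
    ("asset_inventory", 2, 4, 10, ["plan"]),
    ("risk_assessment", 4, 8, 16, ["asset_inventory"]),
    ("soa_rtp", 1, 2, 4, ["risk_assessment"]),
    ("documents", 6, 10, 20, ["plan"]),  # in parallel with the risk work
    ("controls", 8, 16, 30, ["soa_rtp", "documents"]),
    ("awareness_all", 2, 4, 6, ["documents"]),
    ("operate_monitor", 8, 12, 16, ["controls", "awareness_all"]),
    ("internal_audit", 2, 3, 6, ["operate_monitor"]),
    ("mgmt_review", 1, 1, 2, ["internal_audit"]),
    ("cert_prep", 2, 4, 8, ["mgmt_review"]),
]


def pert_expected(o, m, p):
    """PERT expected duration of one task: (o + 4m + p) / 6."""
    return (o + 4 * m + p) / 6


def pert_sigma(o, p):
    """PERT standard deviation of one task: (p - o) / 6."""
    return (p - o) / 6


def critical_path(plan):
    """Forward pass over the task graph.

    Returns (expected_total, std_dev, path): the expected project duration,
    the standard deviation accumulated along the critical path, and the tasks
    on it. Tasks off the path have slack and can run in parallel at no cost.
    """
    tasks = {name: (o, m, p, preds) for name, o, m, p, preds in plan}
    expected = {n: pert_expected(o, m, p) for n, (o, m, p, _) in tasks.items()}

    # Kahn's algorithm gives a topological order and detects cycles.
    indeg = {n: len(t[3]) for n, t in tasks.items()}
    succ = {n: [] for n in tasks}
    for n, t in tasks.items():
        for pre in t[3]:
            succ[pre].append(n)
    queue = deque(n for n, d in indeg.items() if d == 0)
    order = []
    while queue:
        n = queue.popleft()
        order.append(n)
        for s in succ[n]:
            indeg[s] -= 1
            if indeg[s] == 0:
                queue.append(s)
    if len(order) != len(tasks):
        raise ValueError("dependency cycle in plan")

    # Earliest finish of a task = latest finish among its predecessors + duration.
    finish, via = {}, {}
    for n in order:
        preds = tasks[n][3]
        via[n] = max(preds, key=lambda p: finish[p]) if preds else None
        finish[n] = (finish[via[n]] if via[n] else 0.0) + expected[n]

    last = max(finish, key=finish.get)
    path = []
    while last is not None:
        path.append(last)
        last = via[last]
    path.reverse()
    variance = sum(pert_sigma(tasks[n][0], tasks[n][2]) ** 2 for n in path)
    return finish[path[-1]], variance ** 0.5, path


def with_dependency(plan, task, extra_pred):
    """Copy of the plan in which `task` also waits for `extra_pred`
    (models doing two tasks one after the other instead of in parallel)."""
    return [(n, o, m, p, preds + [extra_pred] if n == task else preds)
            for n, o, m, p, preds in plan]


if __name__ == "__main__":
    total, sd, path = critical_path(PLAN)
    print(f"expected {total:.1f} weeks (+/- {sd:.1f}), critical path: {' > '.join(path)}")
    serial, _, _ = critical_path(with_dependency(PLAN, "documents", "soa_rtp"))
    print(f"same plan with documents written after the SoA: {serial:.1f} weeks")
```

With these assumed figures the expected duration is 64 weeks, inside the 1-2 year range on the slide, and document preparation is off the critical path; forcing it to wait for the SoA pushes the estimate to 75 weeks, which is the cost of not scheduling the two tasks in parallel.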
The main obstacles
1. Lack of top management support
2. Insufficient budget and resources / no allocated resources
3. Resistance to change (e.g., complex stakeholder alignment, lengthy document approval, complicated procurement processes)
4. Inadequate understanding of ISMS concepts (e.g., focusing on the Annex A controls instead of the mandatory requirements in clauses 4-10 of the main text)
5. Lack of skilled professionals
6. Unclear roles and responsibilities
7. Ineffective communication with interested parties
8. Choosing a risk assessment methodology that is too complicated
9. No processes / low process maturity / overly complex processes, especially:
• Internal audit
• Nonconformity management
• ISMS evaluation (metrics and KPIs)
• Asset management
• Incident management
• Change management
• Business continuity management
10. Trying to raise process maturity by 2-3 levels in one step
11. Implementing new automation tools (e.g., GRC, SIEM, UEBA, SOAR) before the underlying processes exist
12. Lack of information security culture / lack of awareness
Recommendations for the implementation team
1. Educate the implementation team in advance
2. Protect the implementation team from other projects and tasks
(prioritisation)
3. Increase the motivation of the implementation team
(e.g., additional bonuses, flexible hours, training courses)
4. Hire a few interns
5. Involve external consultants and/or mentors
Recommendations for project management
1. Set clear and realistic project goals
2. The project charter is important, but don't make it too complicated
3. Reduce the ISMS scope for the first certification (the scope must still be documented with its boundaries, interfaces and dependencies, as clause 4.3 requires)
4. Improve communication between implementation team members (e.g., use a Kanban board, create a channel in Slack/MS Teams)
5. Don't spend much time on detailed up-front planning; work in short sprints (1-2 weeks)
6. Schedule tasks in parallel (e.g., risk assessment and document preparation)
7. Prepare and strictly follow a communication plan
Recommendations for the core processes
1. Launch awareness training ASAP, starting with top management
2. Launch the ISMS Committee / IS Steering Committee ASAP. Hold meetings once or twice a month at first, then once a quarter.
3. Use simple templates for ISMS documents and lightweight approval and review procedures (e.g., approve documents during ISMS Committee meetings)
4. Use Notion/Confluence (if allowed)
5. Create templates and registers in advance:
   1. ISMS Committee presentation and minutes of meeting (MoM)
   2. Policy template
   3. Statement of Applicability (SoA)
   4. Audit plan and report
   5. Nonconformity register and report
   6. ISMS management review report
   7. Risk register
   8. Incident register
6. Prepare the mandatory documents first. You don't need the full set of topic-specific policies and procedures!
7. Simplify the core processes! You will improve them later…
8. Combine an ISMS gap analysis with internal audits
9. Don't spend much time on the risk assessment. You will improve it later…
10. Implement only the critical Annex A controls now and plan the rest (the SoA must still cover every Annex A control with a justification for its inclusion or exclusion and its implementation status, and the controls you only plan belong in the RTP with an owner and a date)
11. Continual improvement is better than a perfect system
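Items 5, 9 and 10 above leave the SoA, the risk register and the RTP as three separate registers that must still agree with each other when the auditor reads them side by side. The script below is an added example, not from the deck or its toolkit, of the consistency check a practitioner would run over those registers (in practice exported from the Excel sheets the deck recommends). The control numbers and titles are from Annex A of ISO/IEC 27001:2022; the SoA rows, risks and RTP entries are constructed sample data seeded with the defects the check is meant to catch: a control with no SoA row, an exclusion without justification, a planned control missing from the RTP, a treatment that relies on an excluded control, and a "modify" treatment that names no control.

```python
"""Consistency check between a risk register / RTP and the Statement of
Applicability (SoA).

Added example; not from the slides. ISO/IEC 27001:2022 clause 6.1.3 requires
the SoA to list the necessary controls, justify every inclusion and exclusion
and state whether each control is implemented, and the risk treatment plan
must agree with it. The control numbers and titles below are taken from
Annex A of the 2022 edition; the SoA rows, risks and RTP entries are
constructed sample data with deliberate defects.
"""

# Assumed subset for the example; a real check is run over all 93 Annex A controls.
ANNEX_A_SUBSET = {
    "A.5.1": "Policies for information security",
    "A.5.15": "Access control",
    "A.6.3": "Information security awareness, education and training",
    "A.7.7": "Clear desk and clear screen",
    "A.8.2": "Privileged access rights",
    "A.8.7": "Protection against malware",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.13": "Information backup",
    "A.8.24": "Use of cryptography",
}

STATUSES = {"implemented", "partially implemented", "planned"}

# Constructed SoA: control -> (applicable, justification, implementation status)
SOA = {
    "A.5.1": (True, "Required by clause 5.2", "implemented"),
    "A.6.3": (True, "Treats R-01", "implemented"),
    "A.7.7": (False, "", None),  # excluded, but no justification
    "A.8.2": (True, "Treats R-02", "implemented"),
    "A.8.7": (True, "Treats R-02", "implemented"),
    "A.8.8": (True, "Treats R-02", "planned"),  # planned, but absent from the RTP
    "A.8.13": (True, "Treats R-03", "partially implemented"),
    "A.8.24": (False, "No in-house key management or custom cryptography", None),
    # A.5.15 has no row at all
}

# Constructed risk register entries: treatment option and the controls chosen
RISKS = [
    {"id": "R-01", "treatment": "modify", "controls": ["A.6.3"]},
    {"id": "R-02", "treatment": "modify", "controls": ["A.8.2", "A.8.7", "A.8.8"]},
    {"id": "R-03", "treatment": "modify", "controls": ["A.8.13", "A.8.24"]},  # excluded control
    {"id": "R-04", "treatment": "modify", "controls": []},  # "modify" with nothing chosen
]

# Constructed RTP: one row per control still being implemented
RTP = [
    {"control": "A.8.13", "owner": "IT Ops", "due": "2023-09-30"},
]


def check_consistency(universe, soa, risks, rtp):
    """Return a list of findings; an empty list means the SoA, the risk
    register and the RTP agree with each other."""
    findings = []
    for cid in universe:
        if cid not in soa:
            findings.append(f"{cid}: no SoA row (every Annex A control needs one)")
    in_rtp = {row["control"] for row in rtp}
    for cid, (applicable, justification, status) in soa.items():
        if cid not in universe:
            findings.append(f"{cid}: unknown control identifier")
            continue
        if not justification.strip():
            kind = "inclusion" if applicable else "exclusion"
            findings.append(f"{cid}: missing justification for {kind}")
        if applicable:
            if status not in STATUSES:
                findings.append(f"{cid}: applicable control has no implementation status")
            elif status != "implemented" and cid not in in_rtp:
                findings.append(f"{cid}: status '{status}' but no RTP entry (owner, due date)")
        elif status is not None:
            findings.append(f"{cid}: excluded control carries an implementation status")
    for risk in risks:
        if risk["treatment"] == "modify" and not risk["controls"]:
            findings.append(f"{risk['id']}: treatment 'modify' names no controls")
        for cid in risk["controls"]:
            row = soa.get(cid)
            if row is None:
                findings.append(f"{risk['id']}: uses {cid}, which has no SoA row")
            elif not row[0]:
                findings.append(f"{risk['id']}: uses {cid}, which the SoA excludes")
    return findings


if __name__ == "__main__":
    for line in check_consistency(ANNEX_A_SUBSET, SOA, RISKS, RTP):
        print(line)
```

Run against the sample data the check reports five findings, one per seeded defect; A.8.13 passes because its "partially implemented" status is backed by an RTP row with an owner and a due date. Running it before every ISMS Committee meeting is cheaper than discovering the same gaps during the certification audit.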
Other recommendations
1. Purchase and study ISO/IEC 27000, 27001, 27002, 27003, 27005, 27007 and ISO 19011 in advance
2. Collect and keep records with care
3. MS Excel is the best GRC tool for starters:
• Asset register
• Incident register
• Nonconformity register
• Risk register and RTP
• Statement of Applicability (SoA)
• ISMS documented information
• Supplier register
• …
4. Use ChatGPT (but don't paste confidential ISMS records, such as risk or incident details, into an external service without checking its data-handling terms)
5. Use templates and toolkits
www.patreon.com/posts/how-to-use-for-83553386
Best ISO 27001 (ISMS) toolkits
1. ISO27k Toolkit by ISO27k Forum (free) - https://lnkd.in/eC5Kh5d6
2. ISMS Implementation Toolkit by Andrey Prozorov ($28 per month) - https://lnkd.in/enzZdZ9
3. ISO 27001 Documentation Toolkit by Advisera ($897) - https://lnkd.in/euYBc-SW
4. ISO 27001 Toolkit by CertiKit (€950) - https://lnkd.in/ePxZUjHe
5. ISO 27001 Toolkit by IT Governance (£595 per year) - https://lnkd.in/eAwTcuE6
6. ISO/IEC 27001 Info Kit by PECB (free) - https://lnkd.in/d-HEuN_8
7. ISO 27001 Templates Toolkit: Consultant Edition 2022 by HighTable (£597) - https://lnkd.in/dxhZX56U
8. ISO 27001:2022 All-In-One Toolkit by Certification Templates ($999) - https://lnkd.in/djXhSbiv
9. Instant 27001 for Confluence (from €1,995) - https://lnkd.in/dE7y6vzX
10. ISO/IEC 27001:2022 Documentation Toolkit by UCStoolkit (€466) - https://lnkd.in/d7CpThMF
www.patreon.com/posts/47806655
Thanks, and good luck!
www.linkedin.com/in/andreyprozorov
www.patreon.com/AndreyProzorov
My ISMS Implementation Plan + templates
www.patreon.com/posts/isms-plan-iso-74660190
My other ISMS-related presentations

  • 9. 9 Other Recommendations 1. Purchase and study ISO 27000, 27001, 27002, 27003, 27005, 27007, 19011 in advance 2. Collect and keep records with care 3. MS Excel is the best GRC for starters • Asset register • Incident register • Nonconformity register • Risk register and RTP • Statement of Applicability (SoA) • ISMS Documented information • Supplier register • … 4. Use ChatGPT 5. Use templates and toolkits
  • 11. 11 Best ISO 27001 (ISMS) Toolkits 1. ISO27k Toolkit by ISO27k Forum (Free) - https://lnkd.in/eC5Kh5d6 2. ISMS Implementation Toolkit by Andrey Prozorov (28$ per month) - https://lnkd.in/enzZdZ9 3. ISO 27001 Documentation Toolkit by Advisera (897$) - https://lnkd.in/euYBc-SW 4. ISO 27001 Toolkit by CertiKit (950€) - https://lnkd.in/ePxZUjHe 5. ISO 27001 Toolkit by IT Governance (595£ per year) - https://lnkd.in/eAwTcuE6 6. ISO/IEC 27001 Info Kit by PECB (Free) - https://lnkd.in/d-HEuN_8 7. ISO 27001 Templates Toolkit: Consultant Edition 2022 by HighTable (597£) - https://lnkd.in/dxhZX56U 8. ISO 27001:2022 All-In-One Toolkit by Certification Templates (999$) - https://lnkd.in/djXhSbiv 9. Instant 27001 for Confluence (from 1995€) - https://lnkd.in/dE7y6vzX 10. ISO/IEC 27001:2022 Documentation Toolkit by UCStoolkit (466€) - https://lnkd.in/d7CpThMF
  • 13. Thanks, and good luck! www.linkedin.com/in/andreyprozorov www.patreon.com/AndreyProzorov 13
  • 14. My ISMS Implemantation Plan + templates 14 www.patreon.com/posts/isms-plan-iso-74660190
  • 15. My other ISMS-related presentations