ISO 27001 Implementation Roadmap

Address Short-Term Attestation Requirements (<1 Month)

Proving that you are secure while you are working towards 27001 certification is critical to the success of your organization. Where stronger interim attestation is required, see the Shared Assessment phase below.

Vulnerability Assessment/Penetration Test of Key Applications/Systems
Provides substantive evidence that the net security objectives (e.g., ensuring the confidentiality of information) are being achieved.
* Cost Effective * Well Regarded * Early Identification of Critical Risks

Secure Data Flow Diagram (SDFD)
Provides evidence that key client risks are being mitigated to an acceptable level by reasonable and appropriate security design.
* Integral to Risk Assessment and Scoping * Facilitates Risk Identification
* Evidence of Secure Design and Substantive Test is effective attestation

Preliminary 27001 Project Plan
Where key clients have already requested 27001 compliance/certification, communicating a plan and progress towards it is critical to satisfying their requirements.

Assess Gaps (1-3 Months)

Optimally scoping the ISMS and understanding the gap between the desired and current state are integral to appropriately allocating the resources (personnel, third-party support, expenditures, and time) necessary to ensure the project achieves its objectives on time and on budget.

Define ISMS Scope
Logically/physically limit the scope of the ISMS to the maximum extent possible consistent with initiative objectives. This optimizes the likelihood of project success (prevents "boil the ocean" exercises).

27005 Risk Assessment
Identifies the major risks (and impacts) the ISMS is intended to mitigate.
* Leverages SDFD * Basis of 27001

Risk Treatment Plan
Establish acceptance criteria and define treatments (avoid/control/transfer/accept) for all key risks.

Conduct Gap Assessment
Via documentation review, ICQs (internal control questionnaires) and/or surveys, determine where risk treatment gaps exist in:
* Existence * Appropriateness * Completeness of Documentation & ISMS Support

OR

Shared Assessment
Same functionality as the Gap Assessment, except that it produces a Shared Assessment worksheet that may be accepted as interim attestation by clients.

Develop & Execute the Roadmap (3-18 Months)

Prioritize and execute the work effort necessary to address the issues identified.

Prioritized Roadmap (Remediation Plan)
Develop a work plan based on a number of factors:
* Risk * Ease of Mitigation to an Acceptable Level * Client Concerns
* Reusability/Commonality * Resource and Skill Set Availability * Other Initiatives

Execute the Plan
* Correct Design Deficiencies * Close Compliance Gaps
* Update/Create Necessary Documentation * Implement New Controls

Operate the Environment (1-12 Months)

Assess the efficacy of the environment, monitor the ISMS, tune controls accordingly, and accumulate audit evidence for attestation and certification.

Monitor the Environment
Integral to 27001 is ongoing monitoring of the ISMS. Tune control design/output to facilitate monitoring.

Respond to Incidents
Integral to 27001 is demonstrable incident response. Tune incident response processes to facilitate ISMS improvements.

Implement Continuous Improvement Principles
Integral to 27001 is demonstrable continuous improvement. Based on monitoring and incident response, evolve the control environment in a demonstrable manner.

Certify (and Beyond)

While there are many significant advantages to implementing 27001, most notably demonstrably reducing risk and simplifying information security, for most entities certification is the most important.

Pre-Certification Audit
"Friendly" pre-audit structured in accordance with the certification audit (tabletop review, then compliance review).

Certification Audit
27001 certification audit conducted by the Certification Body, resulting in issuance of the ISO 27001 certificate.

Surveillance Audit (Year 2)
Mini-audit conducted by the Certification Body to validate ISMS efficacy. ISMS scope extension possible.

Triennial Audit (Every 3rd Year)
Re-certification audit conducted by the Certification Body.

When ISO 27001 Matters

For consulting on ISO 27001, visit us at www.pivotpointsecurity.com or call 1.888.PIVOTPOINT (888.748.6876)