ISO 27001:2013 implementation expects a lot of top management involvement. The standard itself emphasises "Leadership" when implementing an information security management system (ISMS). Clause 5 of ISO 27001:2013 requires that top management demonstrate leadership and commitment to the ISMS, mandate an information security policy, and assign information security roles, responsibilities and authorities within the organization.
The following steps are generally followed when implementing an ISMS based on ISO 27001:2013:
- Defining the scope, including physical boundaries
- Appointment of an Information Security Officer/CISO, with roles and responsibilities
- Implementation plan
- Awareness training
- Risk assessment training
- Risk analysis and gap analysis
- Statement of Applicability (SoA)
- Process implementation: policies, procedures, etc.
- Internal audits
- Closure of non-conformities (NCs), if any
- Management review meeting
- Repeat awareness training and audits, if required
- Select a certification body and call for the audit
- Achieve certification
- Celebrate :)
- Get busy with continual improvement and surveillance audits.