Monday, December 22, 2008

What is required to implement ISO 27001

Developing an Information Security Management System (ISMS) that satisfies the requirements of ISO 27001 involves three steps.
  • Creation of a management framework for information security - This sets the direction, aims, and objectives of information security and defines a policy that has management commitment.
  • Identification and assessment of security risks - Security requirements are identified by a methodical assessment of security risks. The results of this assessment will help guide and determine the appropriate management action and priorities for managing information security risks.
  • Selection and implementation of controls - Once security requirements have been identified, controls should be selected and implemented. The controls need to ensure that risks are reduced to an acceptable level and meet an organization’s specific security objectives. Controls can be in the form of policies, practices, procedures, organizational structures and software functions. They will vary from organization to organization. Expenditure on controls needs to be balanced against the business harm likely to result from security failures.
