ISO / IEC 27001:2022
Lead Implementer
Training Course
TUV SUD South Asia Pvt. Ltd. | ISO/IEC 27001:2013 ISMS Lead Implementer - Ed 2022 Rev 1 12 December 2022
Implementation Phases
Implementing ISMS

Supporting clauses: Context of the Organization (Cl. 4), Leadership (Cl. 5), Support (Cl. 7).

Planning (Cl. 4, 5, 6)
1) Identify business objectives.
2) Obtain management support.
3) Define and establish ISMS scope.
4) Define a method of risk assessment and risk treatment.
5) Prepare an inventory of information assets and rank assets.
6) Establish communication channels.

Operation (Cl. 8)
7) Conduct risk assessment.
8) Manage the risks, and create a risk treatment plan.
9) Set up policies and procedures to control risks.
10) Allocate resources and train the staff.

Performance Evaluation (Cl. 9)
11) Monitor the implementation of the ISMS in terms of its effectiveness.
12) Conduct internal audits and management reviews.
13) Prepare for the certification audit.

Improvement (Cl. 10)
14) Continually improve by taking the necessary
▪ Correction
▪ Corrective action
▪ Preventive action (if applicable)
Context of the organization

4.1 Understanding the organization and its context
▪ Determine the external and internal issues relevant to its purpose and to the ISMS (business risks and opportunities).
▪ May refer to ISO 31000.

4.2 Understanding the needs and expectations of interested parties
▪ Interested parties relevant to the ISMS (e.g. customers, shareholders, regulatory agencies).
▪ Requirements relevant to the ISMS.
▪ Regulatory requirements.

4.3 Determine the scope of the ISMS
▪ Internal and external issues.
▪ Requirements of interested parties.
▪ Interfaces between organizations.

4.4 ISMS (the ISMS requirements identified in 4.1 to 4.3 feed into it)
Implementation Phases

1. Initiate the implementation project
2. Get management support
3. Define scope
4. Plan for implementation
5. Conduct risk assessment
6. Select controls and conduct risk treatment
7. Prepare necessary documentation
8. Establish communication channels
9. Conduct a compliance review (Monitoring and Measurement)
10. Take necessary corrective and preventive actions
11. Successful certification
Planning
▪ Initiation:
• Assess the costs for implementation in terms of internal resources, external resources, technology and finally
certification.
• Prepare a plan for implementation of ISMS.
▪ Management Support: Management should support the determination and establishment of an IS policy, which acts as a
framework for setting ISMS objectives. The setting of business objectives should be driven by stakeholders and aligned with the
company’s mission, strategic plans and IT goals. Management should also support the following:
• Information security objectives and plans.
• Roles and responsibilities for information security or a segregation of duties (SoD) matrix.
• Communicate across the organization about the importance of adhering to IS policy.
• Adequate resources to establish, implement, maintain and continually improve an ISMS.
• Determination of the acceptable level of risk.
• Management reviews of the ISMS at planned intervals.
• Identifying training needs and train personnel who are associated with ISMS.
• Appointment of competent people for the tasks they are assigned to fulfil.
Planning
▪ Scope of ISMS: One must identify the scope carefully. The scope can include the entire organization or parts of it. The
business units, departments, processes etc. should be identified before actual implementation of the ISMS. Identifying the
scope correctly can save the organization time and money. The following points should be taken into consideration
while establishing the scope:
• The scope should be manageable.
• Internal and external issues that could affect the ability to meet intended outcomes.
• Interested parties and their requirements.
• Areas, locations, assets and technologies to be included.
• Any dependencies on other organizations (e.g. outsourced processes).
• Regulatory and legal requirements.
Planning
▪ Risk Assessment Methodology: Risk assessment is one of the most important processes in establishing an ISMS. The
following should be considered:
• A method of risk assessment should be established. The organization can choose any risk assessment method of its
choice (e.g. asset based, process based, qualitative, quantitative etc.).
• Establish the basis for identifying risk owners in order to manage risks, the risk acceptance criteria and the prioritization of risks.
• Can refer to NIST Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems; can also
refer to ISO 31000.
▪ Information Security Objectives: Information security objectives should be in sync with the IS policy. The following
should be considered:
• SMART IS objectives should be established at relevant functions and levels.
• Establish a well-defined plan to achieve the objectives.
Operation
▪ Conducting Risk Assessment: The following should be considered:
• Assets to be identified and an asset inventory list relevant to the ISMS to be created.
• Asset owners and risk owners to be identified.
• Reference documents to be prepared (e.g. grouping of assets, information asset classification etc.).
• Ensure risks are identified based on loss of Confidentiality, Integrity and Availability (the CIA triad).
• Analyse risks and arrive at a risk value.
• Evaluate the analysed risks by comparing them with the risk acceptance criteria.
• Prioritize risks for risk treatment.
Note: Risk assessment can be qualitative, quantitative or a hybrid of both.
Operation
▪ Manage Risks: The organization can manage risks by mitigating, transferring, avoiding or accepting them. The
following needs to be considered:
• Perform a gap analysis against the controls listed in Annex A of the ISO/IEC 27001:2022 standard.
• Prepare a risk treatment plan to treat the risks. Approval is to be sought from the risk owners.
• Prepare the SoA (Statement of Applicability) with justifications for the inclusion and exclusion of controls.
• From the gap analysis, identify the appropriate controls to bring the levels of risk down to acceptable limits.
• Residual risks, if any, need to be approved by the risk owners.
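As an added worked example (not part of the course material) of this slide and the risk assessment slide before it: a constructed qualitative risk register in Python that scores each risk as likelihood × impact, compares it with an assumed acceptance threshold, orders the unacceptable risks for treatment, and flags residual risks that are still above the criteria without risk-owner approval. The asset names, owners, scores and the threshold are all made up for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed acceptance criterion on a 5x5 qualitative scale; the standard leaves the
# criteria to the organization, so this number is a constructed example value.
RISK_ACCEPTANCE_THRESHOLD = 8

@dataclass
class Risk:
    asset: str
    scenario: str                 # loss of C, I or A that could occur
    cia: str                      # property at risk: "C", "I" or "A"
    risk_owner: str
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    treatment: str = "none"       # mitigate / transfer / avoid / accept
    residual_likelihood: Optional[int] = None   # expected after treatment
    residual_impact: Optional[int] = None
    residual_approved: bool = False              # risk owner signed off residual risk

    def inherent_value(self) -> int:
        return self.likelihood * self.impact

    def residual_value(self) -> int:
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp

def evaluate(risks, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Risks above the acceptance criteria, highest value first: the treatment order."""
    above = [r for r in risks if r.inherent_value() > threshold]
    return sorted(above, key=lambda r: (-r.inherent_value(), -r.impact))

def residual_exceptions(risks, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Residual risks still above the criteria that lack the required risk-owner approval."""
    return [r for r in risks if r.residual_value() > threshold and not r.residual_approved]

# Constructed register: illustrative rows only, not real data.
REGISTER = [
    Risk("Customer DB", "Disclosure of customer PII", "C", "Head of IT", 4, 5, "mitigate", 2, 5),
    Risk("Payroll system", "Unauthorised change to salary data", "I", "CFO", 2, 4, "accept"),
    Risk("Public website", "Outage from hosting failure", "A", "Head of IT", 3, 3, "transfer", 3, 2),
    Risk("Office printer", "Loss of print queue", "A", "Facilities", 3, 1),
]

if __name__ == "__main__":
    for r in evaluate(REGISTER):
        print(f"{r.inherent_value():>2}  {r.asset:<15} {r.cia}  owner={r.risk_owner}  plan={r.treatment}")
    for r in residual_exceptions(REGISTER):
        print(f"residual {r.residual_value()} on {r.asset} needs approval by {r.risk_owner}")
```

A value equal to the threshold is treated as acceptable here; whether the boundary is inclusive is itself part of the acceptance criteria the organization has to write down.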
Operation
▪ Documentation preparation: Setting up procedures and policies assists in achieving the objectives. The extent of
documentation will depend upon the size of the organization, the complexity of its processes, its assets etc. The following should
be considered:
• Define the policies indicated in the SoA.
• Any additional policies the organization needs to develop, taking into consideration the various risks involved.
• Establish and document the policies and procedures required by the international standard.
• Retain the necessary mandatory records in accordance with the international standard ISO/IEC 27001:2022.
Operation
▪ Resource allocation and training: Top management should be committed to providing the necessary resources for
implementing the ISMS, and the organization should train its employees to make them competent in their area of work.
The following should be considered:
• Identify the necessary resources and assign them roles and responsibilities to implement the ISMS effectively.
• Create awareness of the ISMS across the organization.
• Training records to be maintained.
• Competency records (education, training, experience) to be maintained.
Performance Evaluation and Improvement
▪ Monitoring and Measurement: Evaluating the performance and effectiveness of the ISMS is of prime importance because it helps
the organization assess whether it is on the right track to meeting its objectives. Internal audits and management review
meetings are effective tools of monitoring. The following should be considered:
• Monitor the effectiveness of the controls implemented.
• Analyse security breaches and incidents to improve the ISMS.
• Conduct internal audits at planned intervals.
• Close gaps identified in internal audits by taking the necessary correction, corrective action and preventive action (if applicable).
• Conduct management review meetings at planned intervals to review the ISMS. The review identifies changes or improvements to
be made in the ISMS.
• Results of internal audits and management reviews need to be maintained as records.
Certification Audit
▪ Certification audit preparation: Before certification it is imperative to conduct at least one full-cycle internal audit
and management review meeting. The following should be considered:
• Retain evidence of the actions taken as a result of internal audits and management reviews.
• Ensure that all mandatory documented information (documents and records) required by the international
standard exists.
Note: The evidence and documents will demonstrate the efficiency and effectiveness of the implemented ISMS in the
organization and its business units.
Any Questions?