User
What are the steps for implementing ISO 27001 controls?
Experta
After you complete the Risk Treatment Plan (that defines which controls will be implemented, when, their budget, and who is responsible), the next steps to implement Annex A controls are as follows:
1. Assign the team for writing required documents, implementing technical solutions, etc.
2. Define which security awareness and training will be needed for which controls.
3. Define how the implementation results will be reported.
4. Define who is going to verify the controls were implemented properly.
Examples:
Control A.8.13 Information backup requires writing a Backup Policy document and implementing a new technical solution, so a company has decided to do the following:
- It assigned the Security Officer to write the Backup Policy and the Head of IT to implement the new technical solution.
- It recorded an awareness video about backup that will be delivered to all employees, and organized training for all employees involved in using the backup solution.
- It organized weekly meetings where all the results are reported to the Security Officer.
- It nominated the Security Officer to verify how the Backup Policy and the backup solution were implemented.