WIXLIB

A publication of the ISACA Germany Chapter e.V.Information Security Expert GroupImplementation GuidelineISO/IEC 27001:2013A practical guideline for implementing an ISMSin accordance with the international standard ISO/IEC 27001:2013

Publisher:ISACA Germany Chapter e.V.Oberwallstr. 2410117 Berlin, Germanywww.isaca.deinfo@isaca.deTeam of Authors: Gerhard Funk (CISA, CISM), independent consultant Julia Hermann (CISSP, CISM), Giesecke & Devrient GmbH Angelika Holl (CISA, CISM), Unicredit Bank AG Nikolay Jeliazkov (CISA, CISM), Union Investment Oliver Knörle (CISA, CISM) Boban Krsic (CISA, CISM, CISSP, CRISC), DENIC eG Nico Müller, BridgingIT GmbH Jan Oetting (CISA, CISSP), Consileon Business ConsultancyGmbH Jan Rozek Andrea Rupprich (CISA, CISM), usd AG Dr. Tim Sattler (CISA, CISM, CRISC, CGEIT, CISSP), Jungheinrich AG Michael Schmid (CISM), Hubert Burda Media Holger Schrader (CISM, CRISC)The content of this guideline was developed by members of theISACA Germany Chapter e.V. and was thoroughly researched.Due care has been exercised in the creation of this publication;however, this publication is not comprehensive. It reflects theviews of the ISACA Germany Chapter. ISACA Germany Chapter e.V.accepts no liability for the content.The latest version of the guideline can be obtained free of charge at www.isaca.de. All rights, including the right toreproduce e xcerpts of the content, are held by the ISACAGermany Chapter e.V.This guideline was translated from the German original version»Implementierungsleitfaden ISO/IEC 27001:2013« published inJune 2016.Last updated: April 2017 (final upon review by the InformationSecurity Expert Group of the ISACA Germany Chapter)

Implementation GuidelineISO/IEC 27001:2013A practical guideline for implementing an ISMSin accordance with the international standardISO/IEC 27001:2013

3ForewordAn information security management system (ISMS) is acomprehensive set of policies and processes that an organization creates and maintains to manage risk to informationassets. The ISMS helps to detect security control gaps andat best prevents security incidents or at least minimizes theirimpact. The implementation of an ISMS in accordance withthe international standard ISO/IEC 27001 is, however, a verycomplex subject which includes many activities and resourcesand can take many months. Neverthless, for many organizations, an introduction is not only obligatory on the basis ofcontractual or legal requirements, but also a critical successfactor in times of digital transformation and ever-increasingcybercrime.The security of information and related technology is theconcern of ISACA members worldwide. The goal of ourmembers is to work to reduce the number of security incidents and to enable organizations to be better prepared forattacks and to react more effectively. To be successful inachieving this goal, the sharing of knowledge and experienceis of primary importance. Therefore, on behalf of the Boardof the ISACA Germany Chapter, we are pleased to presentthis work of our Information Security Expert Group to aninternational audience.In 2014, the Information Security Expert Group decided toframe and develop a guideline for implementing an ISMS inaccordance with ISO/IEC 27001:2013. This was first writtenand published in German. We believe that this guide, whichhas attracted a good response in German-speaking countries,will also be of great interest to an international audience.This is why we are especially grateful to the expert group forhaving supported a translation of their work with a lot of effort in adjustment, review, verification and quality assurance.We would be glad if this outstanding work of the expertgroup facilitates the work of information security professionals worldwide and if it promotes knowledge sharing andexchange of experiences among them.Matthias GoekenTim SattlerImplementation Guideline ISO/IEC 27001:2013

5Why do we need this guideline?Information security is vital. However, as an aspect of corporate management, its aim must be to provide optimum support for business objectives. A well-structured informationsecurity management system (ISMS) designed in accordancewith international standards provides an ideal foundation forefficient, effective implementation of a comprehensive security strategy, particularly in an era where cyber threats andcyber security are prevalent issues.AcknowledgmentWhether the focus is placed on threats originating from theInternet, protecting intellectual property, complying with regulations and contractual requirements, or securing production systems depends on the situation at hand (e.g., industry,business model, attitude toward risk / risk appetite, etc.) andthe respective organization’s specific security objectives. Regardless of what the chosen approach is called, it is alwaysimportant to identify and be aware of the information security threats that exist in the respective context and to select,implement, and consistently maintain the appropriate strategies, processes, and security measures.Project management: Oliver KnörleISACA Germany Chapter e.V. would like to thank the ISACA Information Security Expert Group and the authors who created this guideline: Gerhard Funk, Julia Hermann, A ngelikaHoll, Nikolay Jeliazkov, Oliver Knörle, Boban Krsic, NicoMüller, Jan Ötting, Jan Rozek, Andrea Rupprich, Dr. TimSattler, Michael Schmid, and Holger Schrader.Reviewers of the English version: Gerhard Funk, Julia Hermann, Oliver Knörle, Boban Krsic, Nico Müller, Dr. TimSattler. Special thanks to Elena Steinke who reviewed thedocument from both a professional and a native speaker perspective.The concrete implementation of an ISMS requires experience; however, first and foremost, implementation must bebased on the decisions and obligations of the highest level ofmanagement in regards to this issue. The basic requirementsfor using an ISMS to support the business objectives includea clear mandate from management, a security strategy adapted to the business strategy, qualified personnel, and thenecessary resources.This Implementation Guideline ISO/IEC 27001:2013 (in thisdocument referred to as Implementation Guideline) includespractical recommendations and tips for organizations thatalready operate an ISMS in accordance with the international standard ISO/IEC 27001:2013, ‘Information technology— Security techniques — Information security managementsystems — Requirements’ or that want to set up this typeof system, regardless of the certifications they hold or areattempting to acquire. The guide provides practical supportand strategies for anyone responsible for setting up and/oroperating an ISMS. It clearly outlines the benefits of an individually customized ISMS that also conforms to standards(if necessary). It also places particular emphasis on practical recommendations for establishing ISMS processes and/orimproving existing ones, and it includes typical examples ofhow to implement various requirements.DisclaimerThe information provided in this document was compiled byexperts in the fields of information security, auditors, and information security managers, to the best of their knowledgeand experience. There is no guarantee that this informationis comprehensive or free from errors.Implementation Guideline ISO/IEC 27001:2013

7Contents1.Introduction2.Guideline Structure2.12.22.311Subject Areas. 11Chapter Structure. 12Conventions. 123. Components of an ISMS in accordance withISO/IEC .133.14913Context of the Organization.13Leadership and Commitment. 14IS Objectives.15IS Policy. 16Roles, Responsibilities and Competencies. 17Risk Management. 19Performance Monitoring & KPIs. 24Documentation. 25Communication. 27Competence and Awareness. 29Supplier Relationships. 31Internal Audit . 33Incident Management. 37Continuous Improvement. 394.Glossary415.References436.Index of Figures447.Appendix 1:Mapping ISO/IEC 27001:2013 vs.ISO/IEC 27001:200545Appendix 2:Version Comparison, ISO/IEC 27001:2013 vs.ISO/IEC 27001:2005578.Implementation Guideline ISO/IEC 27001:2013

8 Contents9.Appendix 3:Internal ISMS Audits – Mapping of ISO/IEC 19011:2011and ISO/IEC 27007:201110. Appendix 4:Performing Internal ISMS Audits(Process Diagram)Implementation Guideline ISO/IEC 27001:20135960