Step-by-Step ISO 27001 Implementation Guide

Getting Started with Data Upload and Analysis

Follow these detailed steps to upload and analyze your organization's data effectively:

1.    Access the Data Upload Interface:

·        Open the menu on the left side of your interface.

·        Scroll down to the "Assessments and Reports" section.

·        Select "Organization" and then "Files" to be directed to the correct page for data upload.

2.    Upload Your Documents:

·        Click on the “Upload File” button.

·        Upload crucial files such as your organization’s annual report, business plan, financial statements, product descriptions, and other relevant documents.

3.    Alternative Document Upload:

·        If certain documents like vision and mission statements or detailed business plans are not readily available in file form, navigate to your organization's website.

·        Convert the relevant web pages to PDF by opening each page, pressing Ctrl+P, and saving the output as a PDF.

·        Upload these PDFs using the same “Upload File” button.

4.    Begin Data Analysis:

·        Once your documents are uploaded, the AI analyzer will automatically process the information.

·        This system is designed to extract key data from your files and enter it into the app, which helps in streamlining future processes and enhances data-driven decision-making.
Updating and Enhancing Organizational Details

Here’s how you can use uploaded data to update and refine your organization's profile efficiently:

1.    Review Uploaded Data:

·        After uploading your documents on the "Files" page, scroll up to leave this page.

·        Click on the "Profile" page in the “Organization” section to view the information.

2.    Automatic Data Population:

·        Observe that the data from the uploaded files has automatically populated most of the fields under “Organizational Details.”

3.    Edit Organizational Details:

·        If you spot any inaccuracies or if updates are necessary, click on "Edit" located at the top right corner of the page.

4.    Refine Details with AI Assistance:

·        As you edit, look for fields marked with little yellow stars.

·        Clicking on these stars will prompt the AI to provide suggestions, helping you refine your organizational information effectively.

5.    Save Changes:

·        Once you have made all necessary modifications, click “Back.”

·        Your changes will be automatically saved, ensuring that your organizational profile is updated and accurate.

Analyzing Context

1.    Access Governance Section:

·       Navigate to the menu and scroll to locate the "Governance" section.

2.    Open Context Settings:

·       Within the Governance section, click on "Context."

3.    Use Organization Context Analyzer:

·       After uploading your files in the “Organization” section under “Files,” proceed to click on "Organization Context Analyzer." This tool will automatically analyze the files and populate the organization context for you.

4.    Edit Organization Context:

·       If adjustments are needed, click "Edit" to modify the information manually or utilize the AI-assisted features.

5.    Utilize AI for Enhanced Editing:

·        On the editing page, look for yellow stars next to some fields. These stars indicate that AI suggestions are available to assist you in refining the content.

6.    Save Your Modifications:

·        After making all necessary changes, click on the save icon to ensure that your updates are preserved.

7.    Return to Previous Section:

·        Once you have completed updating the organization context, click “Back to Context Page” to navigate back to the previous section.

Adding Company Departments

To expand and organize your organization's structure by adding new departments, follow these steps:

1.    Navigate to the Identify Section:

·        Go to the menu on the left side of your screen and locate the "Identify" section.

2.    Access Department Settings:

·        Click on "Departments" within the Identify section to manage departmental information.

3.    Add New Departments:

·        To begin adding departments, click on "Add New Departments."

4.    Enter Department Details:

·        Fill in the required details for each new department you want to add. Ensure all information is accurate to facilitate effective organization management.

5.    Save Your Entries:

·        After entering the details, click on "Save" to secure the information and officially add the departments to your organization.

Adding and Managing Company Members

Follow these steps to efficiently manage and expand your organization's membership through the Department section:

1.    Access Governance:

·        Select “Governance” from the main menu.

·        Click on “Departments”.

2.    Edit Department:

·        Find the department to add members to and click the “pen icon” next to it.

3.    Add Member:

·        In the department's page, click on “Add Member”.

·        Select “Add New Member”.

4.    Enter Member Details:

·        Fill in the form with the member’s information.

·        Click “Save” to finalize the addition.

5.    Verify Addition:

·        Ensure the new member appears in the department’s member list.

Uploading Your Network Diagram Files

Network diagrams are essential tools for visualizing the layout of your network infrastructure. They help in understanding virtual operations and managing assets efficiently, which is critical for enhancing security. Here’s a step-by-step guide on how to upload your network diagram files, or create one if you don’t already have one.

1.    Access the Upload Feature:

·        Navigate to the department section within your system. Look for an “Upload File” button located in the top right corner.

2.    Upload Your File:

·        Click on the “Upload File” button and select your network diagram file from your computer. Make sure the file is in a format that your system supports.

3.    Create a Network Diagram:

·        If you don’t have a network diagram, create one in any diagramming or flow chart app (e.g. draw.io).

·        Then save the diagram as an image and upload it to the MapleGRC app.

Managing and Adding Assets

Adding and managing your organization's assets can be streamlined with the following steps:

1.    Begin by Accessing the Departments Section:

·        In the "Departments" section, start managing your assets. Locate the pen icon next to each listed asset to make edits.

2.    Utilize the Assets Discovery Assistant:

·        On the asset editing page, click on "Assets Discovery Assistant." This AI-powered feature facilitates the process of uploading and registering all your assets simultaneously.

3.    Bulk Upload Assets:

·        Select "Bulk Upload" to add multiple assets at once. You can upload an Excel sheet containing detailed information about your assets. The system will analyze the file and automatically incorporate the assets into your system.

4.    Manual Upload for Hardware Assets:

·        If you don't have an Excel sheet ready, click "+ Add Hardware Asset" to manually enter details for each hardware item.

5.    Add Software Assets:

·        Use the dropdown menu to select and add your software assets.

6.    Repeat the Process for Other Asset Types:

·        Follow the same steps to add "hardware assets" and "virtual assets," ensuring all categories of assets are updated and managed correctly.

Standards and Regulation

To incorporate specific standards and regulations into your organizational processes, follow these detailed steps:

1.    Access the Organization Section:

·        In your application menu, scroll to the bottom and click on "Organization."

2.    Navigate to Standards and Regulations:

·        Within the Organization section, select "Standards and Regulations."

3.    Initiate Addition of New Standards:

·        Click on "Add Standard and Regulations" to start incorporating new standards into your organization.

4.    Select the Standard:

·        From the drop-down menu that appears, select the “ISO 27001” standard. Add this standard to begin aligning your processes with it.

5.    Assign Owners for Each Standard:

·        Select an “owner” who will be responsible for overseeing the implementation and compliance of the ISO 27001 standard within your organization.

6.    Save and Apply Settings:

·        After selecting the “ISO 27001” standard and assigning the owner, click on "Save" to confirm your choices and apply these settings.

Implementing and Managing Policies

To effectively set up and manage your organization's policies, follow these steps for each of the eight policies under the "Governance" section:

  1. Navigate to the Governance Section:
    • Scroll down to the "Governance" section and click on "Policy."
  2. Select the First Policy:
    • Begin with the "Risk Management Policy" and use this procedure for each subsequent policy.
  3. Auto-Fill Policy Details:
    • Click on the "Analyze Policy Suggestions" button to automatically populate the policy details.
  4. Edit the Policy:
    • If modifications are necessary, click on the “Pen Icon” to edit the policy manually.

  5. Utilize AI Suggestions:
    • Look for the "Yellow Stars Icon" for AI suggestions, which provide a helpful starting point for customizing the policy content to fit your specific needs.
  6. Save Each Section:
    • After editing, click on the "Save Icon" for each section to record your inputs. Ensure that no fields are left empty, as these will not be included in the final version of the policy.
  7. Generate the Policy Document:
    • Once all sections are edited and saved, click on the "Generate Policy Document" button to finalize the creation of the policy.
  8. Repeat for Remaining Policies:
    • Follow these steps for each of the eight policies to cover all governance areas.

Once all policies are created:

  1. Access Policy Manager:
    • Scroll down to the “Policy Manager” section.
  2. Preview and Review Policies:
    • For each policy, click on the “Download Button” to preview it. Then use “Assign the Reviewer” to choose a company member to review the policy.
  3. Activate and Circulate Policies:
    • Click on “Activate and Circulate” to distribute the policy for all company members to read and sign.
  4. Procedure Statement:
    • After you “Activate & Circulate”, the “Policy Manager” page will change and will show an “Active Policy” section.
    • In the “Active Policy” section, click on “Procedures”.
    • For each section, fill in the “Procedure Statement” and, once it is filled out, don’t forget to click on the “Save Icon” in the top left corner of the box.
    • Repeat this for each section, then return to the previous page.
  5. View Organizational Policy Report:
    • Click on “View Organization Policy Report” to see an overview of policy statuses and compliance.

Initiate Policy Training

  1. Start Policy Training:

·        Click on “Go to Policy Training” to initiate and circulate the training for each policy across the company.

·        This takes you to the policy training page, where you can start the training.

Implementing Procedures for Asset Protection

To effectively manage and secure both critical and non-critical assets within your organization, follow these detailed steps:

Initial Setup

1.    Navigate to the Protect Section:

·        Go to your menu and head to the "Protect" section, then select "Guidelines".

2.    Generate Procedures:

·        Click on "Generate Procedures" to create procedures for the assets you've added under "Departments".

3.    Select Appropriate Regulation:

·        In the "Select Regulation" part, choose "ISO 27001:2022" as the standard you are implementing.

4.    Focus on Critical Assets First:

·        Start with "Critical Assets" for better prioritization and management: click on "Critical Assets".

Procedure Implementation for Each Asset

5.    Review and Process Critical Assets:

·        Upon selecting "Critical Assets", the relevant assets will appear under "Overall Procedures". Go through each asset individually.

6.    Work Instructions:

·        Start by clicking on the work instructions for each asset. These are detailed steps aligned with the ISO 27001 Control.

7.    Assign Work Instructions:

·        Each work instruction, accessible via a link, redirects to a document with steps to comply with the ISO 27001 control. Assign each instruction to a suitable team member.

8.    Complete and Document Steps:

·        After completing the steps in the document, take a screenshot as evidence.

9.    Upload Evidence:

·        Click on "Evidence", then on "Add New Package". Follow the instructions to upload the necessary evidence files and then click on "Save".

10.  Update Status to Done:

·        Once evidence is uploaded and saved, change the status of the work instruction to "Done".

11.  Repeat for Each Work Instruction and Asset:

·        Continue this process for each work instruction and for each critical asset.

Process for Non-Critical Assets

12.  Proceed with Non-Critical Assets:

·        After completing critical assets, click on "Non-Critical Assets" and repeat the same procedure.

Employee Training Process

1.    Start the Training Plan:
After adding a member, you can initiate your employees' training plan. Navigate to the “Protect” section, click on “Training,” and then select “General Training.” Each employee will be assigned all 12 topics of the general training.

2.    Track Progress:
To monitor each employee's training progress, go to the “Training Report” section. It's crucial that all employees complete their training to comply with audit requirements.

3.    Create Annual Training Plans:
You can also develop a comprehensive training plan for the year, divided into quarters, to both refresh general training topics and introduce new ones. To do this, scroll to “Training Plans” and click on “Detailed Plan.”

4.    Edit Quarterly Plans:

·        Select a quarter and click on the pen icon to edit the plan.

·        Fill out the necessary details in the form that appears.

·        Click “Save” to store the changes.

5.    Publish and Document Training:
Once your training plan is finalized and published, it will be accessible as configured. To document completed training, click on “Evidence” and upload the required proof of completion.

Vendor Assessment Process Guide

To effectively manage and assess your vendors' compliance and certifications, follow these detailed instructions within your system's "Identify" section. This process helps ensure that all vendors meet your required security and quality standards.

Accessing Vendor Assessment

1.    Navigate to Vendor Assessment:

·        Open the main menu and locate the "Identify" section.

·        Click on "Vendor Assessment" to begin evaluating your vendors.

Adding a Vendor

2.    Add a Vendor:

·        In the Vendor Assessment section, click on “Add Vendor” to start the process of entering a new vendor into your system.

3.    Fill in Vendor Details:

·        Once you click on “Add Vendor,” a form will appear. Fill in all the necessary details about the vendor.

4.    Save Vendor Information:

·        After filling in the details, click on “Save” to add the vendor to your system.

Uploading Vendor Certifications

5.    Upload Vendor Certifications:

·        For each vendor, you will need to upload relevant certifications such as ISO, SOC2, Cybersecure Canada, etc.

·        Click on “Upload File” next to the respective vendor’s name.

6.    Select Certificate Type and Upload:

·        In the “Tag” dropdown menu, select the type of certification you are uploading.

·        Click on “Upload File” to choose the certificate file from your local system.

·        After selecting the file, ensure you click on “Save” to securely store the certificate in the vendor’s profile.

Requesting Certifications from Vendors

7.    Template for Requesting Certificates:

·        If you do not currently have the necessary certifications from a vendor, click on “Template for Requesting Certificates.”

·        This option provides you with a pre-formatted template that you can use to email vendors requesting their certifications. It also includes an attachment that should be included in the email to make your request clear and professional.

8.    Send Requests and Manage Responses:

·        Use the provided template to send out requests to all vendors from whom you need certifications.

·        Keep track of received certifications by updating the vendor profiles with the new documents.

9.    Review and Compliance Check:

·        Regularly review the uploaded certifications for validity and compliance.

·        Ensure all vendor information and certifications are up to date and follow up with vendors as necessary.

Roles, Responsibilities and Authorities

Here are the steps to add and manage cybersecurity roles within your organization using the "Governance" section:

1.    Access Governance Section:

·        Navigate to the “Governance” section from the main menu.

2.    Open Roles and Responsibilities:

·        Click on “Roles and Responsibilities” to view and manage roles specific to your organizational structure.

3.    Enable Editing:

·        Click on “Edit” to make changes to the roles and responsibilities page.

4.    Add Cybersecurity Leader:

·        Click on “Add Role” to create a new role.

·        Specify the role as the person in charge of Cybersecurity. Input necessary details such as role name, responsibilities, and qualifications.

5.    Add Cybersecurity Team Members:

·        Click on “Add Cyber Security Team Member” to add individuals to the cybersecurity team.

·        Fill out the required information for each team member, including name, contact details, and specific responsibilities within the team.

6.    Complete the Form:

·        Continue to fill out the rest of the page with relevant details for other roles or responsibilities as needed.

7.    Save Changes:

·        Click on the “save icon” to ensure all your new information is saved and updated in the system.

Managing Risk Scenarios and Developing Incident Plans

Follow these streamlined steps to manage risk scenarios and create incident plans in your system:

1.    Navigate to Risk Management:

·        Go to the “Identify” section.

·        Click on “Risk Management” and then select “Risk Scenario”.

2.    Select a Scenario:

·        Choose one of the listed risk scenarios to manage.

3.    Initiate Mitigation:

·        Click on “Mitigate”.

·        Review the linked assets and the controls in place to assess their implementation status, to ensure comprehensive risk management across your organization.

4.    Link to Incident Plan:

·        Scroll to the bottom of the page.

·        Click on the link provided (marked as “here”) to redirect to the Incident Plan page.

5.    Create or Update Incident Plan:

·        In the “Response and Recover” section, under “Incident Management”, navigate to “Incident Plans”.

·        There you will find an incident plan created for your organization for the selected risk scenario.

6.    Repeat for All Scenarios:

·        Repeat steps 2 through 5 for each risk scenario.

Managing and Exporting Risk Assessment

To effectively manage and document risk assessments within your system, follow these steps:

1.    Navigate to Risk Management:

·        Go to the “Identify” section of your platform.

·        Click on “Risk Management” and then select “Risk Assessment”.

2.    Review Risk Assessment Table:

·        On the risk assessment page, locate the table that includes a list of risk IDs.

·        Each risk ID is associated with Risk Scenarios that were mitigated earlier.

3.    Edit Risk Details:

·        Scroll to the right within the table until you find the “Pen Icon” next to each risk ID.

·        Click on this icon to edit the respective risk.

4.    Update Risk Information:

·        In the form that appears, fill out or update the details related to the risk.

·        Ensure all necessary fields are completed to accurately reflect the risk and its mitigation measures.

5.    Save Changes:

·        Click on “Save” after editing each risk to ensure that your updates are recorded.

6.    Repeat for All Risk IDs:

·        Continue this process for each risk ID in the table to ensure all risks are up-to-date.

7.    Export Risk Assessment Report:

·        Once all risk IDs have been edited and saved, click on “Export Risk Assessment”.

·        This action will generate a report of the risk assessment, which can be used for auditing purposes or further review.

Filling out the Statement of Applicability

Creating a Statement of Applicability (SOA) for ISO 27001 involves several detailed steps to ensure that your Information Security Management System (ISMS) is aligned with organizational needs and compliance requirements. Here is a step-by-step guide to help you fill out the SOA:

Step 1: Access SOA Template

  • Navigate to the Governance section of your platform.
  • Click on Statement of Applicability.

Step 2: Introduction

  • Purpose: Enter a brief explanation of the SOA’s role in your ISMS.
  • Example: "This Statement of Applicability (SOA) outlines the specific controls and requirements from ISO 27001 that are relevant and applicable to [Your Organization's Name] ISMS. It serves as a roadmap for implementing and maintaining an effective information security framework."
  • Click on the Save Icon to save your entries.

Step 3: Scope of the ISMS

  • Purpose: Define the scope of your ISMS, detailing the information assets, systems, and processes included.
  • Example: Include lists of departments, types of information assets, and systems covered.
  • Exclusions: Mention any exclusions with justifications.
  • Click on the Save Icon to save your entries.

Step 4: Context of the Organization

  • Purpose: Describe your organization's context, including business activities, industry, and size.
  • Example: Detail your business environment and factors influencing information security risks.
  • Click on the Save Icon to save your entries.

Step 5: ISMS Boundaries and Applicability

  • Purpose: Define the boundaries of your ISMS and the applicability of ISO 27001 controls.
  • Example: Specify the information assets and systems under the ISMS and the controls applied.
  • Click on the Save Icon to save your entries.

Step 6: Information Security Risk Assessment and Treatment

  • Purpose: Summarize the risk assessment outcomes and treatment strategies.
  • Example: List significant risks and describe the mitigation strategies implemented.
  • Click on the Save Icon to save your entries.

Step 7: Documentation and Control

  • Purpose: Describe the documentation and control mechanisms used in managing your ISMS.
  • Example: List key policies, procedures, and control management processes.
  • Click on the Save Icon to save your entries.

Step 8: Interfaces with External Parties

  • Purpose: Detail interactions with external parties and related information security controls.
  • Example: Describe controls for managing risks from suppliers, customers, and other third parties.
  • Click on the Save Icon to save your entries.

Step 9: Conclusion

  • Purpose: Summarize the key points of your SOA and reaffirm your commitment to information security.
  • Example: Reiterate the customization of ISO 27001 standards to fit your organization's needs.
  • Click on the Save Icon to save your entries.

Step 10: Review and Adjust Annex A Controls

  • Scroll to the table containing all ISO 27001 Annex A Control IDs.
  • For each control, set the Status as "Applicable" or "Not Applicable" using the dropdown menu.
  • Any status marked as "Not Applicable" must include a valid reason in the Notes section.
  • Ensure to click the Save Icon after each modification.

Step 11: Link Scenarios, Threats, and Assets

  • Click on Scenarios to view and link risk scenarios to each control.
  • Click on Threats to see associated threats and make necessary adjustments.
  • Click on Assets to review and update the list of related assets for each control.

Step 12: Final Review and Submission

  • Review all entries to ensure accuracy and completeness.
  • Confirm that all sections are saved and reflect the accurate status of your ISMS.

Setting up Your Cyber Risk Management Strategy

To effectively manage and analyze your organization's cyber risk, follow these detailed steps:

1.    Access the Governance Section and Navigate to Cyber Risk Strategy:

·        Scroll through the menu to locate and select the "Governance" section.

·        Within the Governance options, choose "Cyber Risk Strategy."

2.    Use the Cyber Risk Management Strategy Analyzer:

·        Click on "Cyber Risk Management Strategy Analyzer." If financial documents have been previously uploaded, the tool will automatically assess your cyber risk tolerance, appetite, and capacity.

3.    Manual Input if Necessary:

·        If no financial statements are available, click "Edit" to manually input the required information.

4.    Enter Data Manually or Use AI Suggestions:

·        On the editing page, you have the option to manually fill out the data or utilize AI-generated suggestions by clicking on the "Yellow Stars Icon."

5.    Save Your Work:

·        After entering the necessary data, click the "Save Icon" next to the AI suggestions to ensure that all your modifications are preserved. This step is crucial to prevent any loss of data.

6.    Return to Previous Page:

·        Once all entries are complete, click on the "Back" button. This action takes you back to the previous page, allowing you to confirm that all changes have been saved correctly and that no information is missing.

Completing the ISO 27001 Audit Compliance Report

When preparing for an external audit, the internal audit is a critical step in ensuring compliance with the ISO/IEC 27001 standard. Here's a detailed guide on how to navigate and utilize the "Assessment & Reports" section for the ISO 27001 Audit:

Step 1: Accessing Compliance Reports

1.    Navigate to Compliance Reports:

·        In your system, go to the “Assessment & Reports” section.

·        Click on “Compliance Reports.”

2.    Select ISO 27001 Audit:

·        Click on “ISO 27001 Audit” within the compliance reports section to start your internal audit process.

Step 2: Purchasing and Reviewing the ISO 27001 Standard

1.    Purchase the Standard:

·        In the top left box of the ISO 27001 Audit page, find and click on “ISO.org($200)”.

·        This link will redirect you to the ISO website where you can purchase and download the ISO/IEC 27001 standard.

Step 3: Audit Progress and Implementation

1.    Audit Progress Chart:

·        Observe the chart in the top right side box to check your progress in the audit.

2.    Control Implementation and Audit Guides:

·        The page will display a table listing all controls from the ISO/IEC 27001 standard.

·        Click on “Implementation Guide” next to each control for guidance on implementing that specific control.

·        Click on “Audit Guide” for insights on how to audit that control.

3.    Audit Evidence:

·        Click on “Audit Evidence” to see what evidence is required for each control according to the ISO/IEC 27001 standard.

Step 4: Linking and Uploading Evidence

1.    Evidence Guideline in MapleGRC:

·        The “Evidence Guideline in MapleGRC” entry for each control indicates which page of the app contains the required evidence.

·        Use “Link in MapleGrc” to navigate directly to the appropriate page for gathering evidence.

2.    Selecting Conformity:

·        Click on “Select Conformity” and choose the appropriate response from options like Compliant, Partially Compliant, or Non-Compliant.

3.    Uploading Evidence:

·        To create a PDF of the necessary pages, press Ctrl + P, save the PDF, and then upload it by clicking on “Evidence”.

·        Then click on “Add New Package”, fill out the details, and don’t forget to click on “Save”.

Step 5: Managing Table Navigation

1.    Navigating the Table:

·        If you need to access parts of the table that are not visible, scroll to the bottom of the page to use horizontal navigation.

·        Scroll back up after adjusting your view to continue updating the necessary details.

Finalizing the Audit

1.    Review and Save:

·        Ensure all entries are accurate and that all evidence is correctly linked and documented.

·        Save your progress frequently to avoid data loss.

2.    Final Review:

·        Perform a final review to ensure that all aspects of the audit are complete and compliant before the external audit.
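The rules spelled out in the Statement of Applicability steps (a "Not Applicable" control needs a justification in Notes; applicable controls are linked to scenarios and assets) and in the audit steps (a conformity rating and an evidence package per control) can be checked before the final review. The script below is an added example, not MapleGRC's own code: it applies those rules to a small constructed control table and computes the same kind of progress figure the audit chart shows. The control IDs are ISO 27001:2022 Annex A identifiers; every other value is made up, and the assumption that a "Non-Compliant" rating needs no evidence package is the example's own.

```python
"""Consistency checks for a Statement of Applicability (SOA) and the
matching ISO 27001 audit table. Added example: the rules come from the
guide above, the sample rows are constructed, and the ISO 27001:2022
Annex A control IDs are the only real identifiers used."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

APPLICABLE = "Applicable"
NOT_APPLICABLE = "Not Applicable"
CONFORMITY = {"Compliant", "Partially Compliant", "Non-Compliant"}


@dataclass
class ControlRow:
    control_id: str
    status: str                        # "Applicable" or "Not Applicable"
    notes: str = ""                    # justification for a Not Applicable control
    scenarios: List[str] = field(default_factory=list)   # linked risk scenarios
    assets: List[str] = field(default_factory=list)      # linked assets
    conformity: Optional[str] = None   # audit "Select Conformity" value, if chosen
    evidence: List[str] = field(default_factory=list)    # evidence package names


def check_row(row: ControlRow) -> List[str]:
    """Return the findings a reviewer would raise for one control row."""
    findings: List[str] = []
    if row.status not in (APPLICABLE, NOT_APPLICABLE):
        return [f"{row.control_id}: unknown status {row.status!r}"]
    if row.status == NOT_APPLICABLE:
        # Excluded controls need a reason, and should not carry an audit rating.
        if not row.notes.strip():
            findings.append(f"{row.control_id}: Not Applicable without a justification in Notes")
        if row.conformity is not None:
            findings.append(f"{row.control_id}: conformity set on an excluded control")
        return findings
    # Applicable controls: linkage, rating and evidence.
    if not row.scenarios:
        findings.append(f"{row.control_id}: no risk scenario linked")
    if not row.assets:
        findings.append(f"{row.control_id}: no asset linked")
    if row.conformity is None:
        findings.append(f"{row.control_id}: conformity not selected")
    elif row.conformity not in CONFORMITY:
        findings.append(f"{row.control_id}: unknown conformity {row.conformity!r}")
    elif row.conformity != "Non-Compliant" and not row.evidence:
        # Assumption of this example: a claimed (partial) compliance needs evidence.
        findings.append(f"{row.control_id}: rated {row.conformity} but no evidence package")
    return findings


def review(rows: List[ControlRow]) -> List[str]:
    """All findings across the table, in table order."""
    return [finding for row in rows for finding in check_row(row)]


def audit_progress(rows: List[ControlRow]) -> Dict[str, float]:
    """Share of Applicable controls that carry a conformity rating, plus a
    breakdown by rating (an analogue of the audit progress chart)."""
    applicable = [r for r in rows if r.status == APPLICABLE]
    rated = [r for r in applicable if r.conformity in CONFORMITY]
    percent = round(100.0 * len(rated) / len(applicable), 1) if applicable else 0.0
    summary: Dict[str, float] = {"applicable": len(applicable),
                                 "rated": len(rated),
                                 "percent_complete": percent}
    for name in sorted(CONFORMITY):
        summary[name] = sum(1 for r in rated if r.conformity == name)
    return summary


# Constructed sample table (not real organisational data).
SAMPLE = [
    ControlRow("A.5.1", APPLICABLE, scenarios=["RS-01"], assets=["Policy repository"],
               conformity="Compliant", evidence=["policy-set.pdf"]),
    ControlRow("A.7.4", NOT_APPLICABLE, notes="No physical premises; fully remote organisation"),
    ControlRow("A.8.7", APPLICABLE, scenarios=["RS-07"], assets=["Laptops"],
               conformity="Partially Compliant"),                  # rated, no evidence
    ControlRow("A.8.24", APPLICABLE, scenarios=[], assets=["Customer DB"]),  # unlinked, unrated
    ControlRow("A.5.7", NOT_APPLICABLE, conformity="Compliant"),   # no reason, wrongly rated
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print("-", finding)
    print(audit_progress(SAMPLE))
```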
