The first stage focuses on collating information relating to your commitment to proceed with the project and producing an information security policy that reflects the appropriate objectives for your organisation. This will define the scope of the ISMS and facilitate the mandated management approval of essential documents.
2. Project initiation
This stage develops the project’s goals and ensures that both the project and the ISMS succeed in delivering the objectives. With a project plan and key delivery dates in place, it’s easy to keep track of the achievement of milestones and ensure the project is delivered on time.
3. ISMS initiation
The third stage involves compiling a list of the requirements of each ISMS process and the tasks required to develop and implement them. These will relate directly to the principal stages in the project plan and inform the assignment of tasks required to execute the plan.
4. Management framework
This stage addresses the critical ISO 27001 requirements relating to organisational context, scope and leadership, and ensures that the ISMS framework is aligned with and supports the delivery of business objectives.
5. Baseline security criteria
Any organisation already has a number of security controls in place. Confirming early in the project that these existing controls meet the requirements of the relevant legislation, regulations and contracts establishes an effective baseline information security stance.
6. Risk management
This stage covers the development of a robust information security risk process and the identification of appropriate information security risk treatments and controls. The default approach is an asset-based risk assessment, unless specifically required otherwise, and it results in the essential Risk Treatment Plan (RTP) and Statement of Applicability (SoA).
The implementation phase addresses both management system processes and information security controls to make sure that the design of the ISMS and operation of its processes are carried out in an appropriate manner.
Your consultant will work with you to develop the necessary documentation based upon a consolidated workbook that forms the basis for the ISMS. Your consultant will also help arrange access to online information security staff awareness training, which will ensure you meet this specific requirement of the Standard.
8. Measure, monitor and review
This phase establishes the effectiveness of the ISMS based upon measurable parameters, including ISMS processes and security controls. Key areas include an internal ISMS audit and management review; your consultant will facilitate the first management review meeting.
9. Certification audit
We will plan, conduct, report and follow-up on the necessary internal audit prior to the certification audit.
One day’s support will be available during the stage two certification audit.