
MODULE 2 - THE PLANNING PHASE

What is the purpose of the ISMS scope?


- The main purpose of setting the ISMS (information security management system) scope is to define which information you intend to protect. Therefore, it doesn't matter whether this information is stored within your company offices or somewhere in the cloud; it doesn't matter whether this information is accessed from your local network or through remote access. The point is that you will be responsible for protecting this information no matter where, how, and by whom it is accessed.
- So, for example, if you have laptops that your employees carry out of your office, this doesn't mean these laptops are outside of your scope: they should be included in your scope if through these laptops the employees can access your local network and all the sensitive information and services located there.
- Of course, the scope is also important if you go for the certification: the certification auditor will check whether all the elements of the ISMS work well within your scope; they won't check the departments or systems that are not included in your scope.

The requirements of ISO 27001 regarding the scope


Basically, ISO 27001 says you have to do the following when defining the scope:

- Take into account internal and external issues defined in clause 4.1 – this article explains the details: How to define context of the organization according to ISO 27001.
- Take into account all the requirements defined in clause 4.2 – this article explains how: How to identify interested parties according to ISO 27001 and ISO 22301.
- Consider interfaces and dependencies between what is happening within the ISMS scope and the outside world.
- Another thing you should include in your ISMS scope document is a short description of your location (you could use floor plans to describe the perimeter) and organizational units (e.g., org charts) – this is not strictly required by the standard, but certification auditors like to see them included.
- ISO 27001 requires you to write a document for the ISMS scope – you can merge this document with some other (e.g., Information security policy), keep it as a separate document, or have one document with references to others (e.g., interested parties and their requirements, context of the organization, etc.).

Now, the key question is how to deal with these interfaces and dependencies.

Interfaces and dependencies
- Let's start with dependencies – it is probably easiest to describe them graphically. You can draw the processes that are included in your ISMS scope, and then outside of this circle draw the processes that are provided from outside of your scope. By processes, I don't mean only security or IT processes – I mean the main business processes within your scope; if you already implemented ISO 9001, you probably have a similar process chart. Here's an example:

[Diagram: processes inside the ISMS scope, with the outside processes they depend on drawn around them]

- Once you know the dependencies, you have to identify the interfaces. They are important for a company to understand its ISMS boundaries, and to understand which inputs and outputs will be going through these interfaces in order to protect them better.

There are a couple of approaches to identify interfaces:

- You can try to identify all the end points you control – e.g., in your local network that could be the router (because after that point you usually have no control of the link – the telecom company does); for your offices the interface could be the entrance doors, etc.
- Perhaps a better approach would be to define high-level characteristics of interfaces through these three factors: (1) people, (2) processes, and (3) technology. So, in the example displayed in the above diagram, people in company A would be all the users of the software, while in the IT company providing software development and maintenance that would be the main software developer; processes would be support (resolving problems with software bugs) and development of new software functionalities; technology would be the help desk application, email, VPN, FTP, etc.

The biggest myths about the ISMS scope


When setting the scope, you should be careful with these issues:

- Smaller scope does not mean an easier job. When leaving some parts of your company out of the scope, you have to treat them as the "outside world": you have to limit their access to the information within the scope, which could create more problems than initially anticipated. Limiting the scope is usually feasible for larger companies, but not for smaller ones – see also this article: Problems with defining the scope in ISO 27001.
- Exclusion of controls has nothing to do with the ISMS scope. You cannot say something like "we will exclude controls x, y, and z from the scope because we don't want them"; you can exclude controls only if there are no risks or requirements that would require their implementation. In other words, if there are risks and/or requirements, you cannot exclude the related controls. See also this article: The basic logic of ISO 27001: How does information security work?

Benefits of defining the ISMS scope


- The definition of scope might sound complicated, but once you go through this process, you'll start to appreciate it – not only will you better understand the environment in which your company operates and realize which security requirements you need to fulfill, you will also be able to focus much better on your most sensitive information. This is exactly why you need to define (and document) your ISMS scope before you start writing any other security documents.

How to perform training & awareness for ISO 27001 and ISO 22301

- Most of the information security/business continuity practitioners I speak with have the same problem: the employees in their companies don't take them seriously – not only the top managers, but also their peers.
- This is due to the fact that the employees usually do not understand what information security or business continuity is all about – in other words, you may have perfect policies and procedures, but simply pushing those to your internal email list won't help. You need to explain to your colleagues why information security and business continuity are needed, and how to perform certain tasks – that's the main purpose of awareness and training.

The training cycles:


Both ISO 27001 and ISO 22301 require you to deal with training in a systematic
manner, i.e. to perform these steps:

- Define which knowledge and skills are required for particular personnel who have a role in your information security management system (ISMS) or business continuity management system (BCMS) – basically, you need to go through every ISMS or BCMS document and see what knowledge and skills are required of every responsible person mentioned in the document.
- Perform trainings to reach the desired level of knowledge and skills – see below for methods.
- Measure whether each individual has achieved the desired level of knowledge and skills – through testing, interviews, etc. – once you know where the gaps are, you can start again with step #1.
- And this is something that needs to be done continuously – either by the CISO / business continuity coordinator, or by the HR department.

Methods of training
Very often, the trainings are planned via the Training plan – for example, you can plan for
the following:

- Courses – see this article for more information: How to learn about ISO 27001 and BS 25999-2.
- Reading literature – there are many information security and business continuity books available, as well as magazines.
- Participating in expert forums on the Internet – in some of those you can get very concrete answers to your questions – for example, Expert Advice Community or ISO 27001 security.
- In-house trainings – delivered either by in-house experts, or by hiring consultants, certification bodies or similar.

Methods of awareness-raising
As opposed to trainings, which give an answer to the question “How?”, awareness must
give an answer to the question “Why?” – that is, explain to your employees why they
should accept information security or business continuity.

There are many methods you can use, for example:

- Include employees in documentation development – before you publish the documents, ask your employees to give their inputs (see also: Seven steps for implementing policies and procedures).
- Presentations – organize shorter meetings where you can explain what new policies and procedures are being published, ask your employees for opinions about them, and clarify any misunderstandings.
- Articles on your intranet or newsletter – simple stories (with as many examples as possible) that can help employees understand why information security / business continuity are important.
- Discussions through internal forums – you can initiate and participate in concrete questions (and myths) arising from information security / business continuity.
- E-learning – you can create short online trainings that explain the significance of these topics, as well as train your employees.
- Videos – they are a very powerful presentation method – you can distribute them via email, through the intranet, etc.
- Occasional messages (via email or via your intranet) – can be used not only to distribute videos, but also to send relevant news and tips for business continuity.
- Gatherings – use some regular meetings that are organized in your company – e.g., parties, anniversaries, etc. – to briefly present what you are doing and how it affects your colleagues.
- And, above all – day-to-day in-person communication – everywhere you go, whomever you speak to, you have to sell the idea of information security / business continuity.
- No matter which of these methods you use, the point is that you do them systematically – again, you should prepare some kind of a plan where you define which of these methods you will perform, and how often.

The implementation myth


- So, as I emphasized in this article: The documentation myth – Why the templates are not enough?, simply writing the policies and procedures won't be enough – you need to use awareness and trainings as a helping tool to enable the documentation to be implemented.
- However, the timing here is also crucial: many companies make the mistake of publishing all of their documents at once. For example, if you publish 30 policies and procedures at the same time, then unfortunately, not even the best awareness programs can help you – your employees will (very correctly) start to think of your information security / business continuity as overkill.
- Therefore, you have to publish your documentation gradually – the speed of publishing your new documents must not be the speed of developing them, but the speed at which your employees will be able to accept them via your training and awareness programs.
- See here a series of 25 free security awareness videos that can be easily understood by any employee in your company.

How to create a Communication Plan according to ISO 27001


- Communicating is a key activity for any human being. This is also the case for an organization: it helps by exchanging the right information with the right audience at the right moment. It is certainly important in security management, because you want people to react in the proper way.
- Also important is that effective communication, in content, format and timing, creates trust both from internal and external parties. It shows how prepared you are, and whether you are reactive or, better, proactive.
- ISO 27001 addresses the communication issue three times, and organizations wanting to implement the ISMS have to look closely at these requirements.

What exactly is a Communication Plan?


- Clause 7.4 requires a clear answer to a series of questions on security issues: Who should communicate? To whom? What messages? On what? When? And how?
- Let's look more closely at how to address these questions.
- On what? (content) Organizations should clearly communicate on what is important to them: the need for information security and the need to conform to the requirements and policies.
- It will address risk management issues, new or changed security objectives, and vulnerabilities, events or incidents, to initiate the adequate response of all, and especially of the trained personnel who perform the planned reaction. Celebrating achievements and congratulating exceptional security behaviours has very positive effects.
- Including security clauses and requirements in the contract is also a way to communicate your requirements to service and product providers. Hence, it could be considered a part of the Communication Plan.

- What messages? (form & format) Messages should be clear in their form and content to produce the expected behavior. The type of communication medium is looked at here. You can use short stories, images, metaphors, or cartoons.
- Messages should be short and focused on their real intent. You certainly remember the SMART criteria that you can use to make sure the message is complete.
- Who? Organizations should clarify who is authorized to communicate, especially with external parties. Internally, top management, the CISO and the help desk are good examples. Big companies have their Public Relations Officer to communicate with the external parties.
- The communicator should have the appropriate authority to make sure the message will be received with the necessary attention and will be followed by the expected action or reaction.
- To whom? Not everybody should receive all messages. Messages should be aimed at a specific audience, depending on the classification of the information, the necessary technical knowledge, and the role in the organization. The Communication Plan should be effective and addressed only to those who will benefit from it or need to act based on it – e.g., different interested parties like users, partners, internal and external service providers, regulating bodies, shareholders, etc. See also this article: How to identify interested parties according to ISO 27001 and ISO 22301.
- How? (process) The simplest and first way is the security policy and all the documents that describe what to do (and how) to meet the objectives of the policy. Messages should be prepared and approved, particularly in the case of incidents and crises.
- Defined channels (and protocols) should be utilized to make sure the communication reaches the intended audience at the best moment and with the best possible effectiveness. Examples: emails, pop-up screens, screensavers, posters, audio messages, meetings, policies and directives, etc.
- When? Communication should be both continuous and event-based (in reaction to events).
- You should make sure the communicated message is continuously retransmitted, for example, to newcomers and at repeated intervals, to make sure it won't get forgotten.
- You also should be able to modify the messages or introduce new messages, formats and channels when the situation requires it. Communicating in normal conditions might be seriously different from communicating during incidents or crises.

Internal vs. External Communication Plan


- It is important to recognize that the Communication Plan has both internal and external aspects. They will respond differently to the following questions.
- Internal Communication Plan. Top management uses the internal Communication Plan to send messages on its objectives and commitment toward information security. Some examples are: the Information Security Policy, the security organization with the key roles and responsibilities, the Awareness plan, and the general and specific requirements to respond to incidents.
- However, the internal Communication Plan should not remain unidirectional. The channels (telephone and email, for example) should also be known and used to communicate "bottom-up" from the base (the users) to the management about events or some new vulnerability.
- External Communication Plan. Most of the examples given above relate to the internal Communication Plan, but are also fully applicable to the external Communication Plan.
- You may need to communicate to the external world: regulatory authorities, public authorities, shareholders, clients and partners, to announce events either positive (successes) or negative (incidents, accidents and crises). Here also you will need a Communication Plan answering the same questions as above.
- However, in this case, you'll have to use more caution, as you must not expose or disseminate sensitive information that will make your situation worse.

How to document the Communication Plan?


- Depending on the size of the organization and its security objectives, the Communication Plan could be more or less formal: fully documented as a separate document, or simply stated in a few sentences within other policies, procedures and plans.
- As long as the desired messages are passed to those who should make the best of them, your solution will fit your needs and the resources you can devote to it.

Why is a Communication Plan important?


- To conclude, the Communication Plan is a question of creating and maintaining trust and confidence in 1) your preparedness, 2) your capability to face events, and 3) your ability to recover from crises.
- The Communication Plan is a key element of a good Information Security Management System. One of the Returns On (Security) Investment of a good Communication Plan, as required by ISO 27001, is a strong image, both internal and external. Losing internal (or stakeholders') trust is sometimes worse than losing your public image. You risk implosion.
- After you set up your Communication Plan, use this Conformio compliance software to handle all the communication with your colleagues.

Which of the following statements represent external issues?


1. Organizational culture – Incorrect! This is an internal issue.

2. Cultural environment – Correct!

3. The structure of the company – Incorrect! This is an internal issue.

4. The competition of the company – Correct!

5. The political situation in the country where the company operates – Correct!

Match the following interested parties with their requirements:


1. A company that buys your services - Protecting their information and signing a nondisclosure
agreement

2. A government agency for personal data protection - Compliance with the personal data
protection law

3. The company that supplies you with the materials for your production - Paying them on time and
for all the delivered goods, i.e., having correct and available information for your supplies and
deadlines for payment

Which of the following statements describes an ISMS scope?


1. The Information Security Management System (ISMS) applies to the provision of secure and
trusted e-commerce services. – Correct!

2. Company X has implemented ISO 9001 and ISO 27001. – Incorrect! The scope should include the
services or products that the company provides, and the locations included in the scope.

3. The Information Security Management System (ISMS) applies to the provision of software
development and implementation, outsourcing of IT services including maintenance of hardware
and software, operating from the offices in London and Edinburgh. – Correct!

4. The ISMS has implemented all the controls from Annex A. – Incorrect! The scope should include
the services or products that the company provides, and the locations included in the scope.
How can top management demonstrate leadership and commitment to the
Information Security Management System? Choose the correct
statements:
1. Ensuring resources necessary for the ISMS – Correct!

2. Creating exceptions to the security rules for top management – Incorrect! Top management should
give good example for the rest of the employees and follow the ISMS rules and communicate the
importance of information security to all employees.

3. Communicating the importance of information security – Correct!

4. Dedicating one week a year for information security, while the rest of the time is dedicated to
everyday activities – Incorrect! Top management should make sure that the ISMS is integrated within
the company processes, not treat the ISMS as an isolated matter.

5. Promoting continual improvement – Correct!

The following statements are requirements for the Information Security Policy:
1. It should be documented. – Correct!

2. It should include a commitment to continual improvement of the ISMS. – Correct!

3. It should include relevant technical details and security rules. – Incorrect! This policy is a top-
level policy and it shouldn’t be too detailed. The details about the information security controls and rules
should be prescribed in detailed policies and procedures.

4. It should provide a framework for setting information security objectives. – Correct!

5. It must include the ISMS scope. – Incorrect! There is no such requirement for the Information
Security Policy.

Which of the following responsibilities and authorities are relevant for the
person responsible for reporting on the performance of the ISMS to top
management?
1. Prepares input for management review meeting – Correct!

2. Updates the Statement of Applicability – Incorrect! Updating the Statement of Applicability belongs to the responsibility of ensuring that the ISMS conforms to the requirements of ISO 27001 (clause 5.3 a), not to the responsibility of reporting on its performance (clause 5.3 b).

3. Reviews the effectiveness of the Business Continuity Plan – Correct!

4. Conducts a campaign for ISMS awareness raising – Incorrect! Awareness raising belongs to the responsibility of ensuring that the ISMS conforms to the requirements of ISO 27001, not to the responsibility of reporting on its performance.

5. Measures the KPIs (Key Performance Indicators) – Correct!


Which of the following objectives represents a measurable information
security objective?
1. Ensure 99.9% availability of company’s e-commerce service annually - Correct!

2. Decrease the average time for solving incidents by 10% - Correct!

3. Improve the incident management – Incorrect! This information security objective is not complete;
a description of what it means to improve the incident management (decrease number of incidents, time to
solve them, resources used, etc.), a measurable target, and a timeframe are missing.

4. Increase the awareness raising training for 2 hours per employee annually - Correct!

5. Increase the frequency of backup by 50% for the next year - Correct!

6. Strengthen the overall capabilities of the Information Security Management System in the next
six months - Incorrect! This information security objective is too general and doesn’t provide a
measurable target.

For effective implementation of incident management software in Company Y, the following resources should be available:
1. Available person and time to conduct analysis of the most suitable software for incident
management in Company Y – Correct!

2. Available time for top management to coordinate the implementation of the procedure –
Incorrect! Top management should make the decision to implement such procedure and approve the
procedure and the necessary budget, not coordinate the process.

3. Responsible person for coordinating the implementation of the procedure – Correct!

4. Available time for all employees to pass short training on how to use the incident management
software for reporting incidents. – Correct!

5. Dedicated budget for licenses for the chosen incident management software – Correct!

Which of the following statements represent requirements from the ISO 27001 standard?
1. All employees should have an ISO 27001 Introduction certificate - Incorrect! The standard
requires for the company to determine the necessary competences; it doesn’t indicate specific
competences.

2. Keep records as evidence of competence – Correct!

3. Define the information security competences for all persons working for your company –
Correct!

4. All employees shall have university degrees – Incorrect! The standard requires for the company to
determine the necessary competences; it doesn’t indicate specific competences.
Information security awareness raising helps improve the information
security in the company by:
1. Helping employees understand their role and the impact they have on ISMS – Correct!

2. Helping employees understand the consequences if they don’t follow the ISMS rules – Correct!

3. Helping employees become information security experts – Incorrect! Awareness raising campaigns
help employees understand information security better, but that doesn’t make them experts on the topic.

Communication rules should cover the following elements:


1. When the internal audit is scheduled – Incorrect! This is an important message to be communicated; however, it is not a rule for communication.

2. What should be communicated – Correct!

3. Who shall communicate – Correct!

4. Why information security objectives are important – Incorrect! This is an important message to be
communicated; however, it is not a rule for communication.

5. With whom to communicate – Correct!

When creating a new document, you should take into consideration the
following aspects:
1. Writing your name in the author section on the first page of the document, as defined in the
template you use – Correct!

2. Writing it in English because that is the official language of your firm – Correct!

3. Storing the document wherever is suitable for you - Incorrect! Documents should be stored as
prescribed by the company; for example, electronic information is stored in shared folders on the
company file server or in a folder in the cloud.

4. Saving the document in the appropriate file format – Correct!

5. When finished, submitting the document for review and approval – Correct!

6. The document is very well written, so it doesn’t need a title. It is pretty much obvious what it is –
Incorrect! A title of the document is probably the first thing that the readers are looking for.

ISO 27001 requires the identification of interested parties significant for the information security in your organization to be documented.
1. True – Incorrect! The standard requires these analyses to be conducted; however, it does not require
them to be documented.

2. False – Correct!

In order to define the ISMS scope, the company should consider:


1. Requirements of the interested parties – Correct!

2. External and internal issues – Correct!

3. Activities that are carried out by your organization and the activities performed by other
organizations, such as partners, associates, or an outsourcing company; how those activities are
related; and how they depend on each other. – Correct!

4. Information security objectives – Incorrect! The information security objectives are established after
the scope is set, taking into consideration the defined scope.

5. The number of employees in the company – Incorrect! The number of employees doesn’t influence
the ISMS scope.

When defining the information security objectives, the following aspects should be taken into consideration:
1. They should be aligned with the Information Security Policy. – Correct!

2. They should be documented together with the information security risk treatment – Incorrect!
There is no such requirement in ISO 27001; objectives and the risk treatment plan are two separate
documents.

3. They should be measurable. – Correct!

4. They should be updated in order to reflect the current situation of the company and its ISMS. –
Correct!

5. They should be communicated to all interested parties. – Correct!

6. They should be defined for a period of one year. – Incorrect! The time frame for completion of
objectives can be set by the company itself; it is not defined by the standard.

Regarding the resources, ISO 27001 requires companies to:


1. Group resources into three groups: financial, human, and time – Incorrect! ISO 27001 doesn’t
have such requirement; it refers to different types of resources.

2. Identify the needed resources for the Information Security Management System – Correct!

3. Ensure they are available for everyday operation – Correct!

4. Ensure they are available for continual improvement of the ISMS – Correct!

5. Define an annual budget for the ISMS – Incorrect! ISO 27001 doesn’t have such requirement. The
annual budget can be used as a tool for managing and controlling financial resources; however, it is not a
requirement.

Regarding competences, ISO 27001 requires the company to:


1. Define the necessary competences of employees who are related to information security –
Correct!

2. Regularly test the employees to check their competences – Incorrect! This is not a requirement
from the standard.

3. Send employees to training every month – Incorrect! This is not a requirement from the standard.

4. Make sure that employees have the appropriate training and experience – Correct!

5. Keep documented evidence that the employees really have the required competences – Correct!
