2. ISMS benefits
The main benefits of implementing an ISMS are: information security risk reduction, standardization,
and a structured approach.
The Ministry of Finance will benefit from implementing an ISMS by bringing information security
under management control, allowing direction and improvement where needed. Better information security
will reduce the risk (probability of occurrence and adverse impact) of incidents, cutting incident-related
losses and costs. In addition, an ISMS provides a structured, coherent and professional approach to the
management of information security, aligned with government laws and regulations and with ISO standards.
Furthermore, it provides comprehensive information risk assessment and treatment according to organizational
and security priorities, and focuses information security investment where it yields the greatest advantage.
3. Project Objectives
The two main project objectives are:
The overall objective of the proposed project is to improve the organization's efficiency, information
security and reputation, and ultimately its performance, through the introduction of a management system in
accordance with ISO/IEC 27001 (ISMS). The specific objectives include:
Demonstrate the ability to provide quality services to its clientele;
Improve management processes and efficiency;
Ensure protection of CIA (Confidentiality, Integrity and Availability) of all client and company
information processed in-house;
Prevent any breach of company data or client data, and ensure the security of all
information traffic within applications developed by the company and used by clients;
Increase reputation with existing and potential clients;
Further improve market penetration in foreign markets; and
Increase competitiveness.
Organize an intensive ISMS ISO/IEC 27001:2013 Lead Auditor Training with a subsequent examination that
leads to the candidate's international certification.
This five-day intensive training, "ISMS Lead Auditor", will contribute to the capacity building of
the participants and will enable them to develop the necessary expertise to audit an Information Security
Management System (ISMS) and to manage a team of auditors by applying widely recognized audit
principles, procedures and techniques. During this training, the participants will acquire the necessary
knowledge and skills to proficiently plan and perform internal and external audits in compliance with ISO
19011 and with the certification process according to ISO/IEC 17021. Based on practical exercises, the participants will
develop the skills (mastering audit techniques) and competencies (managing audit teams and audit programs,
communicating with customers, conflict resolution, etc.) necessary to efficiently conduct an audit and
inspect an ISMS; the training is delivered to Ministry of Finance personnel.
3.3. Scope of consulting services (A)
The consultant will start the project by analyzing the company's activities and its existing organization
and procedures, on which a gap analysis will be based. Next, the consultant will train the appointed
ISMS team with regard to quality and information security management standards. In the second phase,
the consultant will develop the integrated management system manual, objectives and policies for the ISMS,
and procedures such as: control of documented information; internal audit; control of nonconforming
services; corrective action; organization charts; process maps; organizational context; process flows and
internal communication. This continues with the development of work instructions, the risk treatment plan,
implementation of the applicable security controls, and management of ISMS resources. In the final stage, the
consultant will test the developed ISMS, will train the internal
audit team and will conduct an internal audit, after which the nonconformities found will be eliminated. The
consultant will also assist the company during the external certification audit. The project will be implemented
through the following phases:
2.1 Development of integrated management system manual, objectives and policies for QMS and
ISMS;
2.2 Development of documented procedures: control of documents; control of records; internal
audit; control of nonconforming services; corrective action, organization charts, process maps,
statement of applicability, process flows and internal communications;
2.3 Design and development of work instructions;
2.4 Implementing risk assessment and treatment plan;
2.5 Implementing applicable security controls;
2.6 Management of ISMS resources; and
2.7 Implementation of procedures for detecting and managing security incidents.
Phase 3: Implementation and system certification
The “Certified ISO/IEC 27001 Lead Auditor” exam fully meets the requirements of the
PECB Examination and Certification Program (ECP). The exam covers the following competence
domains:
Domain 1: Fundamental principles and concepts of information security
Domain 2: Information Security Management System (ISMS)
Domain 3: Fundamental audit concepts and principles
Domain 4: Preparation of an ISO 27001 audit
Domain 5: Conducting an ISO 27001 audit
Domain 6: Closing an ISO 27001 audit
Domain 7: Managing an ISO 27001 audit program
4. Implementation arrangements
The project will be carried out according to the implementation schedule below. The beneficiary is
responsible for providing the necessary and relevant information, appointing the quality team and providing
equipment for the effective implementation of the project. All training and presentation sessions will be
held online, while testing of the functionality of the implemented systems will be done at the beneficiary's premises.
The beneficiary should participate actively in the project. The company management will be informed
of the project progress through monthly progress reports prepared and submitted by the consultant.
The project will start on 01 November 2020 and is envisaged to be completed by 01 April 2021.
Individual project phases will be implemented as shown in the table below:
4.2. Schedule for training services (B)
Training will be organized over 5 intensive days, and the exam will take place on the final day.
Training Materials;
Manual, policies and objectives for ISO/IEC 27001:2013;
List of developed manuals, procedures, instructions, plans, other documents and forms;
Risk Assessment report;
Statement of Applicability;
Report of Internal Audit for ISO/IEC 27001:2013;
Management Review Report;
Final report, with advice on maintenance of the established ISMS (Information Security
Management System) based on ISO/IEC 27001:2013 requirements.
Training report on each candidate and individual progress report according to the exam results.
6. Budget
Consulting Services (A):
DIRECT COSTS
30 consultant days @ EUR 200 per day EUR 6,000.00