ISO/IEC 27001:2022 Implementation Training Course

BSI Training Academy

ISO/IEC 27001:2022
Implementation
Training course

Delegate Workbook

Version 2.0 October 2022

ISM02001ENIN
Copyright © 2022 BSI. v2.0 Oct 2022
All rights reserved.

This material is for the personal use of a delegate attending a course presented by BSI.
No part of the materials may be reproduced, stored electronically, or transmitted in any form or by any
means without the prior written consent of BSI.

ISMS02001ENIN v2.0 Oct 2022 Copyright © 2022 BSI. All rights reserved. 1


Welcome

• Be aware of the emergency exits
• Restrooms
• Please switch mobile phone to silent
• Please do not use recording devices
• Designated smoking areas

Please observe the following key points for your classroom training:

For your personal safety, please be aware of the emergency exits from your classroom and the building.

The tutor will inform you of the nearest restrooms.

Please do not leave valuable items unattended in the classroom. Keep them with you or make other arrangements for their safekeeping.

Please be considerate of other delegates and avoid distractions from the beeping/flashing of your mobile phone.

Please do not use recording devices since they may restrict free discussion.

The tutor will inform you of the lunch and break schedule. Please return to class on time.

The tutor will inform delegates of any area(s) known to be available for smoking.

If there are any special needs, please confirm these now.


Course structure

Materials:
• Slides
• Reference materials
• Loan copy of ISO/IEC 27001

Course format:
• Activities
• Discussions

The tutor will explain the outline or flow of the course.

This course consists of tutorials, delegate activities and discussions.

Your delegate workbook contains all printed materials related to this course, including slides, activities and reference materials. Sample answers to the activities are also in the back of your workbook. Please only refer to the answers for each activity after completing it, or if you’re really stuck.

You will get the most out of this course by being an active participant, asking questions and engaging in discussions and activities. Remember there are no silly questions and please feel free to seek the help of your tutor as needed.

All references to ‘the standard’, ‘27001’ or ‘ISO 27001’, unless otherwise specified, refer to ISO/IEC 27001:2022.


Agenda

Day 1
• Benefits to you, welcome and introductions
• Course aims, objectives and structure
• Module 1: Implementing a management system
• Module 2: Implementing Clause 4 and 5

Day 2
• Module 3: Implementing Clause 6
• Module 4: Implementing Clause 7 and 8
• Module 5: Implementing Clause 9 and 10
• Module 6: Course review and final questions

Two short breaks will be taken at suitably convenient times in the morning and afternoon. Forty-five minutes will be given for a lunch break. Additional breaks may be taken as long as agreed by delegates and tutor, and all learning objectives are met. Course activities will be at the tutor’s discretion, depending on time and delegate needs. Finish times may therefore differ from those advertised.


Benefits to you

This course will help you:
• Implement an effective and long-term ISMS
• Understand comprehensive quality controls which will build stakeholder confidence
• Take steps to ensure that information security is at the heart of your organization
• Attract and retain customers by meeting their current and future needs better

Delegates will develop an understanding of how ISO 27001 can provide a systematic framework to improve overall organizational performance when managing information.

Upon completion of the course, delegates will appreciate how consistent and predictable results can be more effectively and efficiently delivered by the promotion/application of the process approach within ISO 27001, and how this helps in meeting requirements.

Risk-based thinking has been included in the requirements of ISO 27001, and delegates will benefit from an understanding of this approach, especially when defining the rigor and degree of formality needed to plan and control an Information Security Management System.

Your learning will be through an activity-based, delegate-centred approach. This will help you share experiences and knowledge with other attendees, bringing alive the information presented and resulting in enhanced retention and application to your own workplace.

Delegates will also be able to recognize the new harmonized approach, developed by ISO, to improve alignment among its International Standards for management systems.

You also have the full support and training of a world-class BSI tutor at your disposal.
We hope you very much enjoy the course and take back valuable knowledge to your workplace.


Introductions

Your tutor(s) will introduce themselves.


Course aim

To gain an understanding of effective information security management, by using a systematic framework to protect the:
• confidentiality;
• integrity;
• and availability
of your information and that of your interested parties.

To gain an understanding of effective information security management, by using a systematic framework to protect the confidentiality, integrity and availability of your information and that of your interested parties.


Learning objectives

Upon completion of this training, delegates will be able to:
• Explain key elements of a management system implementation process
• Identify a typical framework for implementing ISO/IEC 27001 following the PDCA cycle
• Conduct a baseline review of the organization’s current position with regard to ISO/IEC 27001
• Interpret the requirements of ISO/IEC 27001 from an implementation perspective in the context of their organization
• Implement key elements of ISO/IEC 27001

Learning objectives describe in outline what delegates will know by the end of the course.


Module 1: Implementing a management system


Implementing a Management System

Stage 1: “Where we are”
Stage 2: “Implement and operate”
Stage 3: “Manage and improve”

(Diagram: PDCA cycle showing Plan, Do, Check, Act)

ISO/IEC 27001 may be seen as adopting a process approach for establishing, implementing, maintaining and continually improving an ISMS. This approach is often referred to as the Plan, Do, Check, Act (PDCA) model, and can be applied to all ISMS processes.
• (Plan) Establish the ISMS by understanding the organization’s information security requirements and the requirements from interested parties, and create policies, processes and procedures.
• (Do) Implement and operate the ISMS by implementing and operating the policies, controls, processes and procedures.
• (Check) Monitor and review by assessing and measuring the performance of the ISMS.
• (Act) Take actions to continually improve the ISMS.

The tutor will now explain the 3-stage process identified above.

Stage 1 will essentially enable you to understand where your organization is compared to the requirements in the Standard, and to identify gaps.


Implementing a Management System

Stage 1: Where we are
• Top management interest
• Understanding requirements, legal and guidance
• Baseline review, Gantt chart and resource requirements
• Approve and communicate implementation plan

Stage 2: Implement and operate
• Implement and operate the plan
• Support project
• Monitor project

Stage 3: Manage and improve
• Monitor, measure, analyze and evaluate
• Management review
• Continual improvement

The first stage is to understand “where we are” in terms of what the top management interest is, and understanding the requirements of interested parties as well as legal and regulatory requirements. From this information we can undertake a baseline review and produce a Gantt chart to identify what resources are required to implement an ISMS.

Management will need to approve an implementation plan, which will need to be communicated to all relevant parties.

Stage two is all about implementing and operating the plan, ensuring that the project is supported and monitored.

The final stage is all about determining whether the management system is effective and meets the needs of the business and interested parties, as well as identifying where the management system can be improved. This is done through monitoring, measuring and reviewing the ISMS performance.

During this course we will be focusing our attention on understanding the requirements from an implementation perspective. Using a workshop approach through activities, we will be implementing elements of the Standard.

We start with understanding the requirements.


Implementation Process (example)

(Diagram: swimlane flowchart. Key: Normal Route / Potential Route. Lanes: Top Management; Management Representative or Team; Overall Project Management Process and Link to PDCA. Course activities are marked against the stages: Example ISO/IEC 27001 Implementation Process; PDCA cycle.)

Top Management:
• Commitment to implement? No: END. Yes: continue
• Identify organizational goals for the management system
• Appoint a Management representative or team
• Approve and communicate the implementation plan

Management Representative or Team (PLAN):
• Understanding ISO/IEC 27001 requirements, legal, and review available guidance
• Baseline review: identify minimum documentation requirements; conduct baseline gap analysis; consider certification
• Communicate interest to the business
• Identify project milestones; create Gantt chart
• Estimate costs and secure resources

DO:
• Implement the plan; operate the system
• Support project; monitor project

CHECK:
• Monitor, measure, analyse and evaluate

ACT:
• Management review
• Implementation complete? Yes: maintain and continually improve the system; prepare for certification (potential route)

This process is meant to be used only as an example for descriptive purposes. Your implementation process should be modified and developed for your business as appropriate, including consideration of scale, style, culture and complexity.

The diagram depicts an example implementation process for an ISMS and how the activities required to be undertaken can be distributed between top management and the individual/team responsible for coordinating implementation.

The overall project management process depicts normal and potential routes through the process, if certification is required. It also maps to the PDCA process.

We will be asking you, as a project manager implementing an ISMS, to cover elements of this process during the course for your own organization.

The tutor will explain the process, especially the top management “plan” section. Activities are also shown, with the first ones dealing with ISO/IEC 27001 requirements.

(Please refer to References: Overall Project Management Process and link to PDCA)




Activity 1: ISO/IEC 27001 Requirements

• Review the clause requirements of ISO/IEC 27001 from an implementation perspective
• Match the statements with the correct clauses and determine if the statements are true or false

Activity 1: ISO/IEC 27001 Requirements

Purpose:
Review the clause requirements of ISO/IEC 27001 from an implementation perspective.

Duration:
20 minutes
5 minutes classroom discussion
5 minutes reflection/application to own workplace

Directions:
Review and discuss the statements provided, and match the statements with the correct clause, identifying which are true/false.


Activity 1 worksheet

ISO/IEC 27001 Clause Reference | Statement 1 (True) | Statement 2 (True) | Statement 3 (False)
4.1 | | |
4.2 | | |
4.3 | | |
4.4 | | |
5.1 | | |
5.2 | | |
5.3 | | |
6.1 | | |
6.2 | | |
6.3 | | |
7.1 | | |


Activity 1 worksheet (continued)

ISO/IEC 27001 Clause Reference | Statement 1 (True) | Statement 2 (True) | Statement 3 (False)
7.2 | | |
7.3 | | |
7.4 | | |
7.5 | | |
8.1 | | |
8.2 | | |
8.3 | | |
9.1 | | |
9.2 | | |
9.3 | | |
10.1 | | |
10.2 | | |


Requirements

Sources of requirements:
• Interested Parties
• Industry specifications
• Best Practice documents
• Internal Requirements
• External Requirements
• Standards
• Product specifications

How do you know what the internal and external issues are that are relevant to the purpose of your organization? Those issues may relate to legal, regulatory or contractual requirements that apply to your organization and operations. Legislation is changing all the time. How do you keep on top of the changes? What about other requirements? Perhaps the industry sector you operate in is regulated; how do you keep abreast of changes to regulations?

An organization needs to know what these requirements are if it wants to comply with them. It will have more chance of complying with them if it knows what they are! An ISMS requires an organization to have a framework for the identification and on-going evaluation of these requirements, so that it knows what is out there and how it applies to the organization.

Typically, an organization will produce a register of legislation, regulations and contractual requirements with an indication of how each applies to the organization and the operational controls in place.

See toolkit section:
1) *Information Security Legal and Regulatory List Example
2) Legislation and Regulation Compliance Register (Source: Telstra Global)


Typical ISMS Structure

Holistic Business View (Owner: Managing Director; measure: ISMS performance)
‘The What?’: A Process (Owner: Process; measure: IS effectiveness)
‘The How?’: A Procedure (Owner: Procedure; measure: IS operation)

The slide depicts a typical management system structure. We will cover the procedure/process requirements of ISO/IEC 27001 later on. However, it is important to understand what a process and a procedure are.

Process: Set of interrelated or interacting activities which transforms inputs into outputs

Procedure: Specified way to carry out an activity or process

Within the information security policy an organization may state that it will ensure staff leave the organization in a secure and controlled manner. To demonstrate this is happening and to ensure it complies with this requirement, the organization will implement a leavers process.

The ‘leavers’ process is owned by HR, even though it requires action from other departments across the organization. The inputs into this process could be an employee’s resignation letter which is sent to HR. When HR receive this, they inform the necessary parties, which forms some of the outputs:
• IT – to provide a list of assets provided to the user and for them to deactivate accounts on a set date
• Facilities – to deactivate building access card
• Manager – to retrieve assets provided to user (from list provided by IT)
• Finance – account reporting

IT may then have a procedure on what they need to do when they receive a leaver notification from HR, e.g. how to run a report of assets assigned to that user and deactivate their account and privileges.
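The leavers process above, worked as a small reconciliation script (an added example, not code from the BSI workbook): the HR notification is the process input, the asset report and the deactivation date are the outputs IT produces, and `overdue_accounts` is the check the IT procedure owner would run to measure that the procedure actually operated. The user names, system names, asset tags and the directory/asset-register export formats are all constructed assumptions.

```python
"""Leaver-process reconciliation check (added example, not BSI workbook code).

Models the 'leavers' process as a process with inputs (HR leaver notifications)
and outputs (IT asset report, account deactivation on a set date), then checks,
as the IT procedure owner would, that no leaver's account is still active after
that date. All data is constructed for illustration and the directory and
asset-register formats are assumptions.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class LeaverNotification:
    """Process input: HR notifies that a user leaves on a set date."""
    user_id: str
    leave_date: date


@dataclass(frozen=True)
class Account:
    """One row of an assumed IT account directory export."""
    user_id: str
    system: str
    active: bool
    privileged: bool = False


@dataclass(frozen=True)
class Asset:
    """One row of an assumed IT asset register export."""
    tag: str
    assigned_to: str


# Constructed sample inputs (not real users, systems or asset tags).
LEAVERS = [
    LeaverNotification("alice", date(2022, 10, 14)),
    LeaverNotification("bob", date(2022, 10, 21)),
]
ACCOUNTS = [
    Account("alice", "directory", active=False),
    Account("alice", "vpn", active=True, privileged=True),  # deactivation missed
    Account("bob", "directory", active=True),              # leave date not yet reached
    Account("carol", "directory", active=True),            # not a leaver
]
ASSETS = [
    Asset("LAP-0017", "alice"),
    Asset("TOK-0203", "alice"),
    Asset("LAP-0042", "bob"),
]


def asset_report(assets, user_id):
    """IT output: assets assigned to the leaver, passed on to the line manager."""
    return sorted(a.tag for a in assets if a.assigned_to == user_id)


def overdue_accounts(leavers, accounts, as_of_iso):
    """Control check on the IT output: accounts still active after the leaver's
    set date, returned as (user_id, system, days_overdue, privileged) tuples,
    privileged accounts first and then the most overdue first."""
    as_of = date.fromisoformat(as_of_iso)
    leave_dates = {lv.user_id: lv.leave_date for lv in leavers}
    findings = []
    for acct in accounts:
        leave = leave_dates.get(acct.user_id)
        # Skip non-leavers, already deactivated accounts and leavers not yet due.
        if leave is None or not acct.active or as_of <= leave:
            continue
        findings.append((acct.user_id, acct.system, (as_of - leave).days, acct.privileged))
    findings.sort(key=lambda f: (not f[3], -f[2]))
    return findings


def leaver_pack(leaver, assets):
    """Bundle the outputs HR sends on to the other parties for one leaver."""
    return {
        "user_id": leaver.user_id,
        "deactivate_on": leaver.leave_date.isoformat(),  # for IT and Facilities
        "assets_to_retrieve": asset_report(assets, leaver.user_id),  # for the manager
    }


if __name__ == "__main__":
    for lv in LEAVERS:
        print(leaver_pack(lv, ASSETS))
    for finding in overdue_accounts(LEAVERS, ACCOUNTS, "2022-10-18"):
        print("OVERDUE:", finding)
```

Run against real exports, the non-empty findings list is the record that the procedure did not operate as written, which is exactly the ‘measure IS operation’ evidence the structure slide asks the procedure owner for.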


Typical ISMS Structure

Policy, Process, Procedure

Policy: Statement of intent

Organizations may decide that they do not want to differentiate between a process and a procedure and just use one term; that is entirely up to the organization, as long as individuals know whether they should be creating a document detailing the inputs and outputs or a document providing the detail of a task.

In some cases organizations combine policy, processes and procedures into a single document – there is no right or wrong way, just what is appropriate for the organization. Ideally though, a policy is a statement of intent and does not cover how the requirements are met.


PDCA - Clauses - Implementation

PLAN: 4 Context of the Organization; 5 Leadership; 6 Planning; 7 Support
DO: 8 Operation
CHECK: 9 Performance Evaluation
ACT: 10 Improvement

This slide shows the framework and its associated clauses.

As you can see, the clauses follow the PDCA approach and, as we have said, PDCA can be an approach used for implementing the clauses. With this in mind, the next activity asks you to consider elements of the clauses and how they could be logically implemented according to PDCA.


Activity 2: Holistic implementation process

Create a holistic process of the ISO/IEC 27001 implementation requirements by following the PDCA cycle
• Review the statements and discuss the implementation process
• Place these statements into the order which identifies the correct sequence of events

Activity 2: Holistic implementation process

Purpose:
Create a holistic process of the ISO/IEC 27001 implementation requirements by following the PDCA cycle.

Duration:
20 minutes
5 minutes classroom discussion/review model answers

Directions:
The tutor will allocate a list of process elements:
• Review these and discuss the implementation process
• Place each of these statements into the order which identifies the correct sequence of events

Prepare to present back your findings to the rest of the class.

(It may help if you think of the PDCA cycle)


Activity 2 worksheet (blank numbered lines 5 to 12 for ordering the process elements)


Overall Project Management Process and Link to PDCA
Where we are now!

Activities
Baseline review:
• Identify minimum documentation requirements
• Conduct baseline gap analysis

Referring back to the ‘Overall Project Management Process and link to PDCA’ diagram we discussed earlier, if you were the project manager implementing this management system the next stage would be looking at the baseline review section, starting with documentation requirements.

(Please refer to References: Overall Project Management Process and link to PDCA)


Documented Information

• Required documented information
• Control of documented information

When the Standard refers to documented information, it is talking about documents and records, whether these are in physical or electronic format.

The extent of documented information required by an organization will depend upon the nature, size and complexity of the organization and the competence of persons within the organization. The general rule of thumb is: if the absence of documentation is likely to give rise to a significant impact, then the process, procedure or work instruction should be written down. However, the Standard does require certain information to be documented, which we will cover in Activity 5.

In addition, the Standard requires controls, suitable to the organization, to be implemented for the creating, modifying, labelling and handling of documented information. Documented information is covered within Clause 7.5; more information is provided later around this clause.


Determine the Need for Documentation

• Policy
• ISMS manual/framework
• Process
• Support documentation
• Records

This slide shows ‘typical’ types of documented information within a management system.

Policy – which is appropriate to the purpose of the organization; it should define the outline as to how information security is managed within the organization.

Manual / Framework – no Manual is required by ISO/IEC 27001, but a framework will provide a map from the top that will route newcomers and those unused to the ISMS to the precise system element or procedure that they require. This could easily be just an intranet page for information security, but should include elements such as scope, process identification etc.

Procedures – the operational control procedures, as required. Procedures prevent non-permitted variation of operations where such a change would have a detrimental impact.

Support documentation – permits, work instructions, signs, notices etc. Work instructions build upon procedures, but are much more focused on a particular task.

Records – recording the evidence of the effectiveness of the system and to aid communication.

Clause 7.5.3 of ISO/IEC 27001 requires that document control be applied to documented information required by the ISMS.


Activity 3: Minimum documentation requirements

Create a list of the minimum documentation requirements

Identify the minimum documentation requirements of ISO/IEC 27001:
• Include any documented procedures, records and other documents
• Identify what processes and procedures are required
• Record your findings using the templates supplied

Activity 3: Minimum documentation requirements

Purpose:
Create a list of the minimum documentation requirements.

Duration:
20 minutes
5 minutes classroom discussion/review model answers
5 minutes reflection/application to own workplace

Directions:
Identify the minimum documentation requirements of ISO/IEC 27001:
• Include any documented procedures, records and other documents
• Identify what processes and procedures are required
• Record your findings using the templates supplied


shijin chandran - shijinc@cdac.in shijin chandran - shijinc@cdac.in shijin chandran - shijinc@cdac.in

ISO/IEC 27001:2022 Implementation Training Course

ISO/IEC 27001 Documented Requirements

Clause:     Documented information required:
4.1
4.2
4.3
4.4
5.1
5.2
5.3
6.1.1
6.1.2
6.1.3
6.2
7.1
7.2
7.3
7.4
7.5.1
7.5.2
7.5.3
8.1
8.2
8.3
9.1
9.2
9.3
10.1
10.2

ISO/IEC 27001 Process and Procedure Requirements (not necessarily documented though)

Clause:     Process / procedure required:

Baseline Gap Analysis: 'Where are we now?'

Considerations                          Evidence
Purpose                                 BC/DR incidents
ISO/IEC 27001 requirements              IS incidents
Legal and other requirements            Maintenance logs
Expectations                            Fines
Context                                 SLA/contract breaches
Current and past IS performance         Purchasing decisions
Scope                                   Interested parties' communications

Considerations and evidence together are used to determine the current status.

We now need to establish where we are now by conducting a baseline review. The review takes into consideration activities, products, processes and services in relation to current and past performance, based on existing evidence.

The aim of this review is to form a basis for establishing the ISMS. It is important to set the boundaries with regard to the application and implementation of an ISMS. For example, you might choose to apply it to the entire organization across all sites, or just to an operating unit or one particular site. Once the scope and boundaries have been defined, all the activities of the organization within that scope will need to be included in the ISMS.

But how do you go about gathering this information?

You could use a number of tools and methods to undertake this review, including checklists, interviews, results from previous audits or other reviews, historical records of previous incidents and so on. However, we are going to look at another approach, using questionnaires.

Activity 4: Baseline gap analysis
Find out how far your organization's information security management is aligned with ISO/IEC 27001 requirements.
Activity 4: Baseline gap analysis

Purpose:
Conduct a baseline review of the organization's current position with regard to ISO/IEC 27001

Duration:
25 minutes
5 minutes classroom discussion/review model answers

Directions:
Please read the instructions below and then answer the 26 questions posed. Once completed, add the scores up and review the comments pertaining to your scores.

How to complete the Questionnaire

This questionnaire can be used to establish a benchmark position for those organizations considering implementing a standardized information security management system, and can be used subsequently by the same organizations to track progress, probably at quarterly intervals.


Please complete this questionnaire to give a fair representation of your current level of compliance with the Standard's requirements. There are 26 questions and the figures in brackets refer to sections of ISO/IEC 27001:2022. The answers you give should be representative of your organization's status as a whole, so it may be easier to restrict your first answers to a specific representative site for the purpose of the current activity.

When you have finished answering all the questions, transfer your numerical scores to the final summary sheet. Please keep the completed questionnaire for your own future reference and use.

Each question requires a self-scored answer in the form of a mark on a linear scale; the two extremes of the scale are indicated by words or phrases. The scoring is indicated by circling or ticking one of the five numbers as shown to indicate the status of your organization in relation to the two extremes. Please ensure that you score with whole numbers only.

0 1 2 3 4

If you consider you have made no progress as regards a particular question, then a 0 should be selected.

Please note, where questions refer to the maintenance of work procedures you should only consider your organization to merit a high score if you have had procedures long enough to alter them in the light of experience. As this process is likely to have taken about a year even with a fully active information security management system, few organizations rate such a high score.

Question 1
Has the organization undertaken a review to determine fully the external and internal issues that are relevant to establishing the context of the organization? (4.1)
Score 0: Previous partial review or new review started, but little progress.
Score 4: Thorough review completed, formal report covering key areas including its role in information security management. Identification of processes, activities and functions that can have an effect on information security management.
0 1 2 3 4

Question 2
Has the organization undertaken a review to identify interested parties and to understand their needs and expectations? (4.2)
Score 0: Previous partial review or new review started, but little progress.
Score 4: Thorough review completed with a formal report covering the key areas, including: determination of relevant interested parties, their requirements and identification of legal and other requirements relating to information security management.
0 1 2 3 4

Question 3
Has the organization determined the boundaries and applicability of the information security management system? (4.3)
Score 0: Little action taken to identify the scope of the system.
Score 4: Scope established including consideration of the issues of context identified in Clause 4.1, the requirements referred to in Clause 4.2 and the interfaces and dependencies with activities performed by other organizations. Scope documented.
0 1 2 3 4

Question 4
Has the organization established an information security management system? (4.4)
Score 0: No discernible action taken in the establishment of an information security management system.
Score 4: System that meets the requirements of ISO/IEC 27001 is in place.
0 1 2 3 4

Question 5
Has top management demonstrated its commitment to establishing an information security management system and effective leadership in the continual improvement of the system? (5.1)
Score 0: There is no clear management involvement or responsibility taken.
Score 4: Top management displays its commitment to establishing the information security management system and is actively involved in the promotion of the information security management system and its performance.
0 1 2 3 4

Question 6
Has the organization established an information security policy? (5.2)
Score 0: Draft available but not widely adopted and some major issues not addressed.
Score 4: Relevant, understood, maintained, consistent with organization policies and available to interested parties.
0 1 2 3 4

Question 7
Has the organization assigned responsibilities and authorities in respect of the information security management system? (5.3)
Score 0: There are no clear responsibilities or authorities assigned.
Score 4: Well defined responsibility/authority for the information security management system, including conformity to the requirements of the standard and reporting performance.
0 1 2 3 4

Question 8
Does the organization follow a process that determines risks and opportunities? (6.1.1)
Score 0: There is little evidence of planning for the information security management system.
Score 4: Effective planning is put in place that fully takes into account the context of the organization and its information security risks etc.
0 1 2 3 4


Question 9
Has the organization defined and applied an information security risk assessment process? (6.1.2)
Score 0: Little evidence of determination of risks.
Score 4: Risks identified, analyzed and evaluated to determine priorities for the treatment of risks.
0 1 2 3 4

Question 10
Has the organization defined and applied an information security risk treatment process? (6.1.3)
Score 0: No evidence of a risk treatment process in place.
Score 4: Effective risk treatment plans in place that determine all the controls necessary to implement the information security risk treatment options chosen. This has been approved by risk owners and acceptance of residual information security risks has been obtained. A Statement of Applicability has been created.
0 1 2 3 4

Question 11
Has the organization established information security objectives? (6.2)
Score 0: Limited evidence of information security objectives in place.
Score 4: Objectives in place that take into account the requirements of the standard, with suitable documented information in place.
0 1 2 3 4

Question 12
Does the organization have plans in place to achieve information security objectives? (6.2)
Score 0: Limited plans in evidence.
Score 4: Comprehensive action plans in place, suitably documented and reviewed.
0 1 2 3 4

Question 13
Does the organization carry out changes to the ISMS in a planned manner? (6.3)
Score 0: Limited plans in evidence.
Score 4: Comprehensive change management plans and process in place, suitably documented and reviewed.
0 1 2 3 4

Question 14
Has the organization provided adequate resources (including human, technological and financial) for establishment, implementation, maintenance and continual improvement of the information security management system? (7.1)
Score 0: Limited resources available to support the system.
Score 4: Evidence of proper resourcing of the system to achieve information security objectives is in place.
0 1 2 3 4

Question 15
Has the organization taken the necessary steps to determine the competence of persons, undertaking work under its control, which can affect information security management system performance? (7.2)
Score 0: Limited evidence of identification of competence and training to support competence development.
Score 4: Comprehensive assessment in place supported by suitable documentation as evidence of competence.
0 1 2 3 4

Question 16
Has the organization promoted awareness of information security management, so that all those working under the organization's control are aware of the requirements as they affect them? (7.3)
Score 0: Awareness of system requirements limited.
Score 4: Regular actions taken to ensure that all those affected are aware of the information security management system requirements.
0 1 2 3 4

Question 17
Has the organization implemented and maintained sufficient and appropriate communication with appropriate interested parties? (7.4)
Score 0: Some initiated.
Score 4: Comprehensive communication process in place.
0 1 2 3 4

Question 18
Has the organization established and is it maintaining documented information as required by the standard and as determined as necessary by the organization? (7.5)
Score 0: Outline documentation exists.
Score 4: Comprehensive and detailed documentation available meeting the requirements of the standard.
0 1 2 3 4


Question 19
Has the organization determined, planned and implemented operational controls to meet the requirements of the information security management system? (8.1)
Score 0: Some outline controls exist.
Score 4: Comprehensive and detailed planning and controls in place to meet the requirements of the standard.
0 1 2 3 4

Question 20
Has the organization established a process to ensure information security risk assessments are performed at planned intervals or in response to significant changes? (8.2)
Score 0: Little evidence of an established process.
Score 4: An established process is in place to ensure risk assessments are carried out at appropriate intervals and in response to significant changes.
0 1 2 3 4

Question 21
Has the organization implemented the risk treatment plan? (8.3)
Score 0: Little evidence of risk treatment plan implementation.
Score 4: The risk treatment plan has been fully implemented and documented information is retained relating to the results of information security risk treatment.
0 1 2 3 4

Question 22
Has the organization determined details, methods and frequency of areas of operation that need to be monitored, measured, analyzed and evaluated in order to establish the performance and effectiveness of the information security management system? (9.1)
Score 0: Few effective monitoring arrangements are in place.
Score 4: Comprehensive monitoring, measurement, analysis and evaluation of performance is in place with necessary documented information to evidence results.
0 1 2 3 4

Question 23
Has the organization established, implemented and maintained an information security internal audit programme and documented evidence of the results? (9.2)
Score 0: Audit programme drafted.
Score 4: Comprehensive information security audit programme in place that fully meets the requirements of the standard.
0 1 2 3 4


Question 24
Has the organization undertaken reviews of the information security management system? (9.3)
Score 0: Initial review only.
Score 4: Regular review undertaken by top management.
0 1 2 3 4

Question 25
Does the organization continually improve its information security management system? (10.1)
Score 0: Little attention paid to the improvement of the system.
Score 4: Opportunities to improve the suitability, adequacy and effectiveness of the information security management system are identified through use of the information security policy, objectives, audit results, management reviews and analysis of monitored events.
0 1 2 3 4

Question 26
Does the organization react effectively to any nonconformity identified within its information security management system and maintain documented information where appropriate? (10.2)
Score 0: No methods in place.
Score 4: Full procedure exists with the nature of nonconformities and results of corrective action taken documented and maintained.
0 1 2 3 4
an
ch

Summary Sheet

Section Ref   Question number and Subject                                    Score

4 Context of the organization
4.1            1   Context
4.2            2   Interested parties
4.3            3   Scope
4.4            4   ISMS

5 Leadership
5.1            5   Leadership and commitment
5.2            6   Policy
5.3            7   Organizational roles, responsibilities and authorities

6 Planning
6.1.1          8   General
6.1.2          9   Information security risk assessment
6.1.3         10   Information security risk treatment
6.2           11   Information security objectives
6.2           12   Plans to achieve information security objectives
6.3           13   Planning of changes

7 Support
7.1           14   Resources
7.2           15   Competence
7.3           16   Awareness
7.4           17   Communication
7.5           18   Documented information

8 Operation
8.1           19   Operational planning and control
8.2           20   Information security risk assessment
8.3           21   Information security risk treatment

9 Performance evaluation
9.1           22   Monitoring, measurement, analysis and evaluation
9.2           23   Internal audit
9.3           24   Management review

10 Improvement
10.1          25   Continual improvement
10.2          26   Nonconformity and corrective action

Total Score (Maximum 104: 26 questions, each scored 0 to 4)
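The summary sheet above is a manual tally; the Python below is an added example (not part of the BSI workbook) that does the same arithmetic and then produces the input Activity 5 asks for: it enforces the questionnaire rules (every question answered, whole numbers 0 to 4 only), totals the score, groups it by clause section, and ranks the lowest-scoring questions so the weakest areas can be carried straight onto the task sheet. The question numbers, clause references and subjects are those of the summary sheet; the scores in SAMPLE_SCORES are constructed for a fictional organization.

```python
"""Score the ISO/IEC 27001 baseline gap-analysis questionnaire (added example).

The question numbers, clause references and subjects come from the summary
sheet; SAMPLE_SCORES is constructed data for a fictional organization.
"""
from collections import defaultdict

QUESTIONS = [
    (1, "4.1", "Context"),
    (2, "4.2", "Interested parties"),
    (3, "4.3", "Scope"),
    (4, "4.4", "ISMS"),
    (5, "5.1", "Leadership and commitment"),
    (6, "5.2", "Policy"),
    (7, "5.3", "Organizational roles, responsibilities and authorities"),
    (8, "6.1.1", "General"),
    (9, "6.1.2", "Information security risk assessment"),
    (10, "6.1.3", "Information security risk treatment"),
    (11, "6.2", "Information security objectives"),
    (12, "6.2", "Plans to achieve information security objectives"),
    (13, "6.3", "Planning of changes"),
    (14, "7.1", "Resources"),
    (15, "7.2", "Competence"),
    (16, "7.3", "Awareness"),
    (17, "7.4", "Communication"),
    (18, "7.5", "Documented information"),
    (19, "8.1", "Operational planning and control"),
    (20, "8.2", "Information security risk assessment"),
    (21, "8.3", "Information security risk treatment"),
    (22, "9.1", "Monitoring, measurement, analysis and evaluation"),
    (23, "9.2", "Internal audit"),
    (24, "9.3", "Management review"),
    (25, "10.1", "Continual improvement"),
    (26, "10.2", "Nonconformity and corrective action"),
]
MAX_PER_QUESTION = 4
MAX_TOTAL = MAX_PER_QUESTION * len(QUESTIONS)   # 26 questions x 4 = 104

SECTION_TITLES = {"4": "Context of the organization", "5": "Leadership",
                  "6": "Planning", "7": "Support", "8": "Operation",
                  "9": "Performance evaluation", "10": "Improvement"}

# Constructed sample: one fictional organization's self-assessment.
SAMPLE_SCORES = {1: 3, 2: 2, 3: 3, 4: 1, 5: 2, 6: 3, 7: 2, 8: 1, 9: 1, 10: 0,
                 11: 1, 12: 0, 13: 0, 14: 2, 15: 1, 16: 2, 17: 2, 18: 1, 19: 1,
                 20: 0, 21: 0, 22: 0, 23: 0, 24: 1, 25: 0, 26: 1}


def validate(scores):
    """Apply the questionnaire rules: every question answered, whole numbers 0-4 only."""
    missing = [q for q, _, _ in QUESTIONS if q not in scores]
    if missing:
        raise ValueError(f"unanswered questions: {missing}")
    for q, s in scores.items():
        if type(s) is not int or not 0 <= s <= MAX_PER_QUESTION:
            raise ValueError(f"question {q}: score must be a whole number 0-{MAX_PER_QUESTION}, got {s!r}")


def summarise(scores):
    """Total and per-section (score, maximum) pairs, as on the summary sheet."""
    validate(scores)
    sections = defaultdict(lambda: [0, 0])
    for q, clause, _ in QUESTIONS:
        section = clause.split(".")[0]           # "6.1.2" -> section "6"
        sections[section][0] += scores[q]
        sections[section][1] += MAX_PER_QUESTION
    return sum(scores.values()), {s: tuple(v) for s, v in sections.items()}


def weakest(scores, n=5):
    """Lowest-scoring questions first (ties by question number): the Activity 5 starting list."""
    validate(scores)
    ranked = sorted(QUESTIONS, key=lambda item: (scores[item[0]], item[0]))
    return [(q, clause, subject, scores[q]) for q, clause, subject in ranked[:n]]


if __name__ == "__main__":
    total, by_section = summarise(SAMPLE_SCORES)
    for section, (score, maximum) in by_section.items():
        print(f"{section:>3} {SECTION_TITLES[section]:<28} {score:>2}/{maximum}")
    print(f"Total score {total}/{MAX_TOTAL}")
    print("Weakest areas for the task sheet:")
    for q, clause, subject, score in weakest(SAMPLE_SCORES):
        print(f"  Q{q:<3} {clause:<6} {subject} (score {score})")
```

Run it quarterly on the retained questionnaires and diff the per-section pairs to track progress; the ranking deliberately breaks ties by question number so that the earlier clauses (context, scope, risk assessment), which later tasks depend on, surface first.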


Overall Project Management Process and Link to PDCA: where we are now

• Identify project milestones
• Create Gantt chart
• Estimate costs and secure resources

To recap where we are now: after conducting the gap analysis we need to identify project milestones and create a Gantt chart.

(Please refer to References: Overall Project Management Process and link to PDCA)


Project Plan (example Gantt chart)

Project plan                        J F M A M J J A S O N D   Responsibilities   Deadlines
Baseline Review                     X X X
Context                             X
Policy Draft                        X
Risks and opportunities             X X
Application of legal requirements   X X
Staff awareness                     X X
Operational controls                X X X X
Monitoring and measurements         X X X X
Evaluation of compliance
Audits                              X X X X X X
Implement improvements              X X X X X
Management review                   X X X X
BSI registration                    X

Once the gaps have been identified we can then start planning using a Gantt chart (as an example). You will need to identify the elements required in any project management, i.e. critical paths and tasks, linking tasks (leading or lagging), resources, milestones and reporting.

MS Project is one tool that can do this, but there are many others, including just using an Excel spreadsheet.

The commitment of people is paramount in any project, and ensuring this happens is the responsibility of the project manager. He or she will need to mix the right team with the right skills and the ability to be team players; however, the realities of time, cost and quality come into play.
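The critical path and task linking mentioned above can be computed rather than read off the chart by eye. The Python below is an added example, not BSI's code or MS Project output: it takes a task list with durations and predecessor links, runs the forward and backward passes of the critical path method, reports each task's slack, and prints a text Gantt chart with the critical tasks marked. The clause numbers are the standard's; the choice of tasks, the durations in working days and the dependencies are constructed assumptions for a fictional organization and must be replaced with your own task sheet.

```python
"""Critical path for an ISMS implementation task sheet (added example, not BSI's).

Clause numbers are the standard's; the task selection, durations (working
days) and predecessor links are constructed assumptions for a fictional
organization.
"""

# id: (clause, task, duration_days, predecessor ids)
TASKS = {
    "context":     ("4.1",   "Determine external and internal issues", 5, []),
    "parties":     ("4.2",   "Determine interested parties and their requirements", 5, []),
    "scope":       ("4.3",   "Determine and document boundaries/scope", 3, ["context", "parties"]),
    "policy":      ("5.2",   "Top management: establish policy and objectives", 5, ["scope"]),
    "roles":       ("5.3",   "Assign roles, responsibilities and authorities", 2, ["scope"]),
    "risk_crit":   ("6.1.2", "Establish and maintain risk criteria", 3, ["scope"]),
    "risk_assess": ("6.1.2", "Identify, analyze and evaluate risks", 15, ["risk_crit", "roles"]),
    "soa":         ("6.1.3", "Determine controls, compare with Annex A, produce SoA", 10, ["risk_assess"]),
    "rtp":         ("6.1.3", "Formulate risk treatment plan, obtain risk owner approval", 5, ["soa"]),
    "awareness":   ("7.3",   "Awareness programme", 10, ["policy"]),
    "implement":   ("8.3",   "Implement the risk treatment plan", 40, ["rtp"]),
    "audit":       ("9.2",   "Internal audit", 10, ["implement", "awareness"]),
    "review":      ("9.3",   "Management review", 2, ["audit"]),
}


def topological_order(tasks):
    """Kahn's algorithm. Rejects unknown predecessors and dependency cycles."""
    indegree = {t: 0 for t in tasks}
    successors = {t: [] for t in tasks}
    for t, (_, _, _, preds) in tasks.items():
        for p in preds:
            if p not in tasks:
                raise ValueError(f"{t}: unknown predecessor {p!r}")
            successors[p].append(t)
            indegree[t] += 1
    ready = sorted(t for t, d in indegree.items() if d == 0)
    order = []
    while ready:
        t = ready.pop(0)
        order.append(t)
        for s in successors[t]:
            indegree[s] -= 1
            if indegree[s] == 0:
                ready.append(s)
    if len(order) != len(tasks):
        raise ValueError("dependency cycle in task sheet")
    return order, successors


def schedule(tasks):
    """Forward pass (earliest start/finish), backward pass (latest start/finish), slack per task."""
    order, successors = topological_order(tasks)
    es, ef = {}, {}
    for t in order:                       # forward pass: a task starts when its last predecessor ends
        es[t] = max((ef[p] for p in tasks[t][3]), default=0)
        ef[t] = es[t] + tasks[t][2]
    finish = max(ef.values(), default=0)
    ls, lf = {}, {}
    for t in reversed(order):             # backward pass: latest finish without delaying any successor
        lf[t] = min((ls[s] for s in successors[t]), default=finish)
        ls[t] = lf[t] - tasks[t][2]
    return finish, {t: {"es": es[t], "ef": ef[t], "ls": ls[t], "lf": lf[t],
                        "slack": ls[t] - es[t]} for t in order}


def critical_path(tasks):
    """Project length and the zero-slack tasks in start order; delaying any of them delays completion."""
    finish, sched = schedule(tasks)
    critical = sorted((t for t, v in sched.items() if v["slack"] == 0),
                      key=lambda t: (sched[t]["es"], t))
    return finish, critical


def gantt_text(tasks, width=40):
    """Plain-text Gantt bars scaled to `width` columns: '#' for critical tasks, '=' otherwise."""
    finish, sched = schedule(tasks)
    scale = max(finish, 1) / width
    lines = []
    for t, v in sched.items():
        start = int(v["es"] / scale)
        length = max(1, round(tasks[t][2] / scale))
        bar = ("#" if v["slack"] == 0 else "=") * length
        lines.append(f"{tasks[t][0]:<6} {t:<12} {' ' * start}{bar}")
    return "\n".join(lines)


if __name__ == "__main__":
    finish, critical = critical_path(TASKS)
    print(f"Earliest completion: {finish} working days")
    print("Critical path:", " -> ".join(critical))
    print(gantt_text(TASKS))
```

With these assumed figures the risk assessment, Statement of Applicability, treatment plan and its implementation are all on the critical path, while the policy and awareness work carry weeks of slack; that is the usual shape of an ISMS project, and it is why resourcing the risk work early matters more than polishing the policy.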

Project manager

• Excellent communicator
• Good leader
• Authority to make decisions

The project manager must be an excellent communicator; project management is about influencing others. Skills such as negotiating, persuading, advising and listening also come into play.

The project manager must be a good leader. A project relies on the commitment and loyalty of all involved.

It is important to note the balance between responsibility and authority in any project. The project manager needs to have the responsibility and authority to see a project through to completion. If they don't have the authority to make decisions this will lead to project inertia.

In a similar way, the members of the project team will need clear guidance on their own responsibilities and the decisions they have the authority to make.

A good project manager's instinctive method of working will be founded on years of experience.

Activity 5: Create a Gantt chart

Purpose:
Start to create a Task Sheet and Gantt Chart using the baseline review to identify main weaknesses

Duration:
15 minutes
5 minutes classroom discussion

Directions:
Having identified the main strengths and weaknesses in your ISMS from the last activity, it is now time to translate this into a task sheet. Review the activities in the task sheet provided and, for the areas of greatest weakness identified, start to identify specific activity durations for the resources you have at your disposal (if any). This will help in creating a Gantt chart for your implementation.

Reference ISO/IEC 27001 for full details of task items.

Gantt Chart (Activity 5): Task Sheet
(Need to define for each organization: resources etc.)

Related Q   Clause   Task                                                                       Duration   Start   Finish
1           4.1      Determine purpose
                     Determine external and internal issues
2           4.2      Determine interested parties
                     Determine their requirements
                     Determine legal and other requirements
3           4.3      Determine boundaries/scope
                     Determine interfaces and dependencies
                     Document scope
4           4.4      Establish and implement an ISMS
                     Maintain and continually improve the ISMS
5           5.1      Top management: Establish policy, objectives
                     Top management: Ensure integration of ISMS requirements into organization's processes
                     Top management: Ensure resources available
                     Top management: Communicate importance
                     Top management: Ensure ISMS achieves intended outcome

5 (cont.)   5.1      Top management: Directing and supporting persons
                     Top management: Promoting continual improvement
                     Top management: Support other relevant management roles
6           5.2      Top management: Policy is appropriate to organization's purpose
                     Top management: Policy provides information security objectives or framework
                     Top management: Policy includes commitment to satisfy applicable requirements relating to information security
                     Top management: Policy includes a commitment to continually improve
                     Top management: Policy is documented
                     Top management: Policy is communicated within the organization
                     Top management: Policy is available to interested parties

7           5.3      Top management: Ensure roles, responsibilities and authorities are assigned and communicated
                     Top management: Assign responsibility and authority for:
                       a) ensuring the ISMS conforms to the requirements of the standard
                       b) reporting on the performance of the ISMS
8           6.1.1    Determine the risks and opportunities that need to be addressed
                     Plan how to address the risks and opportunities and how to integrate and evaluate them
9           6.1.2    Define and apply a risk assessment process including:
                       Establishing and maintaining risk criteria
                       Ensuring consistency and validity and comparable results
                       Identifying the risks and the risk owners
                       Analyzing the information security risks
                       Evaluating the information security risks
                     Document information about the risk assessment process

10          6.1.3    Define and apply an information security risk treatment process to:
                       Select risk treatment options
                       Determine necessary controls
                       Compare controls with Annex A
                       Produce a Statement of Applicability
                       Formulate a risk treatment plan
                       Obtain risk owner approval
                     Document information about the information security risk treatment process
11          6.2      Establish information security objectives
                     Retain documented information on the objectives
12          6.2      Planning to achieve information security objectives
13          6.3      Planning of changes
14          7.1      Determine and provide resources

15          7.2      Determine necessary competence
                     Ensure persons are then competent on basis of...
                     Take action to acquire this competence
                     Evaluate the effectiveness of the actions taken
                     Retain appropriate documented evidence
16          7.3      Ensure person(s) who work under the organization's control are aware
17          7.4      Determine the need for internal/external communications
                     Determine on what it will communicate
                     Determine when it will communicate
                     Determine with whom to communicate
                     Determine who shall communicate
                     Establish a communications process

18          7.5.1    Document information required by this Standard
                     Document information required for ISMS effectiveness
            7.5.2    Ensure appropriate identification and description
                     Ensure appropriate format and media
                     Ensure review and approval for adequacy
            7.5.3    Ensure availability and suitability for use
                     Ensure adequately protected
                     Control distribution, access, retrieval and use
                     Control storage and preservation, including preservation of legibility
                     Control changes (version control)
                     Control retention and disposition
                     Identify and control documented information of external origin

Task sheet / Gantt chart (Activity 5), continued
(Duration, Start and Finish to be defined for each organization, together with resources)

Q   Clause  Task
19  8.1     Plan, implement and control the processes needed to meet requirements
            Implement the plans (the actions determined in Clause 6)
            Keep documented information to provide confidence that the processes have been carried out as planned
            Control planned changes
            Review the consequences of unintended changes
            Take action to mitigate any adverse effects
            Control externally provided processes, products or services relevant to the ISMS (outsourced processes)
20  8.2     Perform information security risk assessments at planned intervals, or when significant changes are proposed or occur
            Retain documented information of the results of the risk assessments
21  8.3     Implement the information security risk treatment plan
            Retain documented information of the results of the risk treatment

Task sheet / Gantt chart (Activity 5), continued
(Duration, Start and Finish to be defined for each organization, together with resources)

Q   Clause  Task
22  9.1     Determine what needs to be monitored and measured
            Determine the methods for monitoring, measurement, analysis and evaluation, to ensure valid results
            Determine when the monitoring and measuring shall be performed
            Determine who shall monitor and measure
            Determine when the results shall be analysed and evaluated
            Determine who shall analyse and evaluate the results
            Retain documented information as evidence of the monitoring and measurement results
23  9.2     Conduct internal audits at planned intervals
            Ensure the audit objectives cover a) and b) (conformity to the organization's own ISMS requirements and to the Standard; effective implementation and maintenance)
            Plan, establish, implement and maintain audit programme(s), including ...
            Ensure the audit programme(s) take into consideration ...
            Define the audit criteria and scope for each audit
            Select auditors and conduct audits so as to ensure objectivity and impartiality
            Ensure the results of audits are reported to relevant management
            Retain documented information as evidence of the audit programme(s) and the audit results

Task sheet / Gantt chart (Activity 5), continued
(Duration, Start and Finish to be defined for each organization, together with resources)

Q   Clause  Task
24  9.3     Top management: review the ISMS at planned intervals
            Include for consideration the inputs a) to g) (the 2022 edition adds changes in the needs and expectations of interested parties)
            Outputs include decisions relating to continual improvement opportunities and any need for changes to the ISMS
            Retain documented information as evidence of the results of management reviews
25  10.2    React to nonconformities (in ISO/IEC 27001:2022, nonconformity and corrective action is Clause 10.2 and continual improvement is Clause 10.1)
            Take action to control and correct them
            Deal with the consequences
            Evaluate the need for action to eliminate the causes, by ...
            Implement any action needed
            Review the effectiveness of any corrective action taken

Task sheet / Gantt chart (Activity 5), continued
(Duration, Start and Finish to be defined for each organization, together with resources)

Q   Clause  Task
26  10.1    Continually improve the suitability, adequacy and effectiveness of the ISMS
27  10.2    Make changes to the ISMS, if necessary
            Retain documented information as evidence of f) the nature of the nonconformities and any subsequent actions taken, and g) the results of any corrective action

Module 2: Implementing Clauses 4 and 5

Overall project management process and link to PDCA

Where we are now: Create Gantt chart → Estimate costs and secure resources → Approve and communicate the implementation plan → Implement the plan → Operate the system, with "support project" and "monitor project" running alongside these activities.

As you can see, once a task sheet/Gantt chart has been prepared and costs/resources estimated, top management will need to approve and communicate the plan to the appropriate people. Not everyone will need to know everything, so it is important to determine who needs to know what, and when.

This leads us into the activities around implementing the plan and operating the system. We will start by looking at the requirements around understanding the context of your organization.

(Please refer to References: Overall Project Management Process and link to PDCA)

Refer to output from Activity 4: Holistic Implementation Process

Clause 4: Context of the organization (4.1)

Determine:
• External issues relevant to its purpose
• Internal issues relevant to its purpose
• Interfaces and dependencies between activities performed by the organization and activities performed by other organizations
• Interested parties relevant to the ISMS
• Requirements of these interested parties

Clause 4 relates to the context of the organization, which requires the organization to determine the external and internal issues that affect its ISMS. What those issues are will depend on the type of organization it is.

Organizations shall also demonstrate an appreciation and understanding of their purpose, aligned with the needs and expectations of the interested parties relevant to the ISMS.

Finally, organizations are required to identify interfaces and dependencies between the activities they perform and the activities performed by other organizations that could have an impact on information security. Therefore, if an organization relies on a third party for certain activities, e.g. IT services, it is important that it understands what that third party has contractually agreed to do and how the third party may affect the organization's information security measures.

See toolkit section:
3) PAS 99:2012 Extract – 4 Context of the Organization
4) *Internal and External Issues Example
5) *Example Statement of Context
6) ISMS Framework - Extract (Source: Telstra Global)

Activity 6: Understanding your context

Purpose:
Practice implementation of ISO/IEC 27001 key elements: understanding the organization and its context.

Duration:
15 minutes
5 minutes classroom discussion
5 minutes reflection/application to own workplace

Directions:
Review the template provided and start to complete areas 1-6 for your organization:
1) Organization's purpose/intended outcome(s) of its ISMS?
2) Internal issues relevant to question 1)?
3) External issues relevant to question 1)?
4) Processes, associated activities and functions that can impact information security?
5) Interfaces and dependencies between activities performed by the organization?
6) Interfaces and dependencies between activities performed by other organizations?

Activity 6 template

1) Organization's purpose/intended outcome(s) of its ISMS?

2) Internal issues relevant to question 1)?

3) External issues relevant to question 1)?

4) Processes, associated activities and functions that can impact information security?

5) Interfaces and dependencies between activities performed by the organization?

6) Interfaces and dependencies between activities performed by other organizations?

Clause 4: Context of the organization (4.2)

Determine: relevant interested parties and their needs
(Slide graphic: a word grid spelling DETERMINE, RELEVANT, INTERESTED, PARTIES, NEEDS)

As mentioned, there is a requirement to determine the relevant interested parties and the needs of these interested parties. Those needs and expectations may include legal and regulatory requirements and contractual obligations. These may depend on the type, size and industry sector the organization operates in. The 2022 edition also requires the organization to determine which of these requirements will be addressed through the ISMS.

See toolkit section:
7) *Understanding the Needs and Expectations of Interested Parties
8) Interested Parties Needs and Expectations - Summary (Source: Telstra Global)

Activity 7: Interested parties

Map across interested parties and determine requirements. Identify the individuals and/or entities who are affected by, and who affect, your ISMS.

Your organization (internal interested parties):
• Management: top management; those accountable for ISMS policy and implementation
• Those who implement and maintain the ISMS: those who maintain the ISMS and risk procedures
• Other staff
• Contractors

External interested parties:
• Citizens, customers, distributors
• Shareholders, investors, owners, insurers
• Government, regulators
• Recovery service suppliers
• Competitors, media, commentators, trade groups, neighbours, pressure groups
• Emergency services, other response agencies, transport services
• Staff dependents

Purpose:
Map across interested parties and determine requirements.

Duration:
15 minutes
5 minutes classroom discussion
5 minutes reflection/application to own workplace

Directions:
Please identify from the lists provided, and any others that you might wish to add:
1) Which interested parties would be relevant to your ISMS?
Please take into account those that you can affect, be affected by, or that perceive themselves to be affected by a decision or activity relating to your ISMS.
2) What do you believe the requirements of these interested parties might be, and how is your organization actually going to find out?


Clause 4.3: Determining the scope of the ISMS

• Boundaries – physical and organizational (including processes)
• Driven by requirements – legal/regulatory, interested parties, risk appetite
• Include activities that contribute to product/service delivery
• Clear statement, understood by all

Examples of scope statements are:
• All business functions in <HQ> and all regional offices
• Purchasing, manufacturing, storage and distribution, including completion of sales orders and despatch, in <HQ> and regional manufacturing sites only
• IT and HR processes within branch 1 and branch 2

All of the elements discussed in the previous slides will enable the organization to determine the boundaries and applicability of the ISMS to establish its scope. The scope shall be available as documented information.

See toolkit section:
9) *ISMS Scope Example

Activity 8: Write a scope

An ISMS scope – example:

The scope of the XXX ISMS applies to the provision of telephony services to customers from its head office in Birmingham. It covers the management of information and business activities that support these services, in accordance with the ISMS Statement of Applicability revision 03, dated 21/Sept/20xx.
The scope includes staff and assets that support this function based at the head office.
The scope also includes XXX's assets that support this function based at the following third-party data centre:
• Data Hosting, Wembley
The third-party data centre is covered by virtue of a contractual agreement which specifies XXX's security requirements; therefore, any aspect relating to the physical location (i.e. security and utilities) of this data centre will not form part of the scope.

Purpose:
Enable delegates to determine and write a scope for their own organization, by determining the boundaries and applicability of the ISMS.

Duration:
15 minutes
5 minutes classroom discussion
5 minutes reflection/application to own workplace

Directions:
After reviewing the sample scope provided in your Toolkit Section, please try a first attempt at drafting a scope for your ISMS. Write this on a flipchart so that all participants can feed back on it.

The Standard refers to 'determining the boundaries and applicability of the ISMS to establish its scope'.

Activity 6 (question 5) should assist you here.

Clause 5: Leadership (5.1)

Leadership and commitment

Top management set the culture of an organization.

Clause 5 looks at leadership; an element of that is Clause 5.1 Leadership and commitment, which identifies the requirements placed on top management.

Top management responsibility and commitment have been features of management system standards for many years; however, ISO/IEC 27001:2022 re-emphasises this in a more pronounced way, mandating specific ways in which commitment shall be demonstrated.

Top management set the culture of an organization. Employees are more likely to embrace information security if they see top management:
• Motivating and empowering persons to contribute to the effectiveness of the ISMS
• Establishing and integrating ISMS requirements into the organization's processes
• Reinforcing organizational accountability for information security management results
• Creating and maintaining an internal environment in which persons can become fully involved in achieving the organization's information security objectives
• Promoting continual improvement
• Leading by example and supporting other relevant management roles to demonstrate leadership as it applies to their areas of responsibility

Clause 5: Leadership (5.1), continued

Top management shall demonstrate their leadership and commitment through:
• Establishing an information security policy (subclause 5.2)
• Establishing information security objectives (subclause 6.2)
• Ensuring the resources needed for the ISMS are available
• Ensuring ISMS roles, responsibilities and authorities are assigned (subclause 5.3)
• Communicating the importance of effective information security management and of conforming to the ISMS requirements (subclause 5.1 d)

Having information security management at board level will ensure that a comprehensive approach is taken to managing and understanding risks across the organization.

Activity 9: Leadership and commitment

Purpose:
Establish how top management can demonstrate leadership and commitment.

Duration:
10 minutes
5 minutes classroom discussion
5 minutes reflection/application to own workplace

Directions:
• Review ISO/IEC 27001 Clause 5.1 Leadership and commitment
• Discuss, from the perspective of your own organizations, how top management can demonstrate leadership and commitment for the ISMS
• Record your findings; be prepared to feed back to the rest of the class

Clause 5: Leadership (5.2)

Establishing the information security policy and communicating it (the slide labels these 5.2.1 and 5.2.2; the Standard itself does not subdivide Clause 5.2)

Clause 5.2 looks at the requirements around an information security policy. Top management shall establish an information security policy that:
• Is appropriate to the purpose of the organization
• Includes information security objectives (Clause 6.2) or provides the framework for setting information security objectives
• Includes a commitment to satisfy applicable requirements related to information security
• Includes a commitment to continual improvement of the ISMS

Ideally the policy should outline the organization's information security purposes and should be no longer than two pages; anything longer and it is more than likely people will not read it.

Clause 5: Leadership (5.2), continued

The policy is required to be available as documented information, to be communicated within the organization and to be available to interested parties, as appropriate (e.g. customers, suppliers, the general public).

A policy will not be fully functioning unless it is communicated. How it is communicated will depend on the organization and its structure and culture. Methods for internal communication could be:
• Staff handbook
• Notice boards
• In-house magazines
• In-house training and induction
• Via the intranet

See toolkit section:
10) *Information Security Policy Example
11) Information Security Policy (Source: Telstra Global)

Activity 10: Create a policy

Purpose:
To give you the opportunity to create your own policy for your organization, and to realize how an information security policy can be established and documented.

Duration:
15 minutes
5 minutes classroom discussion
5 minutes reflection/application to own workplace

Directions:
After reviewing the sample policy provided, please try a first attempt at drafting a policy for your intended ISMS.

Activities 7, 8 and 9 should assist you here.

Clause 5: Leadership (5.3)

Roles, responsibilities and authorities

The final clause in Leadership is around organizational roles, responsibilities and authorities (Clause 5.3).

Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization. It is important that anyone who has been assigned responsibility for an activity understands what they have the authority to do, agree to, etc. For example, the information security manager may have responsibility for the day-to-day management of the ISMS but may not have the authority to approve or agree changes to the ISMS. Just because someone has responsibility does not automatically mean they have authority.

Responsibilities and authorities need to be assigned for:
• Ensuring that the ISMS conforms to the requirements of ISO/IEC 27001
• Reporting on the performance of the ISMS to top management

See toolkit section:
12) *Roles, Responsibilities and Authorities Example

Summary and review

Day 2: Welcome and learning objectives

Pick an area of the content covered on Day 1 of the course and come up with two or three questions to which you know the answer.

Ask your questions of others and provide answers to theirs.

Review of Day 1 and remaining learning objectives.

Module 3: Implementing Clause 6

Clause 6: Planning

Overall planning process (slide diagram):
Inputs: interested parties and their expectations; internal issues; external issues; ISMS boundaries and applicability
→ Consideration to determine risks and opportunities in relation to the ISMS
→ Define the information security risk assessment process
→ Undertake the risk assessment, producing documented information of the prioritized information security risks
→ Define the risk treatment process and determine the risk treatment options
→ Risk treatment plan
→ Establish information security objectives

Clause 6 ensures the organization has the building blocks in place to determine that the ISMS can achieve its intended outcome(s), by preventing or reducing undesired effects and achieving continual improvement. The planning clause identifies the processes that enable an organization to do this.

The diagram on this slide depicts the overall planning process, which includes determining the risks and opportunities that need to be addressed, undertaking the risk assessment and risk treatment processes, and then setting appropriate information security objectives and plans to achieve them.

(Please refer to References: Overall Planning Process)


Clause 6.1: Actions


to address risks and
opportunities
Preventative action is no longer referenced within
ISO/IEC 27001 but now comes under risks and
opportunities

Clause 4.1 – Internal and external issues

Clause 4.2 – Understanding the needs and


expectations of interested parties

.in
ac
cd
76
Copyright © 2022 BSI. All rights reserved.

c@
Clause 6.1 relates to Actions to address risks and opportunities. So what do we mean by
opportunities? Those of you that are familiar with other management systems may recall the term
jin
preventative action, i.e. an action to eliminate the cause of a potential non-conformity or other
hi
undesirable potential situation. Preventative action is no longer referenced within ISO/IEC 27001 but
now comes under risks and opportunities.
-s

When determining the risks and opportunities that need to be addressed, it is important for an
an

organization to consider its context, i.e. internal and external issues (Clause 4.1) and understanding
the needs and expectations of interested parties (Clause 4.2).
dr
an

The organization shall plan actions to address these risk and opportunities, as well as plan how to
integrate and implement these actions into the ISMS processes and evaluate the effectiveness of
ch

these actions.
ijin
sh

ISMS02001ENIN v2.0 Oct 2022 Copyright © 2022 BSI. All rights reserved. 76

shijin chandran - shijinc@cdac.in shijin chandran - shijinc@cdac.in shijin chandran - shijinc@cdac.in


shijin chandran - shijinc@cdac.in shijin chandran - shijinc@cdac.in shijin chandran - shijinc@cdac.in

Clause 6.1.2 Information security risk assessment

Establish and maintain information security risk criteria
  → Risk acceptance criteria
  → Criteria for performing RA
Identify information security risks (inputs: Asset inventory; Causes and sources of risk)
  → Identified information security risks
  → Risk owners
Analyze the information security risks
  → Determined level of risk based on consequence and likelihood
Evaluate information security risks
  → Risks prioritized for treatment
Documented information of risk assessment process

Organizations are required to plan how they will undertake risk assessments. An information security risk assessment process should be defined that includes criteria for accepting risks and when risk assessments should be performed, as well as ensuring that repeated information security risk assessments produce consistent, valid and comparable results.

So what do we mean by risk acceptance criteria? Criteria are used to help decide whether the risk is low enough to not require treating. For example, an organization may decide that any risks that fall below a certain score will be accepted without treatment, but will be monitored to ensure the risk score doesn’t change.

Clause 6.1.2 Information security risk assessment

• Significant changes to the business affecting information security (determined by management)
• A new contract involving bespoke information security requirements (determined by management)
• After an information security incident (single or series of unwanted or unexpected information security events)
• A period not exceeding 3 years

So, when should a risk assessment be undertaken? Clause 8.2 states that risk assessments should be performed at planned intervals or when significant changes are proposed or occur. Therefore an organization may decide to undertake a risk assessment when there are:
• Significant changes to the business affecting information security (determined by management)
• A new contract involving bespoke information security requirements (determined by management)
• After an information security incident (single or series of unwanted or unexpected information security events)
• A period not exceeding 3 years

(Please refer to References: Information security - Risk Assessment Process)

See toolkit section:
13) *Information Security Risk Assessment Procedure Example
14) Risk Management Policy (Source: Telstra Global)

Activity 11: Risk and criteria

After reviewing the sample information security risk assessment procedure provided in the toolkit, please try a first attempt at defining risk acceptance criteria and criteria for performing information security risk assessments for your intended ISMS.

Determine different types of risk criteria which will support decision-making. (20 minutes)

Activity 11: Risk criteria

Purpose:
To define risk criteria that ensure repeated information security risk assessments produce consistent, valid and comparable results.

Duration:
20 minutes
10 minutes classroom discussion
5 minutes reflection/application to own workplace

Directions:
After reviewing the sample information security risk assessment procedure provided in the toolkit, please try a first attempt at defining risk acceptance criteria and criteria for performing information security risk assessments for your intended ISMS.

See toolkit section:
13) *Information Security Risk Assessment Procedure Example

Risk Identification

 Asset Register
 Causes
 Sources

The risk assessment process should identify risks associated with the loss of confidentiality, integrity and availability (CIA) for information within the scope of the ISMS.

So how do you identify risks associated with the loss of CIA for information?

A risk is derived from various elements. Firstly, you need to know what information is within scope of the ISMS and where and how that information is processed, from creation all the way to destruction. An information asset register is a good way of identifying your information.

Risk identification also involves consideration of the sources and causes of risk (sometimes referred to as threats and vulnerabilities). The source/threat is a potential cause of an unwanted incident which may result in harm, e.g. loss of power, flooding. The cause/vulnerability is a weakness that can be exploited by one or more sources/threats.

Risk Identification

Each risk should be assigned an owner, who will be responsible for agreeing risk treatment and residual risk.

Therefore your risks may look something like this:
• Risk of unauthorised access to HR information stored in the HR Office, due to lack of access control measures.
• Risk of loss of customer information stored on the network drives, due to backup failure.

All this does is identify the risks; whether a risk is likely to happen, and the consequences that would result from it happening, are part of the analysis stage.

Each risk should be assigned an owner, who will be responsible for agreeing risk treatment and residual risk.

Please note this course only provides the foundations of how to undertake a risk assessment.

Risk Assessment Tools

Simple Risk Estimator

Likelihood         Consequence: Low    Medium         High
Likely             Low risk            Medium risk    High risk
Unlikely           Low risk            Medium risk    Medium risk
Highly unlikely    Low risk            Low risk       Medium risk

Once you have identified your information security risks you can now analyze the potential consequences if the risk materialized, referred to as the impact, and assess the likelihood (probability) of the occurrence of such a risk.

A simple way to do this is to use a risk level estimator, for example:

Impact:
• High - Loss of customer, breach of regulatory compliance, financial cost >$250k
• Medium - Customer service affected for 1 day, noncompliance with internal requirement, financial cost of $100k–$250k
• Low - Internal services affected, minor inconvenience to customer, financial cost <$100k

When analysing the likelihood of a risk occurring you will need to take into consideration whether similar incidents have occurred and if so, how often, and whether the items you are assessing are close to a source of risk, e.g. is the building located near a flood plain?

Likelihood:
• Highly Unlikely - Can assume it will not occur
• Unlikely - Seldom, could occur at some time
• Likely - Has happened before, has potential to happen

However, an organization will need to consider its own descriptions.

Risk Assessment Tools

                   Consequence: Less significant    Significant    …
Likelihood
Likely                          3                   6              9
Unlikely                        2                   4              6
Highly unlikely                 1                   2              3

Another approach to risk assessment is using numeric values rather than descriptions, but it is important for the person(s) undertaking the risk assessment to understand what a score means to the organization, so a combination of numbers and descriptions is often seen.

There is no single right way; you should understand the benefits of a common approach in your organization and adopt the most suitable approach.

A very important point: the approach selected always needs to be consistent and robust.

Once the risks have been analyzed the results should be compared with the risk criteria established, and risks should be prioritized for risk treatment.
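The identify, analyze and evaluate steps of the last few pages carried through in code, as an added example that is not part of the BSI workbook or its toolkit: the qualitative estimator and the numeric 3×3 scoring above are applied to the two example risks from the Risk Identification notes, each risk is then evaluated against a risk acceptance threshold and the rest are prioritized for treatment. The owners, the threshold value (accept scores of 2 or less) and the third risk are constructed for illustration.

```python
"""Risk register that applies the workbook's two estimators (qualitative matrix and
numeric score), evaluates each risk against risk acceptance criteria (Clause 6.1.2)
and prioritizes the remainder for treatment. Example code; values are constructed."""
from dataclasses import dataclass, field

# Scales from the slides. The ordinal value is the numeric approach:
# Highly unlikely = 1 ... Likely = 3; Low consequence = 1 ... High = 3.
LIKELIHOOD = {"Highly unlikely": 1, "Unlikely": 2, "Likely": 3}
CONSEQUENCE = {"Low": 1, "Medium": 2, "High": 3}

# The "Simple Risk Estimator" matrix, copied cell by cell from the slide.
QUALITATIVE = {
    ("Likely", "Low"): "Low risk",
    ("Likely", "Medium"): "Medium risk",
    ("Likely", "High"): "High risk",
    ("Unlikely", "Low"): "Low risk",
    ("Unlikely", "Medium"): "Medium risk",
    ("Unlikely", "High"): "Medium risk",
    ("Highly unlikely", "Low"): "Low risk",
    ("Highly unlikely", "Medium"): "Low risk",
    ("Highly unlikely", "High"): "Medium risk",
}


@dataclass
class Risk:
    ref: int
    details: str
    owner: str          # the risk owner who agrees treatment and residual risk
    likelihood: str
    consequence: str
    score: int = field(init=False)
    level: str = field(init=False)

    def __post_init__(self):
        # Only values from the agreed scales are allowed, so that repeated
        # assessments stay consistent and comparable.
        if self.likelihood not in LIKELIHOOD or self.consequence not in CONSEQUENCE:
            raise ValueError(f"risk {self.ref}: use the defined likelihood/consequence scales")
        self.score = LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]
        self.level = QUALITATIVE[(self.likelihood, self.consequence)]


@dataclass(frozen=True)
class RiskCriteria:
    """Risk acceptance criteria. Constructed threshold: scores at or below
    accept_at_or_below are accepted without treatment but monitored."""
    accept_at_or_below: int = 2


def evaluate(register, criteria):
    """Return (risks prioritized for treatment, highest score first; accepted risks)."""
    treat = sorted((r for r in register if r.score > criteria.accept_at_or_below),
                   key=lambda r: (-r.score, r.ref))
    monitor = [r for r in register if r.score <= criteria.accept_at_or_below]
    return treat, monitor


def scores_changed(previous, current):
    """Monitoring check for accepted risks: refs whose score differs from the
    previous assessment (both arguments map ref -> score)."""
    return [ref for ref, score in current.items() if previous.get(ref) != score]


def sample_register():
    # The two example risks from the workbook plus one constructed risk;
    # owners and ratings are constructed for illustration.
    return [
        Risk(1, "Unauthorised access to HR information stored in the HR Office, "
                "due to lack of access control measures", "Head of HR", "Likely", "High"),
        Risk(2, "Loss of customer information stored on the network drives, "
                "due to backup failure", "IT Manager", "Unlikely", "Medium"),
        Risk(3, "Constructed: loss of availability of the visitor sign-in tablet",
             "Facilities Manager", "Highly unlikely", "Low"),
    ]


if __name__ == "__main__":
    treat, monitor = evaluate(sample_register(), RiskCriteria())
    for r in treat:
        print(f"TREAT   #{r.ref} score={r.score} ({r.level}) owner={r.owner}")
    for r in monitor:
        print(f"MONITOR #{r.ref} score={r.score} ({r.level}) owner={r.owner}")
```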

Activity 12: Identify and analyze information security risks

Identify the risks that would compromise CIA of information and determine levels of these risks. (20 minutes)

Worksheet: NO. | Risk Details | Consequence | Likelihood | Risk Score (rows 1–10)

Activity 12: Identify and analyze information security risks

Purpose:
Determine the risks and opportunities associated with the scope and interested parties within the context of your organization.

Duration:
20 minutes
10 minutes classroom discussion
5 minutes reflection/application to own workplace

Directions:
Using the sample risk assessment procedure provided in the Toolkit:
• Identify 10 risks, considering the sources and causes of risk that may be applicable to your own organization
• Analyze those risks, to assess the potential impact that would result if the risk were to materialize
• Analyze those risks, to assess the realistic likelihood of the occurrence of the risks identified, to determine the levels of risk
• Evaluate the risks resulting from risk analysis against the risk criteria in the sample procedure, and prioritize the analyzed risks for treatment

Write up your prioritized risks for treatment in the space provided.

Worksheet (continued): NO. | Risk Details | Consequence | Likelihood | Risk Score

Please use the space provided to record your prioritized risks for treatment

Clause 6.1.3: Risk Treatment

Risk prioritized for treatment → Select appropriate risk treatment options
Controls from other sources; Designed controls → Determine all controls necessary to implement risk treatment options
Annex A → Compare controls with controls in Annex A to verify that no necessary controls have been omitted
  → Justification for inclusion (all controls)
  → Justification for exclusion (Annex A)
Produce statement of applicability → Statement of applicability
Formulate risk treatment plan → Risk treatment plan
Risk owners → Obtain risk owners’ approval → Documented information of risk treatment process

Taking into account the results from the risk assessment, the organization shall define and apply a risk treatment process to select appropriate risk treatment options and to determine all controls that are necessary to implement the risk treatment option chosen.

So what does this mean?

Risk Treatment
An organization, depending on its risk acceptance criteria, defined in Clause 6.1.2, can select one of a number of options to treat a risk. We will cover these options in more detail on the next slide.

Control
A control, which can be technical and/or organizational, if implemented, would reduce the likelihood of a risk materialising and/or its consequence.

Clause 6.1.3: Risk Treatment

Statement of Applicability

Risk treatment plan
• Actions
• Target dates
• Review dates
• Responsibilities

A Statement of Applicability (SoA) and a risk treatment plan (RTP) should be formulated, and risk owners’ approval shall be obtained for the risk treatment plan and acceptance of the residual risk. The risk treatment plan should ideally include actions to be taken, target dates for completion, review dates and responsibilities.

Note: The Standard aligns the risk assessment and risk treatment processes with ISO 31000 Risk management – Principles and guidelines.

(Please refer to References: Information security - Risk Treatment Process)

Risk Treatment Options

• Reduce/Treat
• Avoid/Terminate
• Accept/Tolerate
• Transfer/Share

The common risk treatment options are:
• Reduce/Treat – to change the likelihood of the risk occurring and/or its consequence, by implementing control measures
• Avoid/Terminate – to decide not to start or continue with the activity that gives rise to the risk
• Accept/Tolerate – to retain the risk by an informed decision
• Transfer/Share – sharing the risk with another party or parties through contracts and risk financing

ISO 27002:2022 – 93 controls and five searchable and selectable attributes

• The controls an organization adopts can be designed by the organization or identified from any source
• Any controls chosen must be compared with the list of controls in Annex A

The organization shall determine all controls that are necessary to implement the information security risk treatment options chosen.

A control* is: ‘measure that is modifying risk’

So what controls should be adopted?

The controls an organization adopts can be designed by the organization or identified from any source, e.g. legal or regulatory required controls, client-required controls, or even product- or service-specific controls. Any controls chosen must be compared with the list of controls in Annex A – Reference control objectives and controls of the Standard to verify that no necessary controls have been omitted.

ISO 27002:2022 – 93 controls and five searchable and selectable attributes

• Clause 5 - Organizational controls: 37 controls (34 existing, 3 new)
• Clause 6 - People controls: 8 controls (all existing)
• Clause 7 - Physical controls: 14 controls (13 existing, 1 new)
• Clause 8 - Technological controls: 34 controls (27 existing, 7 new)

Annex A of the standard has 4 different security control categories, namely:
• A.5: Organizational controls
• A.6: People controls
• A.7: Physical controls
• A.8: Technological controls

The order in which these categories are presented is not significant, and any other lists that exist within the standard are not presented in any kind of priority order.

Organizations should determine which categories and associated controls are important for them to implement based on the benefit obtained by doing so. If using this standard as an aid for implementing controls associated with an ISMS based on ISO/IEC 27001, then the management system requirement for controls will be based on a risk management process.

ISO 27002:2022 – 93 controls and five searchable and selectable attributes

Control attributes – Attribute values
• Control type – #Preventive, #Detective, #Corrective
• Information security property – #Confidentiality, #Integrity, #Availability
• Cybersecurity concepts – #Identify, #Protect, #Detect, #Respond, #Recover
• Operational capabilities – #Governance, #Asset_management, #Information_protection, #Human_resource_security, #Physical_security, #System_and_network_security, #Application_security, #Secure_configuration, #Identity_and_access_management, #Threat_and_vulnerability_management, #Continuity, #Supplier_relationships_security, #Legal_and_compliance, #Information_security_event_management, #Information_security_assurance
• Security domains – #Governance_and_Ecosystem, #Protection, #Defence, #Resilience

The categorization of the controls given in each clause is referred to as a theme. Within each theme, an organization can apply given attributes to allow them to manage their controls and present them to different audiences in different ways.

For each control, ISO/IEC 27002 provides extensive ‘implementation guidance’, and for certain controls, ‘other information’ which provides broader advice and considerations around that specific control.

There are a total of 93 controls spread over the four clauses. Of those 93 controls, 58 were in the previous edition of ISO 27002 but have been updated to reflect technology changes and different approaches.

24 controls have been merged to streamline the control set and link controls that are inextricably linked.

ISO 27002:2022 – 93 controls and five searchable and selectable attributes (control attribute table as on the previous page)

Each of the 93 controls can be tagged with five attribute types, as seen here. This allows the organization to manage, filter, sort, and present controls in different ways, as is needed by an organization. This can be done using a database or web-based application.

Each attribute value is preceded with a ‘#’ to make them searchable.

Control type:
Control type is designed to allow an organization to consider the control from the perspective of risk modification in relation to the occurrence of an information security incident.
• Preventative – Used to prevent the occurrence of an information security incident.
• Detective – Acts when the information security incident occurs.
• Corrective – The control acts after the information security incident occurs.

ISO 27002:2022 – 93 controls and five searchable and selectable attributes

• Cybersecurity concepts allows controls to be viewed in relation to the cybersecurity concepts
• Security domains are an attribute to view controls from the perspective of information security domains, expertise, services, and products

Information security properties relate to whether the control is preserving confidentiality, integrity, and/or availability.

Cybersecurity concepts allows controls to be viewed in relation to the cybersecurity concepts defined in the cybersecurity framework, as described in ISO/IEC TS 27110 and the NIST cybersecurity framework.

The operational capabilities attribute allows controls to be viewed from the practitioner’s perspective of information security capabilities and is similar to the clauses of the previous version of ISO/IEC 27002.

Security domains are an attribute to view controls from the perspective of information security domains, expertise, services, and products.

One of the ISO 27000 family’s strengths is its flexibility and its ability to be applied to any organization regardless of size, sector, or location. The five attributes we have discussed are considered generic enough to meet this brief. However, it is also understandable that these attributes may not go far enough, or may not be relevant, for a given organization.
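A small model of the five-attribute tagging described on the last three pages, as an added example that is not the workbook's or ISO's own code: the permitted ‘#’ values are the ones on the attribute table, a check rejects misspelt values and controls missing one of the five attribute types, and filter/group functions give the different views (by control type and cybersecurity concept, or by security domain) that the notes describe. The sample control numbers and titles are real ISO/IEC 27002:2022 controls, but the tags placed on them are constructed for illustration and are not copied from the standard.

```python
"""Tagging ISO/IEC 27002:2022 controls with the five searchable attributes, with a
vocabulary check and filter/group views. Example code; tag assignments are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# The five attribute types and their permitted values, as listed on the slide.
ATTRIBUTE_VALUES = {
    "Control type": {"#Preventive", "#Detective", "#Corrective"},
    "Information security property": {"#Confidentiality", "#Integrity", "#Availability"},
    "Cybersecurity concepts": {"#Identify", "#Protect", "#Detect", "#Respond", "#Recover"},
    "Operational capabilities": {
        "#Governance", "#Asset_management", "#Information_protection",
        "#Human_resource_security", "#Physical_security", "#System_and_network_security",
        "#Application_security", "#Secure_configuration", "#Identity_and_access_management",
        "#Threat_and_vulnerability_management", "#Continuity",
        "#Supplier_relationships_security", "#Legal_and_compliance",
        "#Information_security_event_management", "#Information_security_assurance"},
    "Security domains": {"#Governance_and_Ecosystem", "#Protection", "#Defence", "#Resilience"},
}
# Reverse index: which attribute type a given '#' value belongs to.
TAG_TO_ATTRIBUTE = {tag: attr for attr, tags in ATTRIBUTE_VALUES.items() for tag in tags}


@dataclass(frozen=True)
class Control:
    ref: str          # ISO/IEC 27002:2022 control number
    title: str
    tags: frozenset   # '#' values; at least one per attribute type


def validate(control):
    """Return a list of problems: unknown '#' values (typos) and attribute types
    with no value at all. An empty list means the tagging is complete."""
    problems, seen = [], set()
    for tag in control.tags:
        attr = TAG_TO_ATTRIBUTE.get(tag)
        if attr is None:
            problems.append(f"{control.ref}: unknown attribute value {tag}")
        else:
            seen.add(attr)
    for attr in ATTRIBUTE_VALUES:
        if attr not in seen:
            problems.append(f"{control.ref}: no value for '{attr}'")
    return problems


def select(controls, *tags):
    """Controls carrying every requested tag, e.g. select(cs, '#Detective', '#Detect')."""
    wanted = set(tags)
    return [c for c in controls if wanted <= c.tags]


def group_by(controls, attribute):
    """One list of control refs per value of one attribute type, for presenting the
    control set to an audience (a control with two values appears under both)."""
    groups = defaultdict(list)
    for c in controls:
        for tag in sorted(c.tags & ATTRIBUTE_VALUES[attribute]):
            groups[tag].append(c.ref)
    return dict(groups)


def sample_controls():
    # Real control numbers and titles; the attribute tags are constructed.
    return [
        Control("5.1", "Policies for information security", frozenset({
            "#Preventive", "#Confidentiality", "#Integrity", "#Availability", "#Identify",
            "#Governance", "#Governance_and_Ecosystem", "#Resilience"})),
        Control("8.7", "Protection against malware", frozenset({
            "#Preventive", "#Detective", "#Corrective", "#Confidentiality", "#Integrity",
            "#Availability", "#Protect", "#Detect", "#System_and_network_security",
            "#Information_protection", "#Protection", "#Defence"})),
        Control("8.15", "Logging", frozenset({
            "#Detective", "#Confidentiality", "#Integrity", "#Availability", "#Detect",
            "#Information_security_event_management", "#Protection", "#Defence"})),
        Control("8.16", "Monitoring activities", frozenset({
            "#Detective", "#Corrective", "#Confidentiality", "#Integrity", "#Availability",
            "#Detect", "#Respond", "#Information_security_event_management", "#Defence"})),
        # Deliberately mis-tagged: a misspelt control type and no cybersecurity concept.
        Control("7.4", "Physical security monitoring", frozenset({
            "#Prevenative", "#Detective", "#Confidentiality", "#Integrity", "#Availability",
            "#Physical_security", "#Protection", "#Defence"})),
    ]


if __name__ == "__main__":
    cs = sample_controls()
    for c in cs:
        for problem in validate(c):
            print("TAGGING PROBLEM:", problem)
    print("Detective controls supporting #Detect:",
          [c.ref for c in select(cs, "#Detective", "#Detect")])
    print("By security domain:", group_by(cs, "Security domains"))
```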

ISO 27002:2022 – 93 controls and five searchable and selectable attributes

• Organizations can develop their own attributes
• A SoA shall then be developed identifying all controls that have been selected
• Along with a justification for any controls included as well as those controls within Annex A that have been excluded

An organization can, therefore, choose to disregard one or all of these attributes. They may also wish to add attributes of their own. This may be based on control maturity, a risk event scenario, or top management priority.

It may well be that this may be used by industry bodies or trade associations to prioritize controls for a specific sector.

A statement of applicability (SoA) shall then be developed identifying all controls that have been selected, along with a justification for any controls included as well as those controls within Annex A that have been excluded.

*ISO/IEC 27000:2018 – Overview and vocabulary

See toolkit section:
15) *Statement of Applicability example

Useful Guidance on Risk

Risk analysis and management are key facets of any management system. Some useful standards are:
• ISO 31000 Risk management – Principles and guidelines
• IEC 31010 Risk management – Risk assessment techniques

For interested delegates, BSI has Risk Management 31000 courses on Understanding and on Implementation:

Understanding Risk Management - ISO 31000, RMG01001ENGX
As a proven methodology, risk management is a systematic framework and process for maximizing those areas where outcomes can be controlled while minimizing those that cannot be predicted, and over which control cannot be exercised.

Implementing Risk Management - ISO 31000, RMG02101ENGX

There are other standards that may be of use, depending on level of interest or need:
• ISO/IEC Guide 73 – Risk management vocabulary – Guidelines for use in standards
• BS 31100:2021 Risk management – Code of practice and guidance for the implementation of BS ISO 31000
• IEC 31010 – Provides details on risk assessment concepts, process, and selection/comparison of risk assessment tools/techniques

Activity 13: Risk treatment

Preparing a risk treatment plan as per Clause 6.1.3 and Clause 8.3. (20 minutes)

Worksheet: NO. | Risk Treatment Options | Controls Selected | Source? (rows 1–10)

Activity 13: Risk treatment

Purpose:
To enable delegates to identify appropriate risk treatment options and to determine all controls that are necessary to implement the risk treatment option chosen. Delegates will be required to consider designing controls, controls from other sources as well as those controls within Annex A.

Duration:
20 minutes
5 minutes classroom discussion/review model answers
5 minutes reflection/application to own workplace

Directions:
Use the prioritized risks from the previous activity (Activity 12) to:
• Select appropriate risk treatment options for your prioritized risks
• Identify appropriate controls that could be implemented to reduce the risks to an acceptable level for the organization
• Consider a risk treatment plan for one of your prioritized risks. Record your considerations in the space provided

Worksheet (continued): NO. | Risk Treatment Options | Controls Selected | Source?

ISO/IEC 27001:2022 Implementation Training Course

Please use the space below to record your considerations

.in
ac
cd
c@
jin
hi
-s
an
dr
an
ch
ijin
sh

ISMS02001ENIN v2.0 Oct 2022 Copyright © 2022 BSI. All rights reserved. 101

shijin chandran - shijinc@cdac.in shijin chandran - shijinc@cdac.in shijin chandran - shijinc@cdac.in


Establishing information security objectives

What are the internal and external issues?
What are the needs and expectations of interested parties?
What are the results from the risk assessment and risk treatment?
What are the technological options and the financial, operational and business requirements?
Are the objectives consistent with the IS policy?

The organization needs to establish information security objectives at relevant functions and levels. Objectives should include plans on how to achieve them as well as how the results will be evaluated.

Objectives are required to be documented and must identify:
• What will be done
• What resources will be required
• Who will be responsible
• When it will be completed
• How the results will be evaluated


Establishing information security objectives

Objectives:
Specific
Communicated
Updated

Objectives should be specific and targets should be measurable wherever practical and, where appropriate, should take into account applicable information security requirements and risk assessment and risk treatment results.

For example:
• Objective: Conduct a service continuity exercise with each customer
• Resources: IT Department, customer representatives, internal auditor, ‘Customer live’ and ‘Customer failover’ systems
• Responsible: IT Director
• When: Annually
• Monitoring: Internal auditor will be present to assess exercise objectives against actual exercise performance; results will be reviewed by the Information Security Manager and presented at the Management Review meetings.

Objectives need to be communicated and updated as appropriate. Documented information shall be retained.

See toolkit section:
16) *Information Security Objectives Example
17) Goals, Objectives, Strategies, Plans and Actions GOSPA (Source: Telstra Global)


Activity 14: Create information security objectives

Establishing information security objectives and planning to achieve them

After reviewing the sample objective provided, please try drafting 2 objectives for your intended ISMS (15 minutes)

Activity 14: Create information security objectives

Purpose:
Enable delegates to create information security objectives and an action plan

Duration:
15 minutes
5 minutes classroom discussion
5 minutes reflection/application to own workplace

Directions:
After reviewing the sample objective provided, please try drafting 2 objectives for your intended ISMS.
Activities 7, 8, 9 and 11 should assist you here.


Clause 6.3: Change management

The need for changes to the ISMS can arise in any part of the system, including:
External/internal issues of the organization
Requirements relevant to information security
Scope of the ISMS
Leadership
Risk and opportunities
Information security controls

Change management is a vital part of a robust ISMS, as the evolution of information security management and the changes happening within an organization’s context can be rapid in today’s world. The expectation in this clause is to plan change management before implementation, to ensure the purpose of the change is clear, its negative and positive consequences are considered and the integrity of the ISMS is preserved. The ‘Do’ part of the planned changes is implemented as per the requirements in Clause 8.1 of the standard.

Note: Clause 6.3 was added to the ISO/IEC 27001:2022 version of the standard.


Module 4: Implementing Clause 7 and 8


Clause 7: Support

Resources (7.1)
People
Systems
Financial

Clause 7 details the support required to establish, implement, maintain and continually improve the ISMS, including ensuring there are adequate resources not just at implementation time, but to ensure continued improvement of the ISMS. Resources can include people, systems and financial resources.

Any individual that has been allocated a role that could affect the information security performance needs to be assessed to ensure they possess the appropriate competence to undertake such a role. As we mentioned earlier, a project manager needs to be a good leader but there will be other competencies a project manager should have. Being competent is often seen as demonstrating or having the appropriate behaviours and skills.


Clause 7: Support

Competence (7.2)
Training
Mentoring
Re-assignment
Hiring

The organization will need to determine the competency required for roles and then assess the individuals allocated to those roles to ensure they possess the required competency. What competencies a role requires will need to be decided by the organization and can be demonstrated through education, training or experience. Where an individual is found not to meet the competency level required, the organization will need to devise an action plan to address the gap and then evaluate the effectiveness of those actions. Those actions may include training, mentoring, re-assignment of current employees or the hiring or contracting of competent persons.

The organization is required to retain appropriate documented information as evidence of competence.

See toolkit section:
18) *Competency Gap Analysis Example


Activity 15: Competency of individuals

Determine necessary competence for individuals, as everyone can have an effect on information security performance

Identify 5 core competency requirements for the 3 roles listed below (15 minutes)
• Member of an Information Security Management Forum (ISMF)
• Information Security Manager
• Internal Auditor

Activity 15: Competency of individuals

Purpose:
Enable delegates to identify core competency requirements for person(s) doing work under their control that affects information security performance.

Duration:
15 minutes
5 minutes classroom discussion/review model answers
5 minutes reflection/application to own workplace

Directions:
Using the space provided on the next slide, identify 5 core competency requirements for the 3 roles listed below.
• Member of an Information Security Management Forum (ISMF)
• Information Security Manager
• Internal Auditor


Member of an Information Security Management Forum (ISMF)

Information Security Manager

Internal Auditor


Clause 7: Support

Awareness (7.3)
Communications (7.4)

It is a requirement of the Standard that any persons doing work under the organization’s control shall be aware of:
• ISMS policy
• Their contribution to the effectiveness of the ISMS, including roles and responsibilities
• Implications of not conforming with the ISMS requirements

Awareness can take many forms: classroom style, e-learning, newsletters, signs, notice boards, emails. However, awareness is not a one-off exercise and will probably use many of the methods mentioned above.

When awareness takes place, and how, really leads on from Communication (Clause 7.4) and how an organization is going to communicate to both internal and external parties relevant to the ISMS. It’s important that people are kept informed of those aspects of the ISMS that affect them. If you inform everybody of everything, people will start to ignore communications because they will think it doesn’t apply to them. Therefore, decisions will need to be made on what needs to be communicated, when it should be communicated, how it will be communicated, to whom, as well as who will be responsible for those communications and what form of medium that communication will take.


Clause 7: Support

Documented information (7.5)
Have an appropriate identification and description
Be reviewed and approved for suitability and adequacy
Be available and suitable for use where and when it is needed
Be adequately protected
Be in the appropriate format for the organization, and media

The people responsible for the communication must be aware they are responsible and must have the appropriate competency to undertake the tasks allocated to them.

The final clause (in Clause 7) is around documented information. As covered briefly earlier, the Standard references elements that have to be available as documented information, i.e. information security policy, statement of applicability, as well as documented information applicable to the organization that is necessary for the ISMS to be fully effective.

Documented information needs to be controlled, so what does that mean? Well, documented information should:
• Have an appropriate identification and description (e.g. title, date, author, reference number)
• Be reviewed and approved for suitability and adequacy, where appropriate
• Be available and suitable for use where and when it is needed
• Be adequately protected, e.g. from loss of confidentiality, improper use or loss of integrity
• Be in the appropriate format for the organization (e.g. language, software, version, graphics) and media (e.g. paper, electronic)


Clause 7: Support

Classification
Distribution, access, retrieval and use
Storage and preservation
Control of changes
Retention and disposal

Therefore organizations should address the following, as applicable:
• Classification
• Distribution, access, retrieval and use
• Storage and preservation
• Control of changes
• Retention and disposal

See toolkit section:
19) *Communications Procedure Example
20) Control of Documented Information (Source: Telstra Global)


Activity 16: Create communication process

Establish a process which will fulfil the requirements of Clause 7.4 (15 minutes)

After reviewing the sample communications procedure provided, please try a first attempt at drafting a simple one of these for your intended ISMS

Activity 16: Create communication process

Purpose:
Enable delegates to create a simple communications process for their own organization

Duration:
15 minutes
5 minutes classroom discussion
5 minutes reflection/application to own workplace

Directions:
After reviewing the sample communications procedure provided, please try a first attempt at drafting a simple one of these for your intended ISMS. Activities 7, 8, 9, 11 and 15 should assist you here.


Clause 8: Operation

Operational planning and control (8.1)
Information security risk assessment (8.2)
Information security risk treatment (8.3)

Clause 8 is closely linked to Clause 6 Planning. The processes determined in Clause 6 will be put into operation in Clause 8, i.e. the Standard requires that organizations plan, implement and control those processes needed to address risks and opportunities.

Most importantly this will include:
• Establishing criteria for those processes
• Implementing the control of these processes in accordance with the criteria
• Keeping documented information to demonstrate that the processes have been carried out as planned
• Controlling planned changes and reviewing the consequences of unintended changes
• Ensuring outsourced processes are controlled

The tutor will specifically elaborate on the last two bullet points above.

We are not going to cover this clause in any detail as we covered most of it during Clause 6 Planning.


Module 5: Implementing Clause 9 and 10


Clause 9: Performance Evaluation

9.1 Monitoring, measurement, analysis and evaluation
Determine what needs to be monitored and measured
Determine the methods for monitoring, measuring, analysis and evaluation

Clause 9.1 is about the organization’s evaluation of its information security performance and the effectiveness of the ISMS.

The organization needs to determine what needs to be monitored and measured; this should include information security processes and controls. The methods chosen by an organization for undertaking the monitoring, measuring, analysis and evaluation must produce comparable and reproducible results to be considered valid.

In addition, the organization should determine when the monitoring and measuring shall be performed, who shall monitor and measure, when the results will be analyzed and evaluated and by whom. Your organization may require processes for legal and regulatory monitoring.


Clause 9: Performance Evaluation

Example:
The organization has a requirement to ensure that all new starters attend awareness training within 3 days of starting
Therefore, when someone has attended training, their training record is updated by the training team
Every quarter, the Training Administrator, who is responsible for the monitoring and measuring, runs a report of people that have attended awareness training; this report will also show the date the person started with the organization
Every quarter, the HR Manager will analyze these results to evaluate whether new starters are attending awareness training within the 3 days of starting and will report any conformance/non-conformance to Management via the quarterly management report

An example of a security control that could be measured is:
The organization has a requirement to ensure that all new starters attend awareness training within 3 days of starting. Therefore, when someone has attended training, their training record is updated by the training team. Every quarter the Training Administrator, who is responsible for the monitoring and measuring, runs a report of people that have attended awareness training; this report will also show the date the person started with the organization. Every quarter, the HR Manager will analyze these results to evaluate whether new starters are attending awareness training within the 3 days of starting and will report any conformance/non-conformance to Management via the quarterly management report.

Appropriate documented information should be retained as evidence of the results.

See toolkit section:
21) *ISMS Monitoring and Measurement Example
22) Performance Monitoring Policy (Source: Telstra Global)
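The measurement described in the example above, worked through as a small Python script. This is an added illustration and is not part of the workbook or of the BSI toolkit; the roster, names and dates in it are constructed. It reproduces the Training Administrator's quarterly run (only people who started in the quarter are in scope), applies the 3-day rule exactly (3 days counts as conformant; a starter with no training record counts as nonconformant once the 3 days have passed, and as still within the window otherwise), and returns a per-person list plus a summary the HR Manager can compare quarter on quarter, which is what Clause 9.1 means by comparable and reproducible results.

```python
"""Clause 9.1 worked example: did every new starter attend awareness training
within 3 days of starting? Run as a reproducible quarterly report.

All names, dates and the roster below are constructed for this illustration;
they are not from the workbook or the BSI toolkit."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# The requirement stated in the example: training within 3 days of starting.
TRAINING_DEADLINE = timedelta(days=3)


@dataclass(frozen=True)
class Starter:
    """One row of the Training Administrator's report: the HR start date
    joined to the training record (None when no attendance is recorded)."""
    name: str
    start_date: date
    training_date: Optional[date]


@dataclass(frozen=True)
class Finding:
    name: str
    status: str               # "conformant", "nonconformant" or "not yet trained"
    days_to_train: Optional[int]


def assess(starter: Starter, as_of: date) -> Finding:
    """Apply the 3-day rule to one starter as of the report date.

    Exactly 3 days counts as conformant. A starter with no training record is
    nonconformant once more than 3 days have passed since they started, and
    'not yet trained' (still inside the window) otherwise."""
    if starter.training_date is None:
        if as_of - starter.start_date > TRAINING_DEADLINE:
            return Finding(starter.name, "nonconformant", None)
        return Finding(starter.name, "not yet trained", None)
    delta = starter.training_date - starter.start_date
    status = "conformant" if delta <= TRAINING_DEADLINE else "nonconformant"
    return Finding(starter.name, status, delta.days)


def quarterly_report(starters: List[Starter], quarter_start: date,
                     quarter_end: date, as_of: date) -> Tuple[List[Finding], Dict]:
    """The Training Administrator's quarterly run: only people who started in
    the quarter are in scope. Returns per-person findings and a summary the
    HR Manager can compare quarter on quarter (same inputs give the same numbers)."""
    in_scope = [s for s in starters if quarter_start <= s.start_date <= quarter_end]
    findings = [assess(s, as_of) for s in in_scope]
    counts = {"conformant": 0, "nonconformant": 0, "not yet trained": 0}
    for f in findings:
        counts[f.status] += 1
    measured = counts["conformant"] + counts["nonconformant"]
    rate = counts["conformant"] / measured if measured else None
    summary = {"in_scope": len(in_scope), **counts, "conformance_rate": rate}
    return findings, summary


# Constructed sample roster (hypothetical names and dates).
SAMPLE_STARTERS = [
    Starter("A. Example", date(2022, 10, 3), date(2022, 10, 5)),    # 2 days: conformant
    Starter("B. Example", date(2022, 10, 10), date(2022, 10, 13)),  # exactly 3 days: conformant
    Starter("C. Example", date(2022, 10, 17), date(2022, 10, 24)),  # 7 days: nonconformant
    Starter("D. Example", date(2022, 11, 7), None),                 # no record, window passed: nonconformant
    Starter("E. Example", date(2022, 12, 29), None),                # started 2 days before the run: still in window
    Starter("F. Example", date(2022, 9, 26), date(2022, 9, 27)),    # previous quarter: out of scope
]


def run_example() -> Tuple[List[Finding], Dict]:
    """Q4 2022 report, run on the last day of the quarter."""
    return quarterly_report(SAMPLE_STARTERS, date(2022, 10, 1),
                            date(2022, 12, 31), date(2022, 12, 31))


if __name__ == "__main__":
    findings, summary = run_example()
    for f in findings:
        print(f"{f.name:12} {f.status:16} days_to_train={f.days_to_train}")
    print(summary)
```

The "not yet trained" status is deliberately kept separate from the conformance rate: counting a starter who joined two days before the report as a failure would make the quarterly figures depend on the run date rather than on the control, which is exactly the kind of non-comparable result Clause 9.1 warns against.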




Activity 17: Monitoring and measurement

1) What exactly would you monitor and measure?
2) What methods would you use for monitoring, measuring, analysis and evaluation?
3) When will the monitoring and measuring be performed?
4) When will the results from the monitoring and measurement be analyzed and evaluated?
(10 minutes)

Activity 17: Monitoring and measurement

(Part 1)
Purpose:
Review and identify monitoring/measurement activities within ISO/IEC 27001.

Duration:
10 minutes
5 minutes classroom discussion
5 minutes reflection/application to own workplace

Directions:
Using your copy of ISO/IEC 27001, identify what would need monitoring, measuring, analyzing and evaluating within the Standard.

(Part 2)
Purpose:
Review and identify monitoring/measurement activities for specific requirements/criteria or controls.

Duration:
10 minutes
5 minutes classroom discussion

Directions:
Considering one item identified from the last activity, or a specific control you have in mind, determine:


1) What exactly would you monitor and measure?

2) What methods would you use for monitoring, measuring, analysis and evaluation?

3) When will the monitoring and measuring be performed?

4) When will the results from the monitoring and measurement be analyzed and evaluated?


Clause 9: Performance Evaluation

Internal Audit (9.2)
Management Review (9.3)

As with other management system standards, internal audits and management review continue to be key methods of reviewing the performance of the ISMS and tools for its continual improvement.

Clause 9.2.1 General: Internal audits shall be conducted at planned intervals to provide information on whether the ISMS conforms to the requirements of the Standard and to the requirements of the organization. Therefore, an audit programme should be established which takes into consideration the importance of the processes concerned and shall ensure that all areas of the ISMS are audited. However, it is likely that key or high risk areas will be audited more frequently. The audit programme can include a mixture of process, function and control audits, e.g.:
• An organizational function or area, e.g. Finance, IT, HR
• A process or activity, e.g. recruitment, incident management, financial reporting
• A control, e.g. protecting against malicious code


Clause 9: Performance Evaluation

Management Review (9.3)
Continuing suitability, adequacy and effectiveness by reviewing nonconformities, corrective actions, audit results, monitoring and measurement results, reviewing the status of information security objectives
Identify opportunities for continual improvement which could include feedback from interested parties and results from risk assessments

Clause 9.2.2 Audit programme: The audit programme shall include the frequency of audits, the methods used for auditing as well as the planning and reporting requirements.

The final clause in this section is Management Review (9.3).
In order to ensure an effective management system, ISO/IEC 27001 identifies the need for a periodic management review to:
• Ensure its continuing suitability, adequacy and effectiveness by reviewing nonconformities, corrective actions, audit results, monitoring and measurement results, reviewing the status of information security objectives
• Identify opportunities for continual improvement which could include feedback from interested parties and results from risk assessments

See toolkit section:
23) Internal Audit Policy (Source: Telstra Global)


Management Review (9.3)
General (9.3.1)
Management review inputs (9.3.2)
Management review outputs (9.3.3)

What has been achieved?
• Audits - Internal - External
• Actions Outstanding
• Objectives and Targets
• New Technologies
• Operational Control Review
• Legal Compliance
• Policy
• Training Needs
• ISMS Performance

What needs to change?
Improvement action plan

It is important for management to review the ISMS to determine whether it’s still effective. In simple terms, management review can be seen as a gap analysis between what the business has said will happen (policy, objectives, processes etc.) and what is actually happening. Management reviews shall be undertaken at planned intervals. If your organization already has management meetings taking place then Information Security could be added as an agenda item, rather than scheduling a separate meeting just for information security.

Organizations may prefer to hold regular operational meetings to review and discuss elements of the ISMS with key personnel representing all areas of the business within scope. This may enable the organization to undertake a management review less often. During the ISMS implementation stages more regular meetings may be required as there are a significant number of decisions to be made and actions to be agreed, but once the ISMS is established these meetings could become less frequent.


Management Review (9.3)

Important issues to the business

It’s important to note that implementing an ISMS isn’t about saying you won’t have any breaches, but it’s about managing and minimizing the risks and impacts in a structured, effective way

Conducting a Management Review will ensure that you know which issues are important to the business. Without knowing this, you could be wasting time, effort and money on addressing the lower risk activities rather than focusing on the high impact, high risk activities.

So not having an ISMS can make managing your IS performance less effective. This could lead to more breaches and more fines, and less effective use of resources. It is important to note that implementing an ISMS is not about saying you won’t have any breaches, but it is about managing and minimizing the risks and impacts in a structured, effective way.

See toolkit section:
24) Management Review Process - Example
25) ISMS Management Review Policy (Source: Telstra Global)


Clause 10: Improvement

Continual improvement (10.1)
Nonconformity and corrective action (10.2)

When a nonconformity, i.e. a non-fulfilment of a requirement, occurs, the organization needs to have processes in place to detect it and respond to it. Organizations should look to implement an event and/or incident reporting process to ensure that nonconformities are reported to the correct people in a timely manner so appropriate actions can be taken. Nonconformities of the ISMS have to be dealt with and, together with corrective actions, a re-occurrence prevented.

It is important for an organization to identify why a nonconformity occurred. Was it because, as an example, there is a weakness in the control the organization implemented? If so, why? Had the risk assessment not determined the level of control required?

When investigating nonconformities the organization should continue to ask why something has happened to determine the root cause of the problem rather than just treating the symptom. Once the organization is aware of the root cause it will then be able to determine if similar nonconformities exist or could potentially occur.


shijin chandran - shijinc@cdac.in shijin chandran - shijinc@cdac.in shijin chandran - shijinc@cdac.in

ISO/IEC 27001:2022 Implementation Training Course

Clause 10: Improvement


Organization

Corrective action

Retain documented information

Evidence

.in
ac
cd
126
Copyright © 2022 BSI. All rights reserved.

c@
Once it is known why something has happened, the organization can identify what the corrective action should be. It is always possible that multiple corrective actions will be required to treat a single nonconformity. Corrective actions should be reviewed to ensure they have been effective. Documented information should be retained as evidence of the nonconformity and corrective actions.

See toolkit section:

26) *Nonconformity and Corrective Action Procedure - Example


Continual improvement (10.1)

“Recurring activity to enhance performance”
ISO/IEC 27000

The final requirement of the Standard is continual improvement. As with all management system standards, continual improvement is a core requirement of the Standard.

The continual improvement process can be broken down into a series of identifiable actions:

• Find opportunities to improve the ISMS
• Identify possible solutions
• Implement solutions
• Measure effectiveness of actions taken
• Undertake corrective action if needed
• Document changes and make sure those who need to know do know

See toolkit section:

27) Continual Improvement Action Management (Source: Telstra Global)


Activity 18: Continual improvement process

Grasp the knowledge on the benefits of improving information security performance

1) In your pairs, as directed by the tutor, please try and identify a range of continual improvement processes that need implementing within ISO/IEC 27001, which should have an impact on information security performance

2) Once you have done this, select two or three and draw some pictures on a flipchart, as if you were explaining to your colleagues back at work how these work and how they could be implemented within existing systems of the organization

3) Finally, try and answer the above question from your responses – the tutor will ask a selected pair to explain

Purpose:
To enable delegates to answer questions like: ‘How is this system going to improve our information security performance and therefore its benefit to us?’

Duration:
10 minutes
5 minutes classroom discussion/review model answers
5 minutes reflection/application to own workplace

Directions:
Please answer the three supplied questions


1) Please try and identify a range of continual improvement processes that need implementing within ISO/IEC 27001, which should have an impact on information security performance. Write them in the space below.

2) Once you have done this, select two or three and draw some pictures on a flipchart, as if you were explaining to your colleagues back at work how these work, and how they could be implemented within existing systems of the organization.

3) Finally, try and answer the above question from your responses – the tutor will ask a selected pair to explain.


Integration - High-level Structure Diagram

[Figure: PAS 99:2012 high-level structure. INPUT: customers' and stakeholders' requirements and expectations; records management. Central elements: Context of the organization, Leadership, Planning, Support, Operation, Performance evaluation, Improvement. OUTPUT: right managerial decisions to achieve policy; customers' and stakeholders' expectations; quality records.]

This is a diagram from PAS 99:2012 and shows the new high-level structure for all new/revised management system standards.

Therefore it is now possible to integrate many elements of your ISMS into other management systems, such as ISO 45001, ISO 9001, ISO 22301, etc.

The key common elements are all shown above.


Strategy for Implementation

“To meet the requirements of a specific MSS it will be necessary to carry out an analysis of each of the requirements in detail and compare them with those that have already been incorporated in the integrated system. Even elements which are considered common can have subtle differences within the content of the individual standard”
(PAS 99:2012 Introduction)

Please be aware though: ‘Even elements which are considered common can have subtle differences within the content of the individual standard’.


Module 6: Course review and final questions



Overall project management process and link to PDCA

[Figure: implementation process flowchart. Key: Normal Route / Potential Route; swimlanes for Top Management and Management Representative or Team. Steps: Commitment to implement? (No: END). Yes: identify organizational goals for the management system; understand ISO/IEC 27001 requirements and legal requirements, and review available guidance; appoint a management representative or team; baseline review: identify minimum documentation requirements and conduct baseline gap analysis; consider certification; communicate interest to the business; identify project milestones; create Gantt chart; estimate costs and secure resources; approve and communicate the implementation plan (PLAN); support project, implement the plan, operate the system, monitor project (DO); monitor, measure, analyse and evaluate (CHECK); management review: implementation complete? (ACT; No: return to the plan). Yes: prepare for certification; maintain and continually improve the system.

Note on the diagram: This process is meant to be used only as an example for descriptive purposes. Your implementation process should be modified and developed to suit your business as appropriate, including consideration of scale, style, culture and complexity.]

During this course you have worked through a typical framework for implementing ISO/IEC 27001 following the PDCA cycle, and have conducted a baseline review of your organization’s current position with regards to ISO/IEC 27001.

You have identified project milestones and created a Gantt chart/task sheet. You have looked at the requirements of ISO/IEC 27001 from an implementation perspective in the context of your organization, from understanding the context of the organization through to continual improvement.

(Please refer to References: Overall Project Management Process and link to PDCA)


Review and final questions

The learning objectives identified at the beginning of the course were to:

• Explain key elements of a management system implementation process
• Identify a typical framework for implementing ISO/IEC 27001 following the PDCA cycle
• Conduct a baseline review of the organization’s current position with regard to ISO/IEC 27001
• Interpret the requirements of ISO/IEC 27001 from an implementation perspective in the context of their organization
• Implement key elements of ISO/IEC 27001


Summary

The Standard’s requirements start with understanding the organization and its context, which includes internal and external issues and the information security requirements of interested parties. Top management commitment and leadership are key, and management must ensure that appropriate resources are available, as well as directing and supporting individuals to contribute to the effectiveness of the ISMS.

Processes should be in place to address risks and opportunities. Processes need to define criteria for performing information security risk assessments as well as for selecting appropriate information security risk treatment options and establishing information security objectives at relevant functions and levels. Controls should be determined to implement the risk treatment options chosen, including comparing them with the controls in Annex A to ensure no necessary controls have been overlooked.

Resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS should be determined. Any person doing work under the organization’s control that affects its information security performance should be competent and made aware of the information security policy through appropriate communications. The ISMS shall include documented information required by the Standard, as well as documented information determined necessary by the organization, all of which shall be controlled.

The organization shall perform information security risk assessments and implement risk treatment plans in accordance with the criteria identified during the planning stage.

The performance of information security and the effectiveness of the ISMS shall be evaluated through appropriate monitoring, measurement, analysis and evaluation methods. Internal audits shall be conducted at planned intervals to ensure the ISMS conforms to the organization’s and the Standard’s requirements. Top management shall review the ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

Processes should be implemented to enable organizations to react to a nonconformity, evaluate it and implement appropriate corrective actions.

Organizations shall continually improve the suitability, adequacy and effectiveness of the ISMS.


Thank you for participating

Address: BSI
Telephone:
Fax:
Email: <general training email>@bsigroup.com
Links: http://<local web address>

Add local/country contact information

