Scribd Logo
Upload

Welcome to Scribd!

  • ISO27001 LI Procedure

    Uploaded by

    Yadnesh Charekar
    3 views4 pages

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    3 views4 pages

    ISO27001 LI Procedure

    Uploaded by

    Yadnesh Charekar

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 4

    ISO 27001 Implementation

    1. Gain Leadership Support:


     Secure Management Buy-In: Convince top management about the importance and benefits
    of ISO 27001 compliance. Obtain commitment and resources for the implementation
    process.

    2. Establish the ISMS Framework:


    1. Define the Scope:

    Steps:

     Identify the scope in terms of departments, systems, processes, and physical locations.

     Document the scope statement indicating what is included and excluded from the ISMS.

    2. Appoint Roles and Responsibilities:

    Steps:

     Identify key stakeholders and their roles related to information security.

     Define responsibilities for implementing security measures, conducting risk assessments,


    managing documentation, etc.

     Appoint an Information Security Manager or team responsible for overseeing the ISMS.

    3. Establish Information Security Policies:

    Steps:

     Create an Information Security Policy document outlining objectives, commitment, and


    expectations regarding information security.

     Ensure the policy is endorsed and communicated across the organization.

     Align the policy with the organization's goals and compliance requirements.

    4. Conduct Risk Assessment:

    Steps:

     Identify assets: List all information assets (e.g., data, systems, processes).

     Assess risks: Evaluate threats, vulnerabilities, and potential impacts on the organization.

     Prioritize risks: Rank risks based on their likelihood and potential impact.
    5. Develop Risk Treatment Plan:

    Steps:

     Select risk treatment options: Determine how to address identified risks (e.g., apply controls,
    transfer risks, avoid risks).

     Create an action plan: Detail specific actions, responsibilities, timelines, and resources
    required to mitigate or manage risks.

    6. Implement Security Controls

    Steps:

     Select controls: Refer to Annex A of ISO 27001 and the Statement of Applicability to choose
    relevant controls.

     Deploy controls: Put in place technical, administrative, and physical controls as necessary to
    address identified risks.

    7. Establish Documentation:

    Steps:

     Develop policies, procedures, guidelines, and work instructions related to information


    security.

     Establish a document control system to manage and update ISMS documentation.

     Ensure easy accessibility of documents to relevant personnel.

    8. Implement continuous Monitoring and Improvement:

    Steps:

     Establish regular audits and reviews to evaluate the effectiveness of the ISMS.

     Use feedback and findings to identify areas for improvement.

     Update policies, controls, and processes based on lessons learned and changing security
    requirements.

    3. Perform Initial Gap Analysis:


    Steps:

     Review ISO 27001 Requirements: Study the Standard.

     Assess Current Practices: Evaluate existing information security policies, procedures, and
    controls in place within the organization.
     Identify Discrepancies: Compare existing practices against ISO 27001 requirements to
    pinpoint gaps and areas lacking compliance.

     Document Findings: Record identified gaps, deficiencies, and areas requiring improvement in
    a clear and structured manner.

     Prioritize Actions: Rank identified gaps based on their significance and potential risk impact,
    creating a prioritized action plan for addressing deficiencies.

    4. Develop an Implementation Plan:


     Create a Project Plan: Outline a comprehensive plan detailing tasks, timelines,
    responsibilities, and resources required for ISO 27001 implementation.
     Allocate Resources: Allocate necessary resources (financial, human, technological) for
    effective implementation.

    5. Create Policies and Procedures:


    Policies and Procedures required to be created mandatorily -

    6. Define the SoA (Statement of Applicability):


     Identify Applicable Controls: Determine which controls from Annex A of ISO 27001 are
    relevant and necessary for your organization.

     Document the SoA: Create a comprehensive document outlining the selected controls and
    justifications for their inclusion or exclusion.

    7. Training and Awareness:


     Training Programs: Conduct training sessions for employees to raise awareness about
    information security practices and their roles in complying with ISO 27001.
     Communication Plan: Establish effective communication channels to disseminate
    information about the ISMS implementation.
    8. Prepare for Internal Audits:
     Plan Internal Audits: Develop an internal audit schedule to assess the effectiveness of
    implemented controls and processes.

    9. Review and Improve:


     Establish Review Mechanisms: Set up regular reviews to assess the performance of the ISMS
    and identify areas for improvement.
     Continual Improvement: Encourage a culture of continual improvement within the
    organization's information security practices.

    You might also like