<Logo> <Company Name>

ISMS Manual

Organization:

Department:

Section: Sheet: 1 of 17

Contents
1. Scope ... 3
2. Normative references ... 4
3. Definitions ... 4
4. Context of the Organization ... 4
4.1 Understanding the organization and its context ... 5
4.2 Understanding the needs and expectations of interested parties ... 5
4.3 Determining the scope of the Information Security Management System ... 6
4.4 Information Security Management System ... 7
5. Leadership ... 7
5.1 Leadership and Commitment ... 7
5.2 Policy ... 8
5.3 Organizational roles, responsibilities, and authorities ... 9
6. Planning ... 9
6.1 Actions to address risks and opportunities ... 9
6.1.1 General ... 9
6.1.2 Information Security Risk Assessment ... 10
6.1.3 Information Security Risk Treatment ... 10
6.1.4 Information security objectives and planning ... 11
7. Support ... 11
7.1 Resources ... 11
7.2 Competence ... 11
7.3 Awareness ... 12
7.4 Communication ... 12
8. Documented Information ... 13
8.1 General ... 13
8.2 Creating and Updating ... 13
8.3 Control of documented information ... 13
9. Operation ... 14
9.1 Operational Planning and Control ... 14
10. Performance Evaluation ... 15
10.1 Monitoring, measurement, analysis, and evaluation ... 15
10.2 Internal Audit ... 15
10.3 Management Review ... 16
11. Improvement ... 16
11.1 Nonconformity and corrective action ... 16
11.2 Continual improvement ... 16

Document No: Sheet: 1 of 17
Revision No: Issue Date: xx-xxx-xx

DOCUMENT REVISION CONTROL

REVISION HISTORY

Date Author Version Change Reference

REVIEWERS

Name Position Date

DISTRIBUTION

Date Distributed to Version Distribution Format

1. Scope

This section of the manual provides an overview of the controls for information security
management as specified in ISO/IEC 27001:2013. The controls are intended to provide a
framework for organizations to use when implementing and managing an information
security management system.

The [The Time to Reply Ltd.] Information Security Management System (ISMS) will be a
comprehensive and overarching system that encompasses all aspects of the company. This
will include:

 All administrative, IT, sales, and operational functions.
 The management of employee and contractor records, as well as customer commercial
records.
 Operational records for customers, sub-contractors, staff, contractors, and subjects of
customer interest.
 All sub-contractors that hold or process information related to the above.

2. Normative references

This section includes the normative references for ISO/IEC 27001:2013. A normative
reference is a source of requirements that must be followed in order to comply with the
standard. ISO/IEC 27001:2013 itself lists a single normative reference, ISO/IEC 27000
(Information security management systems: Overview and vocabulary), and the
documents included in this section are essential for understanding and implementing the
requirements of ISO/IEC 27001:2013.

3. Definitions

In order to understand the requirements of ISO/IEC 27001:2013 and ISO/IEC 27002:2013, it is
important to be familiar with the definitions used in these standards. This document
provides definitions for terms which are used in ISO/IEC 27001:2013 or ISO/IEC 27002:2013
and which are not defined in ISO/IEC 27000:2012. In particular, this document defines the
Information Security Management System ("ISMS") as the part of the organization's overall
management system that encompasses its organizational structure, policies, planning
activities, plans, processes, and procedures related to information security.
The ISMS is also responsible for the management of information security risks and the
implementation of countermeasures to address these risks. Furthermore, the ISMS must be
able to demonstrate that it meets the requirements of ISO/IEC 27001:2013; ISO/IEC
27002:2013 is a code of practice that provides implementation guidance for the Annex A
controls rather than a set of certifiable requirements.

4. Context of the Organization

4.1 Understanding the organization and its context

The organizational context of [Organization Name] includes the external and internal issues
relevant to the Information Security Management System (ISMS). Besides being a
requirement of the standard (clause 4.1), understanding this context is what makes the
scope of the ISMS defensible. Clause 4 mandates that an organization define the scope of its
ISMS: it must assess its own needs and expectations, as well as those of interested parties, in
order to determine that scope. The "context" clause therefore requires a grasp of the
organization and its needs, the identification of external and internal issues, and the
consideration of interested parties and their requirements.
[Name] is the CEO of [Organization Name].
[Name] is a member of the Board of Directors of [Organization Name].
In order to protect information, [Organization Name] has implemented an Information
Security Management System (ISMS) that meets or exceeds the minimum requirements set
forth by our clients. The ISMS is tailored specifically to [Organization Name]'s needs and
helps ensure that the data it holds remains secure.

4.2 Understanding the needs and expectations of interested parties

In order to ensure compliance with information security management system
requirements, it is important to work with all interested parties. This includes Cognitive
employees, subcontractors, customer organizations, and any other entities who have access
to client data and with whom Cognitive may be required to interface in the course of service
delivery. While some legal or regulatory requirements are applicable to all interested
parties, customer agreements may contain contract- or agency-specific information
security requirements. It is therefore essential that Cognitive management reviews and
understands any agency- or contract-specific information security requirements prior to
initiating service delivery.

# | Stakeholders | Internal/External | Issues
1 | Management | Internal | Resource availability, organization structure, roles and accountabilities, and strategies.
2 | Employees | Internal | Fulfillment of commitments, adherence to organization policies, processes, and guidelines, and ensuring seamless, uninterrupted operations. Employees need to be able to rely on their organization to fulfill its commitments, both in terms of policy and process.
3 | HR | Internal | Resource availability, resource competence, training, background verification, etc.
4 | Government | External | Fulfilling legal and regulatory requirements.
5 | Vendors | External | Supply of goods and services to enable the organization to meet the requirements of the customer. Compliance with relevant legal, statutory, and contractual requirements.
6 | Society and environment | External | Natural and competitive environment, key drivers and trends having an impact on the objectives of the organization, political and financial status of the country.

4.3 Determining the scope of the Information Security Management System

It is important to understand the scope of registration. This document defines the
boundaries within which the ISMS is implemented and operated. In this case, the
[Organization Name] headquarters location is included in the scope of registration.
Our team works diligently to ensure that our clients receive information security solutions
that meet or exceed industry standards.
Because the information assurance and risk assessment work follows those parts of the
organization that need to be protected, the organization, its subsidiaries, divisions,
departments, products, services, physical locations, mobile workers, geographies, systems,
and processes were all considered when defining the scope. The expectations of influential
interested parties were also considered: what the impact on those interested parties would
be if any section of the organization were left out of scope, and whether doing so would
require running different systems and confuse employees about what was in and out of
scope.
The scope of registration for ISO/IEC 27001:2013 encompasses the [Organization Name]
headquarters location and ensuring information security within the boundaries of
headquarters operations. This is formally stated as follows: The Information Security
Management System (ISMS) which applies to the provision and management of cost-
effective workforce and IT solutions to Federal, State, Local and Commercial Customers.

4.4 Information Security Management System

In accordance with the requirements of ISO/IEC 27001:2013, [Organization Name] has
established and implemented this information security management system (ISMS), and
has established procedures to maintain and continually improve the system. The master
document for the ISMS is this Information Security Management Plan, which follows the
same format as the ISO/IEC 27001:2013 standard. If [Organization Name]'s response to a
requirement can be adequately expressed in brief textual form, the response is included
within this manual. Otherwise, this manual references the appropriate documents and
records and provides contact information for further assistance.

5. Leadership

5.1 Leadership and Commitment

In order for an organization to be successful, its top management must be committed to
providing effective information security. Through the implementation of an Information
Security Management System (ISMS), top management has taken steps to ensure that the
organization's information security policy and objectives are in line with its strategic
direction. Top management demonstrates leadership and commitment by:

 Taking accountability for the management system's effectiveness.
 Ensuring that the policy and objectives are defined and that they are compatible with
the organization's context and strategic direction.
 Ensuring that the management system's requirements are integrated into company
processes.
 Promoting the use of a process-oriented approach as well as risk-based thinking.
 Ensuring that sufficient resources are available.
 Ensuring that the management system produces the desired results.
 Engaging, directing, and supporting persons so that they contribute to the
management system's effectiveness.

Furthermore, the ISMS requirements have been integrated into the organization's
processes, and the necessary resources are available to support it. Communication is a
critical component of any successful initiative, and top management has ensured that the
importance of information security is understood by all employees.
5.2 Policy

In order to protect the company's valuable information, it is important to have a
comprehensive information security policy in place. This policy should set

 Information security policies must be created, authorized by management,
published, and conveyed to employees and other stakeholders. Policies must be
driven by business needs, as well as any regulations and legislation that affect
the company.
 These policies cover the topics required by the Annex A controls (A.5.1.1, Policies for
information security) and are also summarized in a higher-level master information
security policy document that supports the organization's important security
statements for sharing with stakeholders such as customers.
 Policies are also the foundation of information security and should be included in
the education, training, and awareness programme required by control A.7.2.2.
 The policies establish the principles that all members of the organization, as well as
essential stakeholders such as suppliers, must adhere to. In accordance with control
A.5.1.2, these policies are reviewed at planned intervals, and whenever significant
changes occur, and updated as needed.

5.3 Organizational roles, responsibilities, and authorities

The role has two main aspects:

 Responsibility for ensuring that the ISMS fulfills the requirements of ISO/IEC
27001:2013.
 Responsibility for monitoring the performance of the ISMS and reporting to top
management.

In order to protect the company's valuable information, it is important to designate
specific individuals with responsibility and authority for roles relevant to information
security. At [Organization Name], top management is responsible for ensuring that the
appropriate responsibilities and authorities are assigned and communicated. The
Operations Manager is currently designated as the individual responsible for:

a) ensuring that the information security management system conforms to the
requirements of the ISO/IEC 27001:2013 International Standard; and

b) reporting on the performance of the information security management system.

As the company grows, additional qualified personnel will become available, and
management has the authority to assign these responsibilities and authorities accordingly.

6. Planning

6.1 Actions to address risks and opportunities

6.1.1 General

When planning for the information security management system, Cognitive considers the
issues referred to in 4.1 and the requirements referred to in 4.2 and determines the risks
and opportunities that need to be addressed to: a) ensure the information security
management system can achieve its intended outcome(s); b) prevent, or reduce, undesired
effects; and c) achieve continual improvement.
Some of the risks and opportunities that Cognitive considers include:
 The potential for data breaches and the impact they can have on an organization.
 The need to protect against evolving threats, such as ransomware.
 The importance of managing risk throughout the life cycle of information assets.
 The value of proactive threat intelligence in mitigating risk.

6.1.2 Information Security Risk Assessment

Cognitive has long been a proponent of information security risk assessment processes that
conform to the requirements of ISO/IEC 27001:2013. Our approach is based on the
Cognitive Risk Analysis and Treatment Plan, which provides a consistent, repeatable
methodology for assessing risks and implementing mitigating controls. The process is
accomplished through the structure of our risk assessment framework and continued
maintenance of the Risk Assessment Plan.
The risk treatment options considered for each assessed risk (see 6.1.3) are:
 Avoiding the risk by electing not to begin or continue the activity that gives rise to
the risk, or by removing the risk source (for example, by closing an e-commerce portal);
 Taking or increasing the risk in order to pursue a business opportunity (for example,
creating an e-commerce portal);
 Changing the likelihood (for example, by reducing vulnerabilities), the consequences
(for example, by diversifying assets), or both;
 Sharing the risk with others through insurance, subcontracting, or risk financing; and
 Retaining the risk based on the Risk Acceptance Criteria or by making an informed
decision (for example, maintaining the existing e-commerce portal).
6.1.3 Information Security Risk Treatment

Information security risk management is a crucial process for all organizations. The
Cognitive Statement of Applicability and the Risk Analysis and Treatment Plan provide
details regarding the controls that are applied to manage information security risks. Both
documents are reviewed at least annually by the designated risk owners to ensure that
identified risks are still applicable to the organization, to ensure that applied controls
continue to be adequate and effective, and to recommend actions to improve currently
applied controls. By having a formal process in place for information security risk
management, an organization can ensure that it is taking the necessary steps to safeguard
its information and its operations.

6.1.4 Information security objectives and planning

In order to effectively manage and measure the information security posture of the
organization, it is necessary to establish objectives, measurements, and reporting. The
Information Security Metrics Repository (ISMR) defines these items and assigns
responsibility for their implementation. This allows for consistent measurement of
information security at relevant functions and levels across the organization.

The primary objective is to establish a management framework that will provide visibility
into progress and effectiveness of the organization's information security program. This is
accomplished by establishing objectives, measurements, measurement methodologies and
time frames for each process in the ISMS. Once defined, this data can be used to track
progress and measure success.

7. Support

7.1 Resources

[Organization Name] Executive Leadership is fully committed to the establishment,
implementation, operation, monitoring, review, maintenance, and improvement of the
ISMS. Sufficient resources are dedicated to enable an efficient and proactive information
security program. The Management Review Board (MRB) ensures that all stakeholders
remain informed. Additionally, the MRB confirms and monitors proactive coordination of
activities between departments with overlapping responsibilities for information security,
including but not limited to the Compliance & Ethics Department, Human Resources
Department, Information Technology Department, Marketing Department, and Operations
Department.
The MRB reviews and approves all information security policies and procedures, as well as
the management system for overall ISMS performance. The MRB meets quarterly or on an
ad hoc basis to review progress related to:
 Incident Management.
 Risk Assessment & Mitigation.
 Compliance with Regulations/Legislation.

7.2 Competence

[Organization Name] is committed to ensuring that all personnel assigned responsibilities
within the Information Security Management System (ISMS) are competent to perform the
required tasks. This includes providing the necessary training and making sure that
employees have the appropriate skills, competencies, and certifications. Our
comprehensive training program helps ensure that our personnel are well-equipped to
handle any situation. Additionally, the HR department maintains records of employee
training so that progress can be tracked and any areas where additional training may be
needed can be identified.
7.3 Awareness

In order to protect the confidentiality, integrity, and availability of the company's
information, [Organization Name] maintains an Information Security Management System
(ISMS): a framework for identifying and managing the security risks to its information. This
section summarizes the ISMS Plan, how personnel are made aware of their information
security responsibilities, and how changes to the ISMS Plan are communicated.

The ISMS Plan provides the framework for managing information security risks. The
organization is required to identify and document the controls that are in place to protect
its information assets, as well as any additional measures that may need to be
implemented in order to address identified risks.

7.4 Communication

Internal vs. External
Internal Communication - Plan for Internal Communication. The Internal Communication
Plan is used by top management to communicate its goals and commitment to information
security. The Information Security Policy, the security organization with its essential roles
and duties, the Awareness Plan, and the general and specialized requirements for
responding to incidents are just a few examples.
The internal communication plan should not be one-way. The channels (for example,
telephone and email) should also be known and used to communicate "bottom-up" from
users to management about incidents or newly discovered vulnerabilities.
External Communication - The majority of the examples presented above are for an internal
communication plan, but they can also be used for an external communication plan.
The organization may need to interact with the outside world, including regulatory
agencies, public authorities, shareholders, clients, and partners, to announce positive
(successes) or negative (failures) occurrences (incidents, accidents, and crises). A
Communication Plan is needed here as well, answering the same questions as before.
However, more caution is required in this case, because the organization must not divulge
or disseminate sensitive information that would worsen its position.

In order to ensure that the information security management system (ISMS) is
maintained in a compliant and effective manner, the [Organization Name] Operations
Manager takes on the critical role of representing the Management Review Board (MRB).
The MRB is responsible for overseeing the organizational risk assessment process, as well as
ensuring that all employees and other stakeholders are kept up to date on changes or
updates to the ISMS. Additionally, any changes or updates to documentation concerning the
ISMS are posted in the document control system (DCS) and made available to affected
parties.
8. Documented Information

8.1 General

[Organization Name] has implemented an information security management system (ISMS)
that meets the requirements of the ISO/IEC 27001:2013 International Standard. The ISMS
is designed to protect the confidentiality, integrity, and availability of our customers' data.
Part of this effort includes maintaining appropriate documentation for the ISMS.

The first part of the [Organization Name] ISMS documentation is the documented
information required by the ISO/IEC 27001:2013 standard. This includes the policies and
procedures that support the ISMS. All printed documents are uncontrolled copies, meaning
they may not be accurate or up to date; the controlled version is the one held in the
document control system.

8.2 Creating and Updating

The role of a process owner in document control is an important one. Process owners are
responsible for the creation, review, and updating of system documentation. This process is
controlled via the Document Control Procedure, which sets out how the process is to be
carried out. This section outlines the responsibilities of the process owner in ensuring that
system documentation is accurate and up to date.
The process owner is responsible for creating system documentation. In particular:
- The process owner for the document control function is responsible for recording all
organizational knowledge generated from projects and operations that is needed to meet
the requirements of the ISMS.

8.3 Control of documented information

Documented information required by the information security management system and by
the International Standard is controlled via the Document Control Procedure and the DCS
Master Listing to ensure:
a) it is available and suitable for use, where and when it is needed; and
b) it is adequately protected (e.g., from loss of confidentiality, improper use, or loss of
integrity).
The Document Control Procedure provides direction and guidance for:
c) distribution, access, retrieval, and use;
d) storage and preservation, including the preservation of legibility;
e) control of changes (e.g., version control); and
f) retention and disposition.
Documented information of external origin, determined by the organization to be necessary
for the planning and operation of the information security management system, is
identified as appropriate and is also controlled via the Document Control Procedure.

9. Operation

9.1 Operational Planning and Control

The [Organization Name] Information Security Management System (ISMS) comprises the
methods and procedures used to protect company information from unauthorized access,
use, disclosure, alteration, or destruction. The ISMS is under the direction of the CEO, with
the Management Review Board (MRB) providing guidance and oversight. The system
includes both automated and manual processes, as well as resources such as personnel,
physical security, and technology. Internal audits and management reviews are conducted
on a regular basis to ensure that the system is effective and that changes (controlled
through Change Management) do not introduce new risks. Where processes are outsourced,
the company performs supplier management activities to ensure that suppliers also have
effective security controls in place.

Reference Documents:
 ISO/IEC 27001:2013 Clause 8.1, Operational planning and control
 Clause 8.2, Information security risk assessment
 Clause 8.3, Information security risk treatment

10. Performance Evaluation

10.1 Monitoring, measurement, analysis, and evaluation

The Operations Manager and the Management Review Board evaluate the performance and
effectiveness of the ISMS through management review of internal process audit results and
the collection and analysis of specific process measurements. Internal audit records are
retained in the records management system (RCS), and specific process measures are
recorded in and reported from the Metrics Repository. Process owners are responsible for
collecting and reporting specific process measurements.

Internal process audit results and the collected process measurements are reviewed and
reported annually by the Management Review Board. Internal audits are conducted every
two years on average for processes that are not considered core to the business or that have
a history of poor performance (e.g., ISMS Manager).
10.2 Internal Audit

In order to ensure that the company is following the ISO/IEC 27001:2013 requirements for
internal audit, scheduled internal audits are conducted. This section describes the process
for conducting an internal audit in accordance with those requirements, including the forms
and documentation used during the audit process. Having a repeatable and documented
process for internal audits helps ensure that the company remains compliant with the
standard.

The first step in conducting an internal audit is to develop a plan. The plan should include
the following:
- Audit scope and objectives
- Audit schedule
- List of auditors
- List of documents to be reviewed

Once the plan is developed, the next step is to select qualified auditors who are objective
and impartial with respect to the area being audited.
10.3 Management Review

Management reviews provide a forum for management to assess progress against
objectives, discuss issues and problems, and make decisions that will ensure the
organization meets its goals. This section describes the process for performing quarterly
management reviews, including what to include in the meeting agendas and meeting
minutes.
Management reviews are held on a quarterly basis, following the schedule outlined in the
organization's formal management process document. The agenda for each meeting is
prepared in advance, using a standard template. Meeting minutes are entered directly into
the template and then retained in the organization's records management system (RCS).

11. Improvement

11.1 Nonconformity and corrective action

When a nonconformity is identified in the information security management system (ISMS),
the company must take appropriate action to maintain the effectiveness of the ISMS. This is
done by implementing corrective actions, which are formal changes that are managed
through change management processes and tracked using a Request for Change form
flagged "Corrective Action". Change activity is entered directly into the form and retained in
records within the corporate change management system (CCMS).
The corrective action process begins with the identification of a nonconformity. Once the
nonconformity is identified, it must be assessed to determine the impact on the ISMS and
the required corrective actions. The assessment should include a review of the risk
associated with the nonconformity, as well as an evaluation of any potential impacts.
11.2 Continual improvement

Cognitive is fully committed to the continual improvement of its information security
management system (ISMS). The ISMS is continuously monitored, and any areas that could
be improved are identified and investigated. This allows changes to be made under change
management and the overall information security posture to be improved.
