- Define the scope of the ISMS
The scope is the wording in which your organisation states what the ISMS covers: it is what an audit assesses your compliance against, and it also shows your customers/clients what the ISMS is managing. (www.iso.org)
It can look something like this:
“The provision of ICT Support to [Your company name], in accordance with Statement of Applicability version 1 dated 1st January 2019”
The wording of your scope can be drafted in preparation for your application, in accordance with the UKAS certification body (www.ukas.com), or the equivalent body if you are in the USA (https://anab.ansi.org/) or in Australia (https://www.jas-anz.org/).
You will require a Certification Body to assess your ISMS; the choice of certification bodies can be found on the UKAS website. If you require guidance, contact us and we can recommend a good partner we know.
- Define a security policy, together with the associated ISMS policies
With IS27 know-how in governance, security policies and incident response processes, Thales’s experts can incorporate clients’ business objectives and current controls to develop a more effective framework that supports their operations in a secure manner. Thales partners with clients to define their future strategy and assists their transition to a more sustainable and holistic approach to cyber governance.
IS27 offers a framework covering security policy, guidelines, architectural blueprints, incident response processes and awareness training material development, to assist any organisation that dedicates itself to long-term security strategy development, which is crucial to achieving institutional effectiveness and management competency.
- Conduct a risk assessment
The best way to do this is an asset-based approach: list the assets in scope that may pose a risk to information.
Assets: mobile devices, computers, servers, routers, CCTV cameras, token access cards, etc.
Others will be: software, people, suppliers, etc.
- Manage identified risks
Once the risks are listed it’s time to define the asset risk owners and decide how you calculate the score of each item.
So what is the probability? This can be scored between 1 and 5, for example, with 1 being low and 5 being high.
A risk evolves, and its probability can change frequently. Take COVID-19, which impacted the whole world: on 1st January 2020 the probability of this would have been low, but fast forward to March 2020 and the probability is, and should be, 5 (High).
Impact: this is how much an asset can be damaged or made unstable by the risk. The impact score is usually on the same scale, between 1 and 5, and multiplying probability by impact gives a maximum score of 25 (5×5=25). The impact of COVID-19 on the risks in the above example would depend on how much disruption your organisation can absorb (how resilient it is) without being hit.
Risk Treatment: how can you avoid these risks? This is where the owners must be fully aware of what needs to be done to mitigate (treat) the level of exposure. Risk treatment is a very valuable exercise and one which can be done very early in the project. Completing a gap analysis is one key part of what we are experts in, using what we know from other industry sectors and the international standard for risk assessment, ISO 27005.
- Select control objectives and controls to implement a plan
Listing the ISMS objectives is not going to cut it: you have to show evidence of how you will achieve the objectives, and who, where, what and when.
An example of an ISMS objective would be to have less than 5 information security incidents over 12 months. Once this is set, track the objective each month or week and make sure that it is being met. If there have been 10 incidents after 12 months, what are you going to do to review the objective? The shortfall can organically be fed back as a risk, which is then treated or at least assessed.
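The scoring described under the risk assessment (probability 1 to 5, impact 1 to 5, score = probability × impact, maximum 25) and the objective tracking described above can both be worked through in a small asset-based risk register. The following is an added example written for this page; it is not code from the page's authors, from 27k1 or from any tool they mention. The asset names, owners, scores and the incident counts are constructed sample data, and the `Risk` class, `rank`, `rescore`, `objective_met` and `feed_objective_to_register` names are assumptions made for the example.

```python
from dataclasses import dataclass

# Scale taken from the text: probability and impact are each scored 1 (low) to 5 (high).
SCALE = range(1, 6)


@dataclass
class Risk:
    asset: str              # asset in scope, e.g. "Servers"
    threat: str             # what could go wrong to the asset
    owner: str              # asset risk owner responsible for treatment
    probability: int        # 1 (low) .. 5 (high)
    impact: int             # 1 (low) .. 5 (high)
    treatment: str = "untreated"   # free-text treatment plan (hypothetical field)

    def __post_init__(self):
        self.validate()

    def validate(self):
        if self.probability not in SCALE or self.impact not in SCALE:
            raise ValueError("probability and impact must be between 1 and 5")

    @property
    def score(self) -> int:
        # probability x impact, so the maximum is 5 x 5 = 25
        return self.probability * self.impact


def rank(register):
    """Highest score first, so owners see what needs treating first."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def rescore(register, asset, threat, probability=None, impact=None):
    """Re-score one risk when circumstances change (the COVID-19 case in the text)."""
    for r in register:
        if r.asset == asset and r.threat == threat:
            if probability is not None:
                r.probability = probability
            if impact is not None:
                r.impact = impact
            r.validate()
            return r
    raise KeyError(f"no risk for {asset!r} / {threat!r}")


def objective_met(incidents_per_month, limit=5):
    """Objective from the text: less than `limit` incidents over the tracked period."""
    return sum(incidents_per_month) < limit


def feed_objective_to_register(register, incidents_per_month, limit=5, owner="ISMS manager"):
    """If the objective is missed, raise it as a risk so it is treated or at least assessed.

    The probability/impact given to the new risk are constructed values for the example.
    """
    total = sum(incidents_per_month)
    if total < limit:
        return None
    risk = Risk(asset="ISMS objectives",
                threat=f"incident objective missed ({total} incidents, limit {limit})",
                owner=owner, probability=5, impact=3,
                treatment="review the objective and the controls behind it")
    register.append(risk)
    return risk


# Constructed sample register (not data from the page).
REGISTER = [
    Risk("Mobile devices", "lost device exposes data", "IT manager", 3, 4,
         "full-disk encryption, remote wipe"),
    Risk("People", "staff unavailable due to pandemic", "HR director", 1, 4),
    Risk("Suppliers", "key supplier outage", "Procurement lead", 2, 5),
    Risk("Servers", "ransomware", "Head of infrastructure", 2, 5,
         "offline backups, patching"),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.score:2d}  {r.asset:<15} {r.owner:<22} {r.treatment}")
    # March 2020: the pandemic risk moves from 1 (low) to 5 (high)
    rescore(REGISTER, "People", "staff unavailable due to pandemic", probability=5)
    print("top risk after re-scoring:", rank(REGISTER)[0].asset, rank(REGISTER)[0].score)
    # Constructed 12 months of incident counts: 10 incidents, objective of less than 5 missed
    months = [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0]
    print("objective met:", objective_met(months))
    print("raised:", feed_objective_to_register(REGISTER, months))
```

Re-scoring rather than re-creating a risk keeps the owner and treatment history attached to the entry, which is what an auditor will ask to see when the register changes.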
- Prepare a Statement of Applicability.
This is the part where ISO 27002, known as Annex A, really comes into its own. It is the engine room of ISO 27001: there are 114 controls within this framework and, when done correctly, it will improve how you manage your ISMS and, more importantly, give you confidence in the credibility of your business.
This is usually documented in a spreadsheet format.
- Define and implement an ISO 27001 Information Security Management System (ISMS)
Putting all this together requires a Plan-Do-Check-Act framework. Having a system to keep track of it all is where our partner 27k1 has the solution to help you keep everything from above in a content management system.
You will require expert help so reach out to us at firstname.lastname@example.org