As a responsible person for information security within your organisation, whether you are the owner, the CEO, the Chief Training Officer or Information Security Officer you should begin by acquiring a copy of the standard ISO/IEC 27002 code of practice. This code of practice is a risk management standard over-viewing the principals of ensuring confidentiality, integrity and accesiblity of your company data.
Involve your Team
Initiate the first round of discussions with your employees at all levels and perform information security profiling within your organisation.
Define the Scope of your Implementation
The ISMS stands for Information Security Management System. In the beginning it is important to define this scope, whether it is one layer of your company, a department, floor or even a process.
Get Started with a Risk Assessment
Define the risk assessment approach. You may want to take a look at ISO/IEC 27005 a sub section of the 2700x standard series, which is specially focused on risk assessment.
Identify your Information Assets
Define both the tangible and intangible assets within the field of your ISMS. These assets can be people and buildings and everything else in between.
Assess the Risk to the Assets
Perform risk assessment exercise for various assets within the range of your Information Security Management System. This involves identifying relevant threats towards the assets, identification of vulnerabilities of the asset towards each threat, impact of threat and the probability of a threat becoming a reality.
Design a Risk Management Strategy
The relationship between an Asset and a Threat is considered a Risk. Suggest controls from ISO/IEC 27001 that Hedge against the Identified Risks. Guidelines on the implementation of these controls are in ISO/IEC 27002. You may need to define your own specific controls.
Obtain the results of the Risk Assessment required by the standard ISO/IEC 27001
The most important report is the SOA report or the Statement of Applicability, which should display the information security risk within the scope.
Training and Awareness
Develop a customised and focused information security-training program to build awareness of information security for everybody in your company.
Get ready for Business Continuity planning
The Risk Assessment is only one part of three steps required for a full implementation of ISO/IEC 27001. The other two are Business Continuity planning and development of Organisational Manual such as procedures, processes and policies.
This information was provided by Svana Helen Bjornsdottir, ISO/IEC 27001 Lead Auditor and CEO of Stiki Information Security.