opexxx

iso27001:2013steps.txt

Sep 27th, 2018 (edited)
Implementing ISO 27001:2013 from scratch in 35 simple steps

Plan

1. Obtain top management approval for implementation of an ISO 27001:2013 based ISMS in the organization
2. Gather information about the organization and its industry
3. Understand the organization's industry
4. Gather background information about the organization's products and services
5. Understand the organization's external and internal issues
6. Identify the organization's competitors
7. Identify the organization's interested parties
8. Understand the needs and expectations of interested parties
9. Understand the organization's legal, regulatory and contractual requirements
10. Understand interfaces and interdependencies between activities performed by the organization
11. Understand the organization's ISMS requirements
12. Understand the requirements of interested parties relevant to the ISMS
13. Determine the scope of the ISMS implementation (locations, sites and/or functions ready to implement the ISMS)
14. Define the overall IS Policy, including IS Objectives, applicable business requirements and top management commitment to continual improvement
15. Define the risk assessment process (risk assessment criteria and risk acceptance criteria)
16. Define the risk treatment process
17. Develop a project plan for the ISO 27001:2013 based ISMS implementation
18. Present the project plan to top management for approval and secure top management assurance for the project and the necessary support and resources

Do

19. Define IS objectives at all relevant functions and levels
20. Perform risk assessment
   a. Identify IS risks
   b. Identify Risk Owners
   c. Analyze IS risks (assess consequences, likelihood and risk level)
   d. Evaluate IS risks (compare with risk criteria and prioritize)
21. Perform risk treatment
   a. Select appropriate controls
   b. Compare controls with Annex A of the ISO 27001:2013 standard
   c. Develop the SoA (Statement of Applicability)
   d. Develop Risk Treatment Plans
22. Obtain Risk Owners' approval
23. Implement risk treatment plans (staff, infrastructure, technical controls, and managerial controls such as employment/contract agreements, NDAs etc.)
24. Define ISMS performance measurements and metrics
25. Develop the ISMS audit programme plan
26. Define and assign ISMS roles and responsibilities
27. Develop the necessary IS documentation
28. Develop an ISMS Communication Plan considering all ISMS interested parties
29. Conduct necessary IS training for employees and contractors
30. Carry out necessary IS awareness initiatives
31. Operate the ISMS (record IS events, activities, communications, changes, incidents, accidents and NCs (non-conformities))

Check

32. Check ISMS performance periodically
   a. Review the various ISMS performance measurements and metrics
   b. Conduct periodic risk assessments
   c. Perform periodic internal and regulatory audits
   d. Collect feedback from interested parties
   e. Carry out periodic Management Reviews of ISMS performance
33. Report to appropriate management at defined time intervals

Act

34. Decide on corrective actions to be taken
35. Develop plans for implementing ISMS improvements