opexxx

ISMS_implementationplan

Dec 25th, 2022
1 S 1. Management Support
2 T Outline business case
3 T Present business case
4 M Management support is obtained
5 T Initiate project
6 T Plan project
7 S 2. Determine Scope
8 T Determine external issues
9 T Determine internal issues
10 T Identify external interested parties
11 T Identify internal interested parties
12 T Identify requirements of interested parties
13 T Determine preliminary scope
14 T Determine refined scope
15 T Determine final scope
16 T Document final scope
17 T Approve final scope
18 M Scope is approved
19 S 3. Define Information security policy
20 T Determine information security objectives
21 T Write information security policy
22 T Publish information security policy
23 S 4. Inventory of assets
24 T Identify primary assets
25 T Identify supporting assets
26 T Map primary and supporting assets
27 T Identify asset owners
28 T Develop information classification policy
29 T Classify assets
30 T Develop procedures for information labelling
31 T Label assets
32 T Document asset inventory
33 S 5. Risk Management Methodology
34 T Define information security risk criteria
35 T Define information security risk acceptance criteria
36 T Approve information security risk acceptance criteria
37 T Define information security risk assessment process
38 T Define information security risk treatment process
39 S 6. Information security risk assessment
40 S Risk identification
41 T Identify threats
42 T Identify existing controls
43 T Identify vulnerabilities
44 T Identify consequences (impact)
45 S Risk analysis
46 T Assess consequences (impact)
47 T Assess likelihood
48 T Determine risk level
49 S Risk evaluation
50 T Evaluate risks
51 M Risk assessment is completed
52 S 7. Information security risk treatment
53 T Select risk treatment options
54 T Determine controls
55 T Produce Statement of Applicability (SoA)
55 T Formulate risk treatment plan
56 T Obtain approval for risk treatment plan
57 M Risk treatment plan is approved
58 T Implement risk treatment plan
59 T Update Statement of Applicability (SoA)
60 M Risk treatment plan is implemented
61 S 8. Performance Evaluation
62 S Monitoring
63 T Identify information needs
64 T Create and maintain measures
65 T Establish procedures
66 T Monitor and measure
67 T Analyse results
68 T Evaluate information security performance
69 T Evaluate ISMS effectiveness
70 T Document results
71 S Internal audit
72 T Establish audit programme objectives
73 T Determine audit programme risks and opportunities
74 T Evaluate audit programme risks and opportunities
75 T Establish audit programme
76 T Implement audit programme
77 T Conduct internal audits
78 T Report audit results
79 S Management review
80 T Review reporting of the performance of the ISMS
81 T Provide results of management review
82 S 9. Improvement
83 T Identify nonconformities
84 T Review nonconformities
85 T Perform root cause analysis
86 T Determine corrective actions
87 T Plan corrective actions
88 T Implement corrective actions
89 T Assess corrective actions
90 M ISMS is compliant
91 S 10. Certification audit
92 T Contact certification bodies
93 T Request proposals
94 T Review proposals
95 T Select certification body
96 T Sign engagement letter
97 T Schedule stage 1 audit
98 T Undergo stage 1 audit
99 T Schedule stage 2 audit
100 T Undergo stage 2 audit
101 M ISMS is certified