Saturday, August 18, 2007

Implementing an Information Security Management System

There are key steps that every company implementing an Information Security Management System will need to consider:

Step 1: Purchase the Standard
Before you can begin preparing for your application, you will need a copy of the standard. Read it and make yourself familiar with it.

Step 2: Consider Training
There are training courses available to help you implement and assess your Information Security Management System.

Step 3: Assemble a team and agree your strategy
You should begin the entire implementation process by preparing your organizational strategy with top management. At this stage you should determine the Scope of your Registration: whether the system will be adopted company-wide or by one or more departments.

Step 4: Review Consultancy Options
You can receive advice from independent consultants on how best to implement your information security management system.

Step 5: Undertake a Risk Assessment
During this phase you should undertake a review of all potential security breaches. This should not relate solely to IT systems; it should encompass all sensitive information within your organization.

Step 6: Develop a Policy Document
This will demonstrate management support and commitment to the Information Security Management System process.

Step 7: Develop Supporting Literature
Put together a Statement of Applicability and Procedures to support your security policy. These will cover a range of areas, including asset classification and control, personnel security, physical and environmental security, and business continuity management.

Step 8: Choose a registrar
The registrar is the third party, such as BSI, who comes to assess the effectiveness of your information security management system and issues a certificate if it meets the requirements of the standard. Choosing a registrar can be a complex issue, as there are so many operating in the market. Factors to consider include industry experience, geographic coverage, price and the service level offered. The key is to find the registrar who can best meet your requirements. A great place to start is by contacting us.

Step 9: Implement your Information Security Management System
The key to implementation is communication and training. During the implementation phase everyone begins operating to the procedures of the management system.

Step 10: Gain registration
You should arrange your initial assessment with your registrar. At this point the registrar will review your Information Security Management System and determine whether you should be recommended for registration.

Step 11: Continual assessment
Once you have received registration and been awarded your certificate, you can begin to advertise your success and promote your business. Your registrar will periodically check your ISMS to ensure that it continues to meet the requirements of the standard.
