ISO 27001/22301 Implementation and Process Definition Steps.

Project phases and Structure.


ISMS (ISO 27001) and BCMS (ISO 22301) implementation consulting services include:

  • Planning phase: objectives, risk assessment and Statement of Applicability (SOA) preparation.
  • Implementation of the selected controls.
  • Internal audit Process.
  • Measurement and Metrics Process.
  • Management Review and Continual Improvement.

Steps 3, 4 and 5 (internal audit, measurement and metrics, management review and continual improvement) are also applicable to ISO 9001:2015 implementation. Please visit our services for ISO 9001 here.

Responsibilities for ISO 27001 Implementation.


SS Consulting will steer the entire implementation process and will work through the customer's CISO (Chief Information Security Officer). The customer organization will share all the necessary details during ISO 27001 implementation and support the process by strictly following the SOPs and procedures.

Resources.


The SS Consulting team configuration will be determined at the time of project kick-off. Our ISO 27001 implementation team will work under the guidance of the Lead Auditor K. Sridhar.

The customer organization will provide the core team members to work along with the SS Consulting implementation team. The core team may include the Steering Committee, system administrators, the Internal Quality Audit (IQA) team and other support teams.

Deliverables.


The following documents will be provided based on the requirements of ISO 27001:

  • Procedure for Document and Record Control – prescribes the basic rules for writing, approving, distributing and updating documents and records.
  • Procedure for Identification of Requirements – procedure for identifying statutory, regulatory, contractual and other obligations.
  • Scope of the Information Security Management System – a document precisely defining the assets, locations, technology, etc. that are part of the scope.
  • Information Security Policy – the top-level document in which management sets the direction and objectives for information security.
  • Risk Assessment and Risk Treatment Methodology – describes the methodology for identifying, analysing, evaluating and treating information security risks.
  • Risk Assessment Table – the table resulting from the assessment of asset values, threats and vulnerabilities.
  • Risk Treatment Table – a table in which appropriate security controls are selected for each unacceptable risk.
  • Risk Assessment and Risk Treatment Report – a document summarising all key results produced during risk assessment and risk treatment.
  • Statement of Applicability – a document that lists each Annex A control of ISO 27001, states whether it applies, gives the justification for inclusion or exclusion, and records its implementation status.
  • Procedure for Internal Audit – defines how auditors are selected, how audit programmes are written, how audits are conducted and how audit results are reported.
  • Procedure for Corrective Action – describes how nonconformities are recorded and how corrective actions are implemented and verified.
  • Form for Management Review Minutes – a form used to record the minutes of the management meeting held to review the adequacy of the ISMS.
  • Risk Treatment Plan – an implementation document specifying the controls to be implemented, who is responsible for implementation, deadlines and resources.

For a combined ISMS and BCMS (ISO 22301) implementation, the following documents will also be provided:

  • Business Continuity Management Policy – sets the basic framework for the BCMS and determines its scope and responsibilities.
  • Business Impact Analysis (BIA) questionnaires – analysis of the qualitative and quantitative impacts of a disruption on the business, of the resources required, etc.
  • Business Continuity Strategy – defines critical activities, interdependencies, recovery time objectives, the strategy for managing and ensuring business continuity, the strategy for recovering resources, and the strategy for individual critical activities.
  • Business Continuity Plan – a detailed description of how to respond to disasters or other business disruptions, and how to recover all critical activities.
  • Training and Awareness Plan – a detailed overview of how employees will be trained to execute the planned tasks, and how they will be made aware of the importance of business continuity.
  • Business Continuity Exercising and Testing Plan – describes how plans will be exercised and tested, with the objective of identifying necessary corrective actions and improving the plans.
  • BCMS Maintenance and Review Plan – a detailed overview of how plans and other BCMS documents are to be maintained so that they work when a business disruption occurs.
  • Post-incident Review Form – a form used to review the effectiveness of the plans after an incident.

PDCA Summary


At the end of the ISO 27001 implementation, the customer organization will have the capability to maintain the PDCA (Plan-Do-Check-Act) cycle of the ISMS, ably supported by our ISO 27001 consulting experts.

Stage   ISO 27001:2013 Reference   Remarks
Plan    Clauses 4, 5, 6, 7         Context, leadership, planning (risk assessment, SOA preparation) and support
Do      Clause 8                   Operation: security and BC controls in place
Check   Clause 9                   Performance evaluation: internal audit, measurement and management review
Act     Clause 10                  Improvement: nonconformity, corrective action and continual improvement

Interested in our ISO 27001 Implementation services?

Let's Talk