There are a number of starting points, and not all organisations will choose the same route.
To help you quickly achieve success and make the job of implementing then managing your ISMS easier we have included a number of relevant ISMS policies for you to ‘Adopt’. These automatically take advantage of the powerful prebuilt tools and controls within ISMS.Online. We have also included how to deliver the 27001:2013 core requirements and proposed many other policies that you might wish to ‘Adapt’ for your local needs too.
Of course, every organisation is unique so the information security issues and risks encountered in one organisation will differ to another. As such there are some parts of the system which are unique to your environment and you will simply ‘Add’ your own policies into the relevant activity areas. Where relevant we have offered some guidance on what to consider here too. Having the powerful technology of ISMS.Online and the content from our Adopt, Adapt and Add based policies is going to help you achieve success much more quickly and at lower cost than alternatives.
As great as ISMS.Online is, it still needs you and your team to make it happen!
There are a few approaches to consider when implementing your first ISMS especially when aiming to achieve UKAS Accredited 27001:2013 certification.
Two alternative approaches to getting started with yourimplementation are shown below and we have included hyperlinks to learning materials to assist you:
1. The purist, newcomer approach to implementing your ISMS
The ideal approach to developing your ISMS involves starting with:
- Buying the ISO 27002 – this will help you understand what is involved. then reading and
- Using the ISMS.Online 27001:2013 policies and controls environment to act as your gap analysis and delivery project, harnessing the collaborative to assign owners, discuss, task and then document your work, before having it independently approved by another ISMS Board member (the accreditor expects to see independent evaluation)
- Demonstrate that your policies and controls actually follow the requirements and start with
4.3 Scope of applicability
Then look at how you need to Adopt, Adapt and Add to the relevant policy areas
Each of these requirements naturally filters and helps shape the following one. For example, understanding your internal and external issues helps you identify your Interested parties and that together with your scope for the system helps determine your information security risks. Understanding your risks and how to treat them leads to the policies and controls you put in place to mitigate those risks.
2. Already have an ISMS of sorts or some policies in use?
A variation on the approach above is when you already have policies and controls in your organisation, and are perhaps implicitly managing your ISMS and now want to take it to the next level. You might not have a formal risk register either but are savvy enough to have put in place policies to control the risks facing your business.
For each policy and control you are using today, ask yourself what underlying risk you are aiming to treat. Then simply (for starters) add your policy into the relevant place in the policies and controls area of ISMS.Online, create a risk in the risk tool and forge the link between the risk and your policy to show how that risk is being managed.
When you do get a chance to do the session on 4.1, 4.2, 4.3 and 6.1 etc, you can then check whether the needs from those areas affect your policies and what amendments need to be made.
Want more help?
If you need further support or guidance, we’re happy to help with implementation support and a coaching package. We also have information security consultants who can help you achieve your goals and provide more technical aspects for meeting Cyber Essentials, and other .to a range of specialist
Contact firstname.lastname@example.org if you would like to learn more.