10/20/2015 1 the isms compliance in 2009 grc-isms module for iso 27001 certification


Page 1: 10/20/2015 1 The ISMS Compliance in 2009 GRC-ISMS Module for ISO 27001 Certification

04/20/23 1

The ISMS Compliance in 2009

GRC-ISMS Module for ISO 27001 Certification

Page 2

ISMS in 2009

Up to now (2009) there are 5314 certified businesses.

The information security management system (ISMS) certification process involves the accreditation of certification bodies. Such accreditation is granted to organisations that have demonstrated that they fully meet the requirements of the international standards ISO/IEC 17021 (Conformity Assessment: Requirements for bodies providing audit and certification of management systems) and ISO/IEC 27006 (Requirements for bodies providing audit and certification of information security management systems).

The International Registrar of ISMS Certificate

Page 3

The ISMS Compliance Implementation Program

GRC-ISMS-P3M Module for ISO 27001 Certification

Page 4

Page 5

Activities

1. Scope
2. Assessment
3. Asset Management
4. Risk Assessment and Management
5. Policies and Procedures Development
6. ISMS Lifecycle Implementation and Auditing
7. Certificate Process

Page 6

The 4 Program Phases

1. Security Program Assessment

2. ISMS Framework Development

3. ISMS Implementation

4. ISMS Certification Preparation

Page 7

Security Program Assessment (Phase I) Profile

Evaluate current information security program for conformance to ISO 27001 strategic, tactical, and operational requirements.

We assess your current infrastructure for "re-usability", in order to not "re-invent the wheel". This assessment serves as a foundation for enhancing corporate governance and establishing a formal Information Security Management System (ISMS).

Deliverables

1. ISO 27001 Assessment
2. Written Gap Analysis Report

Page 8

ISMS Framework Development (Phase II) Profile

Establish a defensible, comprehensive framework for the development of repeatable, auditable, and measurable information security practices as well as a governance model.

Deliverables

1. ISMS Implementation Workshop
2. Master Glossary - Definition of Terms and Information Security Policy Statement
3. Statement of Applicability and Catalog of Controls
4. Defined and documented Program Level Roles and Responsibilities
5. Documented Responsibility Agreements between appropriate risk management functions
6. Information Security Office Mission and Charter
7. Completed ISMS Framework as a Framework Schema reflective of your organization
   Developed, documented and adopted risk assessment methodology
8. Templates and tools to align the risk assessment with controls implementation
9. Analysis, interpretation and documentation of laws and regulations impacting your security program
10. Defined and documented Program Goals which are mapped to risk management strategies of your business
11. Conformance index for other regulations, if any
12. Re-alignment or development of security standards that address directive, preventive, detective and/or reactive controls
13. Developed or realigned and documented security processes that meet ISO 27001 conformance, including the identification of roles and responsibilities and relevant operational deliverables
14. ISMS Administration and Evaluation Plans

Page 9

ISMS Implementation (Phase III) Profile

Understanding the business processes, where information is processed and stored, data types and flows, and span of control is essential to accomplishing a successful implementation.

Documenting these specifics is the goal of the Security Domain Definition Process. This will set the stage for implementation of the security processes on a domain level.

An operational level assessment of the selected Security Domain is then performed in a similar fashion to Phase I. The focus of this assessment is to determine the current state of Information Security Service maturity within the selected Security Domain.

Deliverables

1. Domain Definition Template
2. Gap Analysis against requirements developed in Phase II
3. Gap Analysis
4. Written Gap Analysis Summary
5. Domain Risk Treatment and Corrective Action Plans

Page 10

ISMS Certification Preparation (Phase IV) Internal-Audit

The internal audit will look and feel like an ISMS certification audit and will help prepare you for the actual certification/registration audit. It is important to understand that the closed loop system for continual improvement, by definition, means that there are always improvement activities being conducted and tracked across all controls.

Evidence of conformance to corporate Policy, Standards and Program Strategy must exist, but 100% implementation is not the criterion upon which a certification is awarded.

Option 1: Oversight of an existing Internal Audit capability

For those organizations with an existing internal audit program, our IRCA registered ISO 27001 auditors will act in a Lead Auditor capacity to establish a long term ISO 27001 conformant audit plan, as well as lead and mentor client auditors in the execution of an internal audit in preparation for certification.

Option 2: Contract Internal Audit

For those organizations without an existing internal audit program, our IRCA registered ISO 27001 auditors will establish a long term ISO 27001 conformant audit plan, as well as execute the internal audit in preparation for certification.

This audit plan may serve as the basis for future contract audit RFPs.

Certification Advisory Services

Our Staff may be present during the certification audit; however, it is your staff that must be the primary participants. Advisory services provide onsite expertise from consultants that have been through the certification audit process and can ensure a successful audit experience.

Deliverables

Audit report with findings such as potential Major/Minor Non-Conformities, observations and areas for improvement in preparation for the certification audit

Page 11

Questions?

I hope not … !!! ??? But please let me know when to sign a contract !!! That will get a quicker reply …