Difference between revisions of "ISO"
| Line 2: | Line 2: | ||
<!--T:3--> | <!--T:3--> | ||
| + | == STEP 1 == | ||
First get support from your top management. They must demonstrate their commitment and determination to implement an ISO27001 Information Security Management System in your organisation. Without top management commitment, no information security initiative can succeed. | First get support from your top management. They must demonstrate their commitment and determination to implement an ISO27001 Information Security Management System in your organisation. Without top management commitment, no information security initiative can succeed. | ||
| Line 19: | Line 20: | ||
#better managing and minimising risk exposure | #better managing and minimising risk exposure | ||
#raising awareness of security issues | #raising awareness of security issues | ||
| + | |||
| + | <!--T:3--> | ||
| + | == STEP 2 == | ||
| + | Top management should appoint an Information Security Management Representative (ISMR), as its project manager to plan and oversee implementation, and a supportive team, including representatives of all organisational functions who fall within the scope. | ||
| + | |||
| + | The "Information Security Management Representative" will have to (and be keen to) become expert in and champion ISO27001, have the necessary attributes and authority to lead the implementation team and, should you go for third party certification, to represent your organisation to the certifier. | ||
| + | The ISMR should: | ||
| + | #have the total backing of the CEO or equivalent | ||
| + | #have a genuine and passionate commitment to Information Security in general and the implementation of an ISO 27001 ISMS in particular | ||
| + | #have the ability and presence to influence staff at all levels and functions of the organisation | ||
| + | #be organised, a clear and logical thinker, computer literate | ||
| + | #have a wide understanding of the processes that underlie business operations | ||
| + | #have a good knowledge of Information Security methods in general and ISO 27001 in particular (or a quick learner, training would be highly advantageous) | ||
| + | |||
| + | ISO 27001 requires that the ISMR has clear responsibility for: | ||
| + | |||
| + | #ensuring that ISMS defined, implemented, maintained and improved in conformance with the requirements of ISO 27001 | ||
| + | #reporting to top management on how well, or poorly, the ISMS is performing, including identifying any needs for improvement | ||
===Why is there no score or graph?=== <!--T:4--> | ===Why is there no score or graph?=== <!--T:4--> | ||
Revision as of 00:29, 10 December 2021
How/Where do I start?
STEP 1
First get support from your top management. They must demonstrate their commitment and determination to implement an ISO27001 Information Security Management System in your organisation. Without top management commitment, no information security initiative can succeed.
To provide evidence of commitment to the development and implementation of an ISMS and continually improve its effectiveness, top management should:
- make clear to the organisation the importance of meeting customer, statutory and regulatory requirements,
- define the organisation's information security policy and making this known to every member of staff
- ensure that information security objectives are established at all levels and for all functions
- ensure the availability of those resources required for the development and implementation of the ISMS
- lead the required management review meetings
- encourage the involvement of all staff
- identify and communicate the key objectives to be achieved through the ISMS, such as:
- keeping confidential information secure
- providing customers and stakeholders with confidence in how we manage risk
- allowing the secure exchange of information
- ensuring that legal obligations are met
- providing a competitive advantage
- better managing and minimising risk exposure
- raising awareness of security issues
STEP 2
Top management should appoint an Information Security Management Representative (ISMR), as its project manager to plan and oversee implementation, and a supportive team, including representatives of all organisational functions who fall within the scope.
The "Information Security Management Representative" will have to (and be keen to) become expert in and champion ISO27001, have the necessary attributes and authority to lead the implementation team and, should you go for third party certification, to represent your organisation to the certifier. The ISMR should:
- have the total backing of the CEO or equivalent
- have a genuine and passionate commitment to Information Security in general and the implementation of an ISO 27001 ISMS in particular
- have the ability and presence to influence staff at all levels and functions of the organisation
- be organised, a clear and logical thinker, computer literate
- have a wide understanding of the processes that underlie business operations
- have a good knowledge of Information Security methods in general and ISO 27001 in particular (or a quick learner, training would be highly advantageous)
ISO 27001 requires that the ISMR has clear responsibility for:
- ensuring that ISMS defined, implemented, maintained and improved in conformance with the requirements of ISO 27001
- reporting to top management on how well, or poorly, the ISMS is performing, including identifying any needs for improvement
Why is there no score or graph?
The Cetbix ISMS concept is that risk is zero if there are no threats or vulnerabilities, which means that nothing is shown on the graph.