ISMS Initial Planning and Implementation
The PDCA model is a cyclical model with the intent of imposing an ongoing management
system for information security. The initial preparation is similar to, but a
special case of, the ongoing efforts. The initial planning and implementation set
up the ISMS; the subsequent iterations of Plan–Do–Check–Act (PDCA)
begin with checking the status of the ISMS (Check Phase) and proceed with acting
upon necessary revisions (Act Phase), planning how to act upon the revisions (Plan
Phase), and implementing the revisions (Do Phase), all in a continual cycle.
Note: The table closely follows the outline of the ISO 27002 standard and represents the intent;
however, the details in this table, and generally in this text, are not a replacement for the ISO
standards, and the authors recommend acquiring the relevant ISO security standards to use in
conjunction with the information herein.
How to Achieve 27001 Certification
The objectives for initial planning and implementation include the following:
- Collect background details on the organization.
  - Business type
  - Site locations
- Identify key players for the ISMS development process.
- Identify drivers (motivations) behind risk management and the need for an
- Obtain a high-level snapshot of the organization’s security posture, that is,
  current ability and practices to identify and address business risks.
- Collect details that will contribute to establishing the scope of the ISMS.
  - Sites, operations, business functions, information, information technology,
    infrastructure, etc.
- Define the objectives of an ISMS, e.g., good-enough practice? ISO 27001
- Begin to outline the contents of the prospective ISMS.
- Establish a schedule for ISMS development.
- Begin to outline the processes to establish and maintain an ISMS.
The material below presents details on how to approach initial planning and
implementation and achieve the objectives in the list above.
3.4 Establishing Current Status of Organizational Security Management (Assessment Process)
The discovery process to obtain these details takes place in two macro-phases: background
discovery and compliance-level discovery.
3.4.1 Background Discovery
The background discovery task begins by learning more about the organization:
its goals, mission, operations, general background, the role of security,
and the overall cultural perception of security. Background discovery gathers these
details by way of a questionnaire or survey. Many of the questions in background
discovery are not traceable to the ISO standards; however, they still represent
important information that assists in determining the current compliance level (the
next discovery phase) and ultimately in generating the documentation necessary for
ISO 27001 certification.