ISO 27001:2013 Implementation procedure
Implementing ISO 27001:2013 from scratch in 35 simple steps
Plan
1. Obtain top management approval for implementing an ISO 27001:2013-based ISMS in the organization
2. Gather information about the organization and its industry
3. Understand the organization's industry
4. Gather background information about the organization's products and services
5. Understand the organization's external and internal issues
6. Identify the organization's competitors
7. Identify the organization's interested parties
8. Understand the needs and expectations of interested parties
9. Understand the organization's legal, regulatory and contractual requirements
10. Understand the interfaces and interdependencies between activities performed by the organization
11. Understand the organization's ISMS requirements
12. Understand the requirements of interested parties relevant to the ISMS
13. Determine the scope of the ISMS implementation (locations, sites and/or functions ready to implement the ISMS)
14. Define the overall IS policy, including IS objectives, applicable business requirements and top management's commitment to continual improvement
15. Define the risk assessment process (risk assessment criteria and risk acceptance criteria)
16. Define the risk treatment process
17. Develop a project plan for the ISO 27001:2013-based ISMS implementation
18. Present the project plan to top management for approval and secure top management's commitment to the project and the necessary support and resources
Do
19. Define IS objectives at all relevant functions and levels
20. Perform risk assessment
a. Identify IS risks
b. Identify Risk Owners
c. Analyze IS risks (assess consequences, likelihood and risk level)
d. Evaluate IS risks (compare against the risk criteria and prioritize)
21. Perform risk treatment
a. Select appropriate controls
b. Compare the selected controls with Annex A of ISO 27001:2013 to verify that no necessary controls have been omitted
c. Develop the Statement of Applicability (SoA)
d. Develop risk treatment plans
22. Obtain Risk Owners’ approval
23. Implement the risk treatment plans (staff, infrastructure, technical controls, and managerial controls such as employment/contract agreements, NDAs, etc.)
24. Define ISMS performance measurements and metrics
25. Develop ISMS Audit program plan
26. Define and assign ISMS roles and responsibilities
27. Develop necessary IS documentation
28. Develop ISMS Communication Plan considering all ISMS interested parties
29. Conduct necessary IS training to employees and contractors
30. Carry out necessary IS awareness initiatives
31. Operate the ISMS (record IS events, activities, communications, changes, incidents, accidents and nonconformities)
Check
32. Check ISMS performance periodically
a. Various ISMS performance measurements and metrics
b. Conduct periodic risk assessments
c. Perform periodic internal and regulatory audits
d. Collect feedback from interested parties
e. Carry out periodic management reviews of ISMS performance
33. Report to the appropriate management at defined intervals
Act
34. Decide on corrective actions to be taken
35. Develop plans for implementing ISMS improvements