
ISMS Implementation

🔍 PHASE 1: Project Initiation & Scoping

Company Responsibilities:

  • Appoint an internal ISMS project manager and form a project team.
  • Define business objectives for ISMS (e.g., customer requirements, regulatory compliance).
  • Allocate resources (time, budget, people).

Consultant Responsibilities:

  • Kickoff workshop to explain ISO 27001 principles and project roadmap.
  • Help define the scope of the ISMS (e.g., departments, services, data types, geographical boundaries).
  • Advise on identifying key stakeholders and decision-makers.
  • Draft a project plan and timeline.

Deliverables:

  • ISMS project plan
  • Defined ISMS scope statement

🔎 PHASE 2: Gap Analysis & Risk Context Definition

Company Responsibilities:

  • Provide existing policies, procedures, and security controls.
  • Make key personnel available for interviews.

Consultant Responsibilities:

  • Conduct a Gap Analysis comparing current practices with ISO 27001 requirements.
  • Conduct a Context of the Organization assessment (internal/external issues, interested parties).
  • Facilitate stakeholder interviews to understand processes and identify existing risks.
  • Prepare a risk assessment methodology tailored to the organization.

Deliverables:

  • Gap analysis report
  • Risk assessment methodology
  • Context and Interested Parties analysis

🧩 PHASE 3: Risk Assessment & Risk Treatment

Company Responsibilities:

  • Validate and approve the risk assessment methodology.
  • Participate in workshops to identify risks and controls.

Consultant Responsibilities:

  • Facilitate the risk assessment workshop(s): identification, analysis, evaluation of risks.
  • Help identify existing and required risk treatment controls based on Annex A.
  • Draft the Statement of Applicability (SoA).
  • Develop a Risk Treatment Plan (RTP) with mitigation actions, responsibilities, and deadlines.

Deliverables:

  • Risk assessment report
  • Statement of Applicability
  • Risk Treatment Plan

🧱 PHASE 4: ISMS Design & Documentation

Company Responsibilities:

  • Review and approve policies.
  • Assign process owners and responsibilities.

Consultant Responsibilities:

  • Design the ISMS structure: policies, procedures, controls, records, and governance.
  • Write and deliver the core ISMS documentation, including:
    • ISMS Policy
    • Access Control Policy
    • Acceptable Use Policy
    • Backup Policy
    • Incident Management Policy
    • etc.
  • Tailor documents to reflect actual business and technical operations.
  • Advise on tooling (e.g., GRC software, document management, risk tracking).

Deliverables:

  • Full ISMS documentation set (policies + procedures)
  • Guidance for document control and versioning

🛠️ PHASE 5: Implementation of Controls

Company Responsibilities:

  • Implement the technical and organizational controls.
  • Involve IT, HR, legal, and other departments where necessary.

Consultant Responsibilities:

  • Provide technical and organizational control guidance (e.g., encryption, physical access, vendor management).
  • Recommend and help configure control mechanisms, templates, and logs (e.g., asset registers, access logs).
  • Train teams on control operation and security best practices.
  • Support the rollout of security awareness training.

Deliverables:

  • Security training material
  • Templates for control execution
  • Implementation support

🔁 PHASE 6: Monitoring, Internal Audit & Management Review

Company Responsibilities:

  • Nominate an internal audit contact or team.
  • Conduct the first management review meeting.

Consultant Responsibilities:

  • Perform or help conduct the initial internal ISMS audit (Clause 9.2).
  • Provide audit checklists and templates.
  • Assist in preparing the Management Review Report (Clause 9.3).
  • Identify nonconformities and advise on corrective actions.

Deliverables:

  • Internal audit report
  • Management review templates
  • Corrective action plan

📝 PHASE 7: Preparation for Certification Audit

Company Responsibilities:

  • Engage a certification body (the consultant may provide recommendations).
  • Be available for audit interviews and documentation review.

Consultant Responsibilities:

  • Conduct a mock audit or readiness assessment.
  • Review documentation, control implementation, and logs for completeness.
  • Coach staff on what to expect during the external audit.
  • Act as support during the certification audit if desired.

Deliverables:

  • Pre-certification readiness report
  • Support during the audit (on-site or remote)

🔄 PHASE 8: Continuous Improvement & Maintenance (Post-Certification)

Company Responsibilities:

  • Continue running ISMS processes (risk reviews, audits, awareness training, etc.).
  • Maintain records and logs.

Consultant Responsibilities:

  • Provide ongoing ISMS support (optional, via support contract).
  • Perform periodic health checks or internal audits.
  • Update documentation and controls as the business evolves.
  • Support surveillance audits (yearly follow-up audits by the certification body).

Deliverables (optional based on SLA):

  • Updated documentation
  • Annual ISMS review reports
  • Audit support packages