Information Security ISO/IEC 27001

Path to Effective Information Security Management

There are key steps that every company implementing an Information Security Management System will need to consider:

Purchase the Standard
Before you can begin preparing for your application, you will require a copy of the standard. You should read this and make yourself familiar with it.

Review free guidance documents, publications and software
There are a wide range of free guidance documents, quality publications and software tools designed to help you understand, implement and become registered to an Information Security Management System.

Consider Training
There are training courses available to help you implement and assess your Information Security Management System.

Assemble a team and agree your strategy
You should begin the entire implementation process by preparing your organizational strategy with top management. At this stage you should determine the Scope of your Registration - whether the system will be adopted company wide or by one or more departments.

Review Consultancy Options
You can receive advice from independent consultants on how best to implement your information security management system.

Undertake a Risk Assessment
During this phase you should undertake a review of all potential security breaches. This should not relate solely to IT systems, but should encompass all sensitive information within your organization.

Develop a Policy Document
This will demonstrate management support and commitment to the Information Security Management System process.

Develop Supporting Literature
Put together a Statement of Applicability and Procedures to support your security policy. These will cover a range of areas including asset classification and control, personnel security, physical and environmental security and business continuity management.

Choose a Certification Body
The certification body is a third party, such as BSI Management Systems, which comes and assesses the effectiveness of your Information Security Management System against the industry best practice standard, ISO/IEC 27001:2005. BSI issues a certificate if the ISMS meets the requirements of the standard. Choosing a certification body can be a complex issue, as there are so many operating in the market. Factors to consider include industry and auditing experience, geographic coverage, and the service level offered. The key is to find the certification body that can best meet your requirements. A great place to start is by contacting BSI Management Systems.

Implement your Information Security Management System
The key to implementation is communication and training. During the implementation phase everyone begins operating to the procedures of the management system.

Gain registration/certification
You should arrange your initial assessment with your registrar. At this point the registrar will review your Information Security Management System and determine whether you should be recommended for registration.

Continual assessment
Once you have received registration and been awarded your certificate, you can begin to advertise your success and promote your business. Your ISMS will be periodically checked by your registrar to ensure that it continues to meet the requirements of the standard.


BSI Management Systems, 389 Chiswick High Road, London, W4 4AL. Email: international@bsigroup.com
© 2007 BSI.