This section discusses what needs to be in place before starting an implementation of an ISMS.
Determine the external and internal issues that are relevant to the intended outcome of the ISMS.
Determine which interested parties are relevant to the ISMS and what their requirements are.
The boundaries and applicability of the ISMS determine its scope. The scope shall be available as documented information.
The organization shall establish, implement, maintain and continually improve an information security management system, in accordance
with the requirements of this International Standard.
Top management shall demonstrate commitment to the ISMS by:
a) ensuring that the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
b) ensuring the integration of the ISMS requirements into the organization’s processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to
the ISMS requirements;
e) ensuring that the ISMS achieves its intended outcomes;
f) directing and supporting persons to contribute to the effectiveness of the ISMS;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their
areas of responsibility.
Top management shall sign off on and ensure that the information security policy:
a) is appropriate to the purpose of the organization;
b) includes information security objectives (see 6.2) or provides the framework for setting information
security objectives;
c) includes a commitment to satisfy applicable requirements related to information security; and
d) includes a commitment to continual improvement of the information security management system.
The information security policy shall:
e) be available as documented information;
f) be communicated within the organization; and
g) be available to interested parties, as appropriate.
Top management shall ensure that the responsibilities and authorities for roles relevant to information
security are assigned and communicated.
Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this
International Standard; and
b) reporting on the performance of the information security management system to top management.
The last two clauses, 9 (Performance evaluation) and 10 (Improvement), will be discussed in the group later.