View Source

This section should also cover ISO 27001 chapter 10: Improvement

A guide on how to establish and implement an ISMS and the run of your ISMS (the CISO's planning for the year)

To make a yearly plan:
The CISO should make his own plan, implement it in the company, check internal (f.i. business) external (f.i. law) changes, check compliancy and make a plan for the next year to implement findings out of the evaluation.

1.1 Security Activities

Activity	Reason	Result	Date	Reference to Security goals in the ISMS	Status
Implement IDS	see an increase of attacks	Early warning of an attack	2 august 2018	Goal nr. 2 to detect and react and mitigate security attacks	In progress

1.2 Plan for Risk assessment

Department	Area	Date	Status*
Accounting	Logical Acces	11 November 2017	Planned

1.3 Awareness and Security training

Department/role	Training	Date	Status
All	How to detect phishing	4 October 2017	Completed

1.4 Internal Audit

Department	Type of Audit	Due date	Status
H.R.	Questionaire	18 april 2018	Planned

1.5 Annual management report

Due date for report	Due date for management review	Status
30th november 2017	14th december 2017	In progress

Establish an ISMS

what's needed to be planned is;

what will be done
what resources will be required
who will be responsible
when it will be completed
how the results will be evaluated (art. 6.2 of ISO. 27.001)

Implement an ISMS

Run your ISMS

What kind of planning, measurements will you have in place when the ISMS is in place.

Evaluate your ISMS
What have I learned

What's needed to be planned and put under the points above;

Make a risk registry
Make a risk inventory
Make sure that you have an asset inventory
Risk assessments
Make sure you have a Risk Treatment
Awareness training
Plan a security training
Plan to make policies
Check compliance with policies
- Reviewing
- Auditing

To put in: Security by Design - What to look at when you have a new product or service run.

Legend:

Status:

Planned -

In progress -

Completed -

Cancelled -