ISO/IEC 27001 defines requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
An ISMS helps organisations manage risks related to data security, ensuring best practices are followed.
Implementing ISO/IEC 27001 in your organisation involves several key steps.
We are here to help you manage this rigorous endeavour, as it is a continuous improvement process.
Steps

1. Leadership Commitment
Obtain commitment from top management to support the implementation process. Appoint an Information Security Officer (ISO) or a responsible person.

2. Scope Definition
Identify the boundaries and assets to be covered. Consider the organisation's context, legal requirements, and stakeholders.

3. Risk Assessment
Identify threats, vulnerabilities, and potential impacts. Prioritise risks and determine appropriate controls.

4. Risk Treatment
Develop a risk treatment plan to implement controls that mitigate identified risks. Consider technical, organisational, and procedural measures.

5. Documentation
Create the necessary documentation, including policies, procedures, and guidelines. Document the risk assessment results, risk treatment decisions, and control objectives.
ISG's DISMISS product can simplify this activity, creating documents tailored to your structures and operations.

6. Training and Awareness
Train employees on information security policies and procedures. Raise awareness about security responsibilities. ISG has training materials available for your users to build and maintain their cyber security awareness.

7. Implementation of Controls
Implement controls based on ISO/IEC 27001, or select control baselines such as the Essential Eight.
ISG's software and methods are designed to work together, allowing you to implement an optimal solution.

8. Internal Audits
Conduct regular internal audits to assess compliance with ISO 27001. Correct any non-conformities identified during audits.

9. Management Review
Review the ISMS periodically with top management. Assess its effectiveness and make the necessary improvements.

10. Certification (Optional)
Engage an accredited certification body for ISO 27001 certification. The certification process involves an audit of your ISMS.