1.4 KiB
1.4 KiB
iso27DYI: How this works
Structure
We've divided the ISMS implementation into a number of Episodes.
- setting the goals
- what's the lay of the land (relevant external issues)
- how's our equipe, our assets that need to be protected (internal issues, strengths and weaknesses)
- knowing the risks
- identifying measures to mitigate the risks
- creating the recipes (policies) for resilience in different areas / domains
- implementing the risk mitigating measures
- ensuring resources to implement and maintain everything
- all the while documenting stuff as we go allong
- audit and review how we're doing.
For every element of the ISO 27001 you need to be able to tell the auditor:
- what your method is for implementing the requirement
- how and when you monitor the results of your implementation
- how and when you evaluate the results and identify possible improvements
- when you are planning to implement these improvements
- who's involved and who's responsible for each of these steps.
In ISO27DIY we deal with this by providing Policy Cards for every Clause and Control of the ISO 27001.
There's always our Controls Library with everything in Plain English, support by our consultants. When the time is ready, you can plan a preliminiary audit.
Principles
- work with what you got - keep doing what you do but make it 'compliant'
- work iteratively - you can always come back later
Metadata
- which 'slots' this scene fills