ISO 27001
Suggested Template for the ISMS
There are a large number of sites where you can download for a fee a template (see IT Governance for a good one). I have included here what I think a useful ISMS would contain rather than just a compliant ISMS.
ISMS Scope
Physical Boundaries
System(s)/Network Description with boundaries
Information Description and Business reason
ISMS
Purpose
Executive Summary
Scope (see above) detail
Objectives (describe how)
-
Identifying assets and risks to those assets.
-
Reducing or eliminating incidents.
-
Minimising the impact of incidents.
-
Continuous improvement
-
Maintaining and enhancing esteem and reputation.
-
Reducing down-time.
-
Protecting privacy.
Principles
-
Top Management are responsible for the ISMS.
-
All employees will be educated in the ISMS.
-
Risks will be assessed and controls will be proportionate.
-
Risks will be managed (Transferred, Treated, Terminated, Tolerated).
-
Discipline (compliance with policy) will be enforced.
Responsibilities
-
For Governance – CISO.
-
For Management – Security Working Group.
-
For Training & awareness – Corporate.
-
Cross Reference with Roles & responsibilities.
Key Outcomes
-
Lower financial loss.
-
Confidence and assurance of privacy.
-
Satisfied customer / supplier base.
-
Enhanced employee satisfaction.
-
Shareholder values increase.
-
Society stakeholder (regulatory) confidence.
Related Policies and Procedures.
List with hyper link to all relevant (appropriate as compliant with Annex A / Statement of Applicability) including local interpretation as required.
Reference to other Mandatory documents (hyperlink when complete).m
Risk Assessment Methodology statement.
Qualitative or Quantitative.
Compliance with ISO 31000 / ISO 27001
Risk Attitude (Appetite / Tolerance) Statement.
Brief Outline of Audit Programme
Conclusion – Senior Management Commitment / Sign Off.