Once you have gone through clause 4 through to clause 10 as detailed above, you have designed and implemented your ISMS! An ISMS, once established, should be a well-oiled machine that continually operates within a yearly cycle.
Before AssuranceLab can certify your organisation against ISO 27001 or affiliated standards, you must have gone through the below cycle at LEAST once.
How do I know if I’ve completed the above cycle?
Since the full cycle of an ISMS is interconnected and each step feeds into the next, it is important to understand the key action items for each step of the process. Below is a simple checklist you can follow to assess what is left to do in your first ISMS cycle.
| ISO Ref | Action Item / Key Document | Completed |
| --- | --- | --- |
| 4.3 | Documented ISMS Scope | |
| 5.2 | Documented Information Security Policy | |
| 6.1.1, 6.1.2 | Completed and Documented Risk Assessment | |
| 6.1.3 | Documented Risk Treatment Plans against identified risks | |
| 6.1.3 | Documented Statement of Applicability | |
| 6.2 | Documented ISMS Objectives | |
| 9.1 | Evidence of metrics and measurements recorded to determine the performance of the ISMS. (Note: These should be in line with the ISMS objectives defined in 6.2) | |
| 9.2 | Completed and documented an Internal Audit | |
| 9.3 | Completed and documented a Management Review | |
| 10.2 | Documented Corrective Actions register with all identified non-conformities, be it from an AssuranceLab audit, internal audit or management review. | |
I’ve completed the cycle: where does each piece of evidence go in Pillar?
| ISO Ref | Action Item / Key Document | Pillar ID |
| --- | --- | --- |
| 4.3 | Documented ISMS Scope | ISMS01 |
| 5.2 | Documented Information Security Policy | ISMS02 |
| 6.1.1, 6.1.2 | Completed and Documented Risk Assessment | RAP05 |
| 6.1.3 | Documented Risk Treatment Plans against identified risks | RAP08 |
| 6.1.3 | Documented Statement of Applicability | SOA01 |
| 6.2 | Documented ISMS Objectives | ETC02 |
| 9.1 | Evidence of metrics and measurements recorded to determine the performance of the ISMS. (Note: These should be in line with the ISMS objectives defined in 6.2) | ETC06 |
| 9.2 | Completed and documented Internal Audit | MOC14 |
| 9.3 | Completed and documented Management Review | MGT04 |
| 10.2 | Documented Corrective Actions register with any/all findings from Stage 1, internal audit and management reviews logged | MOC03 |