This section should also cover ISO 27001 chapter 10: Improvement
A guide on how to establish, implement and run an ISMS. Planning consists of annual activities and of monthly or quarterly activities (the CISO's planning for the year, quarter and month).
To make a yearly plan:
The CISO draws up the plan, implements it in the company, checks for internal (e.g. business) and external (e.g. legal) changes, checks compliance, and makes a plan for the next year that implements the findings of the evaluation. Part of the yearly plan will consist of quarterly or monthly activities.
1.1 Security Improvement Activities
Activity | Reason | Result | Recurrence | Date | Reference to security goals in the ISMS | Status* |
---|---|---|---|---|---|---|
Implement IDS | Increase in attacks observed | Early warning of an attack | | 2 August 2018 | Goal nr. 2: detect, react to and mitigate security attacks | In progress |
GAP analysis | Prioritisation | Project initiation | Annually | | | |
Review of existing controls | Evaluate risk treatment controls | Project initiation | Annually | | | |
1.2 Plan for Risk assessment
Department | Area | Recurrence | Next date | Status* |
---|---|---|---|---|
Quality management | Risk register | Quarterly | | |
Quality management | Risk acceptance (system owner/senior management) | 2/year | | |
Quality management | Security and risk management system | Annual | | |
Risk assessment | All new major changes must be approved | On need | | |
Risk assessment | All new systems must be approved | On need | | |
1.3 Awareness and Security training
Department/role | Training/awareness | Recurrence | Date | Status* |
---|---|---|---|---|
All | How to detect phishing | 2/year | 4 October 2017 | Completed |
All | Newsletter/blog on current events | Monthly | | |
All or targeted groups | Phishing test | Bi-monthly | | |
New employees | Initial security training/onboarding | Monthly | | |
Existing employees | Skill upgrade | Annual | | |
Quality management | Review training material | Annual | | |
1.4 Internal Audit
Area | Type | Recurrence | Next date | Status* |
---|---|---|---|---|
Accounting | Logical access | Quarterly | 11 November 2017 | Planned |
HR system | Logical access | Quarterly | | |
Datacenter | Physical access | 2/year | | |
All admin accounts | Logical access | 2/year | | |
All user accounts | Logical access | Annually | | |
Quality management | Security processes, procedures, SOPs, etc. | Annually | | |
1.5 Reporting
Type | Recurrence | Due date for report | Due date for management review | Status* |
---|---|---|---|---|
Annual report | Annual | 30 November 2017 | 14 December 2017 | In progress |
Board report | Quarterly | 14 days before board meeting | 20 February 2018 | Planned |
Board presentation | Quarterly | 14 days before board meeting | 20 February 2018 | Planned |
Top risks | Monthly | 1 March 2018 | 5 March 2018 | In progress |
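The planning tables in 1.1 to 1.5 all share two working columns: a recurrence (Monthly, Bi-monthly, Quarterly, 2/year, Annual, On need) and a status drawn from the legend (Planned, In progress, Completed, Cancelled). The following script is an added example, not part of the original page, showing how a CISO can keep such a register in code rather than in a spreadsheet: it derives the next due date of every row from its recurrence and last completion date, flags rows whose status is not in the legend, and lists what is overdue at a chosen review date. The rows in `PLAN` are constructed sample data in the style of the tables above, not the page's plan.

```python
"""ISMS plan register (added example, not from the original page).

Derives next due dates from the recurrence vocabulary used in the planning
tables (Monthly, Bi-monthly, Quarterly, 2/year, Annual, On need), checks
each row's status against the page's legend (Planned, In progress,
Completed, Cancelled) and lists what is overdue at a given review date.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import calendar

# Status values allowed by the page's legend.
STATUS_LEGEND = {"Planned", "In progress", "Completed", "Cancelled"}

# Recurrence label (lower-cased) -> interval in months; None = no fixed cycle.
# Labels not in this table are treated like "On need" (no fixed cycle).
RECURRENCE_MONTHS = {
    "monthly": 1, "bi-monthly": 2, "quarterly": 3, "2/year": 6,
    "annual": 12, "annually": 12, "on need": None,
}

@dataclass
class PlanItem:
    section: str              # planning table the row belongs to, e.g. "1.4 Internal Audit"
    name: str                 # activity / audit / training / report
    recurrence: str           # one of the labels in RECURRENCE_MONTHS
    last_done: Optional[str]  # ISO date of the last completed cycle, or None
    status: str               # should be a value from STATUS_LEGEND

# Constructed rows in the style of sections 1.1-1.5 (sample data, not the page's plan).
PLAN = [
    PlanItem("1.4 Internal Audit", "Accounting logical access review", "Quarterly", "2017-11-11", "Completed"),
    PlanItem("1.3 Awareness and Security training", "How to detect phishing", "2/year", "2017-10-04", "Completed"),
    PlanItem("1.5 Reporting", "Annual report", "Annual", "2017-11-30", "Completed"),
    PlanItem("1.5 Reporting", "Top risks", "Monthly", "2018-01-31", "In progress"),
    PlanItem("1.2 Plan for Risk assessment", "Approve new systems", "On need", None, "Planned"),
    PlanItem("1.1 Security Improvement Activities", "Implement IDS", "Annual", None, "Done"),  # status outside legend
]

def add_months(d: date, months: int) -> date:
    """Shift a date by whole months, clamping the day to the target month's length
    (31 January + 1 month -> 28 February), so a cycle never silently skips a month."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def next_due(item: PlanItem) -> Optional[str]:
    """ISO date of the next cycle, or None for 'On need' rows and rows never performed."""
    interval = RECURRENCE_MONTHS.get(item.recurrence.strip().lower())
    if interval is None or item.last_done is None:
        return None
    return add_months(date.fromisoformat(item.last_done), interval).isoformat()

def invalid_statuses(items):
    """Rows whose status is not in the legend (typical drift in a hand-kept register)."""
    return [(i.section, i.name, i.status) for i in items if i.status not in STATUS_LEGEND]

def overdue_items(items, as_of: str):
    """Rows whose next cycle was due before `as_of` (ISO date), oldest first.
    Cancelled rows are skipped; a Completed status refers to the previous cycle,
    so a completed row still becomes overdue once its next cycle passes."""
    out = []
    for item in items:
        due = next_due(item)
        if due is not None and due < as_of and item.status != "Cancelled":
            out.append((due, item.section, item.name))
    return sorted(out)

if __name__ == "__main__":
    for row in overdue_items(PLAN, "2018-03-01"):
        print("OVERDUE", *row)
    for row in invalid_statuses(PLAN):
        print("UNKNOWN STATUS", *row)
```

Run before each monthly or quarterly review with the review date as `as_of`; the overdue list is the input for the "Next date" and "Status" columns, and the invalid-status list catches rows that would otherwise fall outside the legend and out of the management report.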
Establish an ISMS
What needs to be planned is:
- what will be done
- what resources will be required
- who will be responsible
- when it will be completed
- how the results will be evaluated (clause 6.2 of ISO 27001)
Implement an ISMS
Run your ISMS
What kind of planning and measurements will be in place once the ISMS is running?
Evaluate your ISMS
What have I learned?
What needs to be planned and placed under the points above:
- Make a risk register
- Make a risk inventory
- Make sure that you have an asset inventory
- Risk assessments
- Make sure you have a risk treatment plan
- Awareness training
- Plan a security training
- Plan to make policies
- Check compliance with policies
- Reviewing
- Auditing
To add: Security by Design - what to look at when a new product or service is launched.
Legend: Status* |
---|
Planned |
In progress |
Completed |
Cancelled |
Future work
References to the ISO 27K framework