Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...


A guide on how to establish and implement an ISMS and the run of your ISMS. Planning consists of annual activities and of monthly or quarterly activities. (the CISO's planning for the year/quarter/month)

To make a yearly plan:
The CISO should make his own plan, implement it in the company,  check internal (f.i. business) external (f.i. law) changes, check compliance compliancy and make a plan for the next year to implement findings out of the evaluation.  Part of the yearly plan will be quarterly or monthly activities.

1.1 Security Improvement Activities

ActivityReasonResultRecurrrenceDateReference to Security goals in the ISMS

Status*

Implement IDSsee an increase of attacksEarly warning of an attack
2 august 2018Goal nr. 2 to detect and react and mitigate security attacksIn progress
GAP analysisPrioritisationProject initiationAnnually


Review of existing controlsEvaluate risk treatment controlsProject initiationAnnually



1.2 Plan for Risk assessment

DepartmentAreaRecurrenceNext Date

Status*

Quality ManagementRisk registerQuarterly

Quality management

Risk acceptance (system owner/senior management)2/year

Quality managementSecurity and risk management systemAnnual

Risk assessmentAll new major changes must be approvedOn need

Risk assessmentAll new systems must be approvedOn need


1.3 Awareness and Security training

Department/roleTraining/AwarenessRecurrenceDate

Status

AllHow to detect phishing2/year4 October 2017Completed
AllNewsletter/blog on actual eventsMonthly

All or targeted groupsPhishing testBi-monthly

New employeesInitial security training/onboardingMonthly


Existing employeesSkill upgradeAnnual

Quality managementReview training materialAnnual


1.4 Internal Audit

AreaTypeRecurrenceNext Date

Status*

AccountingLogical AccessQuarterly11 November 2017Planned
HR systemLogical AccessQuarterly

DatacenterPhysical Access2/year

All admin accountsLogical Access2/year

All user accountsLogical AccessAnually

Quality ManagementSecurity Processes, procedures, SOP's etc.Anually


1.5 Reporting

TypeReccurenceDue date for reportDue date for management review

Status

Annual reportAnnual30th november 201714th december 2017In progress
Board reportQuarterly14 days before board meetingFeb 20th 2018Planned
Board presentationQuarterly14 days before board meetingFeb 20th 2018Planned
Top risksMonthlyMarch 1st 2018March 5th 2018In progresss


Establish an ISMS

what's needed to be planned is; 

...


Implement an ISMS


Run your ISMS

What kind of planning, measurements will you have in place when the ISMS is in place.


Evaluate your ISMS
What have I learned

whatWhat's needed to be planned and put under the points above

  • Make a risk registerregistry
  • Make a risk inventory 
  • Make sure that you have an asset inventory
  • Risk assessments
  • Make sure you have a Risk Treatment
  • Awareness training
  • Plan a security training
  • Plan to make policies
  • Check compliance with policies
    • ReviewingAuditing 
    • Auditing


To put in: Security by Design - What to look at when you have a new product or service run.


Legend
Status
Planned
In progress
Completed
Cancelled

Future work

References to ISO 27K framework