ISO 27001 – ISMS Implementation

    Service Overview

    Many businesses make significant investments in IT and information security and place substantial emphasis on protecting confidential or personal information while ensuring the availability and integrity of systems and data.


    To further mature their information security posture and to demonstrate their commitment to protecting the security and resilience of stakeholder information, organizations are implementing an ISO 27001:2022 Information Security Management System.

    Objectives

    The objectives of this initiative are as follows:

    • Meet the spirit and intent of numerous information security or privacy-related compliance requirements under one common program framework, or Information Security Management System (ISMS).
    • Include top leadership in governance of information security to take advantage of a defensible and sustainable information security program.
    • Leverage program transparency to better incorporate accountability, openness and communication in the Client's business operations and include this as a component of the Client's information security program strategy.
    • Achieve a world class certification issued by an independent registration body.

    Methodology

    This solution consists of the following service elements:

    1. Project Management
      1. DeepSeas Resources
        1. Security Program Manager (SPM).
      2. Projects are planned, executed, and closed using the following steps:
        1. Initialization / Initiation
          1. A meeting with project stakeholders and DeepSeas delivery resources to align on project objectives, timelines, and deliverables.
        2. Pre-Requisites / Planning
          1. Collection of all necessary information needed to execute the project.
        3. Service Delivery / Execution
          1. Execution of the project and in-scope activities, including:
            1. Workshops, interview sessions, office hours, scanning, testing, training, and other in-scope project-specific work.
        4. Project Close / Close Out
          1. Review and approval of deliverables.
          2. Project close.
    2. Gap Assessment
      1. Planning - Preparation necessary to conduct an effective gap assessment, including:
        1. Schedule Development - Scheduling, project plan creation, and resource identification.
      2. Assessment - Evaluation of controls maturity including:
        1. Interviews - Interviews with Subject Matter Experts, business leaders, and other parties with knowledge of Client's processes and environments.
        2. Artifact Review and Discussion - Evaluation of policies, procedures, plans, reports, and on-screen review of supportive documents or artifacts.
      3. Documentation - A Gap Assessment Report
        1. Gap Assessment Report - includes an executive summary of the process and maturity scoring.
        2. Maturity score - A score for each control which may include recommendations to enhance maturity of the Client's posture in this area.
          1. It is important to understand that a control can have a high maturity score and still score low for risk. However, this is not normally the case. A current risk assessment should be the touchstone for actionable items.
      4. Report - A report will be delivered and may include controls maturity recommendations, if any.
    3. Implementation

    Implementation is a shared responsibility between the Implementation Lead and the Client ISMS Lead.


    Project Phases shall consist of the following:

    1. Pre-Requisites / Planning - Collection of all necessary information needed to execute the program and deliver the Information Security Management System (ISMS).
      1. Inclusions of Implementation
        1. Vision and Traction Exercise - conducted with top management, the Client Program Sponsor, and key internal stakeholders. The purpose of this exercise/working meeting is:
          1. Explain the goals of the program and the participation it needs so that charters can be drafted.
          2. Define/confirm business risks top leadership would like the program to assist in controlling.
          3. Document the key results that are the expectation of top leadership.
          4. Define the objectives, key metrics, and governance model.
          5. Determine external stakeholders.
          6. Determine the needs and expectations of external stakeholders.
          7. Define internal interested parties for governance committee membership.
          8. Initial scoping discussion.
      2. Guided Documentation Development
        1. Development
          1. DeepSeas will provide documentation templates to the Client and advise on initial development based on the Implementation Plan selected or will review Client documentation for ISO 27001 conformance.
          2. DeepSeas will review the documentation and edits and accept all documents that align with ISO 27001 standards. Documents that require additional edits will be addressed through scheduled working sessions.
          3. DeepSeas will conduct working sessions for the duration and frequency defined in the scope.
            1. Working Session 1 - Foundational documents plus ISMS asset inventory and risk documentation.
            2. Working Session 2 - Client to complete an ISMS asset inventory and, in conjunction with DeepSeas, perform a risk assessment.
            3. Working Session 3 - Operational documentation (policies, standards) using output from the risk assessment and the control framework.
            4. If a Gap Assessment was performed, the results will be used as an additional factor in the risk assessment and treatment.
        2. Status Meetings
          1. DeepSeas will host regular status meetings to validate implementation tasks are on track and to address questions the Client may have regarding documentation development.
          2. DeepSeas will conduct status meetings for the duration and frequency defined in the scope.
    2. Service Delivery / Execution
      1. Program Execution / In-Scope Activities
        1. Workplan for implementation activities and status meeting for these required activities.
        2. Vision and Traction Exercise.
        3. Documentation interview/review working sessions.
        4. Asset inventory guidance.
        5. Risk assessment.
        6. Internal audit.
        7. External audit guidance.
    3. Program Close / Close Out
      1. Internal audit, Closing Meeting Minutes.
    4. Asset Gathering & Risk Assessment
      1. Asset Inventory Development
        1. The Client will develop an asset inventory based on the ISMS Asset Inventory document developed in Working Session 1; this inventory is used to conduct the risk assessment. The Client will assign asset owners and risk owners for each asset.
        2. DeepSeas will consult on the creation of risk profiles.
        3. DeepSeas will map the asset profiles to the Risk Assessment template.
      2. Risk Assessment Sessions
        1. The Risk Workbook template will be updated to reflect the acceptable risk threshold.
        2. DeepSeas will conduct risk interview sessions with the ISMS Manager and risk owners to evaluate harm and probability scoring and quantify CIA impacts for risks for all asset categories.
        3. Each risk will be assessed on:
          1. Likelihood of a measurable event occurring from exploitation of the vulnerability.
          2. Potential harm from exploitation of the vulnerability.
        4. Vulnerabilities/weaknesses will be prioritized based on risk to the organization and the impact to confidentiality, integrity, and availability.
      3. Documentation
        1. DeepSeas will develop a formal Risk Assessment Report documenting the risks, with advisories from DeepSeas if needed.
        2. The Client will conduct root cause analysis and document a risk treatment plan to remediate issues, thus reducing the risk. DeepSeas may provide guidance in this activity if required by the Client.
          1. If the Client has no root cause methodology in use, the 5 Whys method will be used for guidance.
        3. DeepSeas will guide the creation of risk treatment plans, if required.
    5. Internal Audit
      1. Planning - Preparation necessary to conduct an effective internal audit, including:
        1. Audit Scope Definition - Review the Scope of Registration and Statement of Applicability and create the Internal Audit Plan (schedule). This Plan is sent by DeepSeas to the ISMS Manager for review and approval or changes.
        2. Evidence/Artifact Staging - DeepSeas will send an Information Request List in advance. This is the guide the Client uses for gathering evidence for audit review.
          1. Population requests will be a component of the Information Request List. These are reports of a specified type of information needed before evidence upload so that the auditor can produce a sample list for the Client to use when drawing specific evidence.
          2. The Auditor predetermines the sampling methodology he or she will employ on the populations for testing.
          3. The Client uploads evidence into the DeepSeas audit repository for the internal auditor to access and review.
      2. Engagement - Conduct the opening meeting while communicating and clarifying the following:
        1. Audit scope, language, and audit criteria, including standards and regulatory, contractual, and legal requirements.
        2. Communication channels, roles, and responsibilities.
        3. The audit process for collecting and verifying objective evidence.
        4. Generating and reporting of audit findings and conclusions, including grading of non-conformities.
        5. Audits may be terminated if, through Client actions, the Lead Auditor determines that audit objectives cannot be met.
      3. Audit - Perform the audit through:
        1. Review of previous audit findings (if any) and corrective actions.
        2. Review of standards, processes, procedures, specifications, contracts, and other relevant documentation.
        3. Review of verifiable objective evidence or records to demonstrate compliance with documented policies, standards, and processes (Note: evidence will be collected by appropriate sampling and must be verified).
        4. Review of activities and supportive documentation.
        5. DeepSeas will evaluate the audit evidence against the audit criteria to generate audit findings. Audit findings will indicate non-conformities to mandatory and operational controls as well as opportunities for improvement.
      4. Presentation - Conduct the Closing Meeting:
        1. The audit findings and conclusions will be presented in a manner that is understood and acknowledged by the Client auditees.
        2. Closing Meeting minutes are distributed so the Client may begin remediation activities, including root cause analysis.
        3. Audit Reporting - An Internal Audit Report document will be securely delivered within two (2) to four (4) weeks of the Closing Meeting.
    6. External Audit Guide
      1. Pre-Audit - Preparation necessary to prepare for audit(s), including the following:
        1. Guidance on audit best practices.
        2. Advisory to the Client so that the Client can upload the correct evidence to the External Auditor.
      2. Audit Guide - DeepSeas will attend audit interview sessions and assist when:
        1. The Client needs guidance in support of the ISMS program.
        2. Questionable findings raised by the auditor need to be substantiated.
      3. Post Audit - Assist the Client in the following post-audit activities:
        1. Consulting on opportunities for improvement, if needed.
        2. The Client files Corrective Actions with root cause analysis within the allowable timeframe.
        3. Consulting on corrective actions for non-conformities, if needed.

    Deliverables

    DeepSeas will produce the following deliverables:

    1. Communication Plan - DeepSeas will build and maintain a communication plan to:
      1. Identify DeepSeas points of contact for projects planning/updates and escalation.
      2. Identify client points of contact for project planning/updates and escalation.
    2. Gap Assessment
      1. Gap Assessment Report - DeepSeas will deliver a report summarizing the findings of the initiative.
    3. Guided Documentation Development
      1. ISO 27001 Documentation Templates.
    4. Asset Gathering & Risk Assessment
      1. Risk Assessment Report - DeepSeas will deliver a risk assessment report with details pertinent to identified risks and the recommendations for remediation.
    5. Internal Audit
      1. Internal Audit Report - DeepSeas will provide an ISO 27001 Internal Audit Report to address:
        1. Identification of nonconforming clauses and controls.
        2. Determination for nonconformance: major or minor.
        3. Identification of opportunities for improvement.

    Service Assumptions

    Project-specific Assumptions

    1. Services, including internal audit, will be conducted remotely unless otherwise agreed upon in advance. The exception to this will be any Client whose business model is a data center (IaaS) or cloud provider:
      1. For internal audits of non-datacenter entities, a Client representative shall be available to perform a walk-through and walk-around for audit purposes using ICT.
      2. This provision does not apply to virtual organizations.
      3. Should a non-datacenter Client wish for an onsite audit, they shall request a form from DeepSeas to request and approve the onsite attendance.

    Client Responsibilities

    The Client is responsible for the completion of the following tasks, in accordance with agreed-upon timelines established as part of the project plan.

    1. Client to assign a point of contact (POC) responsible for client coordination and logistics.
    2. The Client is responsible for scheduling and coordination of internal client resources for all project work.
    3. Where applicable, Client to return completed interview schedule within two (2) weeks of initialization meeting.
    4. Where applicable, the Client must accept or return the amended interview schedule within two (2) weeks of commencement of the audit. Audit days are based on several factors, and changes can be requested. However, the number of days and the dates planned cannot be changed by the Client.