[Figure: ISMS implementation roadmap. Phase 1 is Scope, Design and Build; Phase 2 is Implement, Operate, Monitor and Improve (the first cycle of Operate, Monitor and Improve); the ISMS then passes into BAU.
Milestones, in order along a timeline marked Start, 3 mths, 6 mths, 9 mths, 12 mths and 18 mths:
• ISMS scope & policy agreed
• Implementation plan agreed
• Implementation complete
• First cycle of internal audits and management reviews completed
• First cycle of ISMS improvements implemented
• ISMS BAU
Certification track: choose and engage Certification Board; Stage 1 Audit (the documentation check); Stage 2 Audit (“The Big One”); Certification Confirmed.
Plan-Do-Check-Act cycle as drawn: Plan = Establish the ISMS; Do = Implement and Operate; Check = Monitor and Review; Act = Maintain and Improve.]
We follow a two-phase approach, in line with the BSI’s preferred method, to helping clients implement an ISO27001-compliant ISMS. The objective of Phase 1 is to set up the scope and foundation elements of the ISMS, and to define the scope of activities for the next phase. Phase 1 includes:
• identifying the gaps between ISO27001 and your current processes and controls. Using or refining existing processes and controls to address these gaps reduces the time and effort required, but the design of new processes and controls may also be needed
• identifying your information assets and determining their value, through workshops and 1-to-1 meetings with key staff and management
• assessing the threats, vulnerabilities and risks to your information assets, and determining the options for treating these risks
• preparing the ISO27001 Statement of Applicability on your behalf
• preparing the scope and programme of work for Phase 2, and providing input to further business cases where funding or internal/external resources are required to implement or operate new or revised processes and controls
Our role in this phase of the engagement includes project management, facilitation, document writing and providing subject matter expertise. We can also liaise with the certification body on your behalf.
Phase 2 consists of four work streams:
• Implement is largely defined by the gap analysis and risk assessment activities from the prior phase. Implementation focuses on integrating new and revised security processes and controls into your operational security environment, including training the personnel earmarked to operate these processes and controls. Our role in this work stream would be project management, facilitating integration and providing training.
• Operate is the normal day-to-day operation of information security management. This includes the management of information security resources, security incident management, and training and awareness. Our role in this work stream would be to provide support and hand-holding to the staff responsible for running the ISMS.
• Monitor is the ongoing measurement and assessment of the effectiveness of the security controls and of the ISMS itself. This includes activities such as assessing control KPIs, testing control effectiveness, internal audit of the ISMS and management review. Our role in this work stream would be performing effectiveness reviews and internal audits of the ISMS on your behalf.
• Improve is about taking the outputs from the Monitor work stream and identifying and deciding on improvements to the ISMS and the security controls. Our role here would be to help you design those improvements and to integrate them back into the operational ISMS.
Once the integration of the ISMS processes and controls is complete, the ISMS becomes a Business-As-Usual (BAU) system, fully operated by your staff, continuously monitoring and improving information security within your business.
Our role from this point onwards would be to support the ‘Plan-Do-Check-Act’ cycle required for continuous improvement of the ISMS: providing resource and expertise for effectiveness reviews, performing the required internal audits of the ISMS, and providing advice and support for managing ISMS change on a ‘call-off’ basis.