Various IT initiatives that can save time and cost on implementation phases are illustrated in figure 2. As explained earlier, an organization also needs to have a detailed understanding of the PDCA implementation phases to manage the costs of the project. The PDCA cycle is consistent with all auditable international standards: ISO 18001, 9001 and 14001. ISO/IEC 27001:2005 dictates the following PDCA steps for an organization to follow:
• Define an ISMS policy.
• Define the scope of the ISMS.
• Perform a security risk assessment.
• Manage the identified risk.
• Select controls to be implemented and applied.
• Prepare an SOA.
These suggested PDCA steps are further simplified and mapped (figures 1, 3 and 4) to the implementation phases developed for easy understanding and implementation—with the end objective of time and cost savings in mind. The following steps take into account the IT maturity within the organization and the review/registration process (see figure 4 for the details of the review and registration steps).
Phase 1—Identify Business Objectives
Stakeholders must buy in; identifying and prioritizing objectives is the step that will gain management support. Primary objectives can be derived from the company’s mission, strategic plan and IT goals. The objectives can be:
• Increased marketing potential
• Assurance to the business partners of the organization’s status with respect to information security
• Assurance to customers and partners about the organization’s commitment to information security, privacy and data protection
• Increased revenue and profitability by providing the highest level of security for customers’ sensitive data
• Identification of information assets and effective risk assessments
• Preservation of the organization’s reputation and standing among industry leaders
• Compliance with industry regulations
Figure 3—Mapping ISO/IEC 27001 Suggested Steps to Implementation Phases

ISO/IEC 27001:2005 Suggested Steps:
• Define an ISMS policy.
• Define the scope of the ISMS.
• Perform a security risk assessment.
• Manage the identified risk.
• Select controls to be implemented and applied.
• Prepare an SOA.

Implementation Phases:
• Phase 1—Identify business objectives.
• Phase 2—Obtain management support.
• Phase 3—Select the proper scope of implementation.
• Phase 4—Define a method of risk assessment.
• Phase 5—Prepare an inventory of information assets to protect, and rank assets according to risk classification based on risk assessment.
• Phase 6—Manage the risks, and create a risk treatment plan.
• Phase 7—Set up policies and procedures to control risks.
• Phase 8—Allocate resources, and train the staff.
Figure 4—Mapping Implementation Phases to Review and Registration Steps

Registration Steps:
• Management review and internal audit
• Registration and certification
• ISMS improvement

Implementation Phases:
• Phase 9—Monitor the implementation of the ISMS.
• Phase 10—Prepare for the certification audit.
• Phase 11—Conduct periodic reassessment audits:
  • Continual improvement
  • Corrective action
  • Preventive action