Various IT initiatives that can save time and cost on
implementation phases are illustrated in figure 2. As explained
earlier, an organization also needs to have the detailed
understanding of PDCA implementation phases to manage
the costs of the project. The cycle of PDCA is consistent with
all auditable international standards: ISO 18001, 9001 and
14001. ISO/IEC 27001:2005 dictates the following PDCA
steps for an organization to follow:
• Define an ISMS policy.
• Define the scope of the ISMS.
• Perform a security risk assessment.
• Manage the identified risk.
• Select controls to be implemented and applied.
• Prepare an SOA.
These suggested PDCA steps are further simplified and
mapped (figures 1, 3 and 4) to the implementation phases
developed for easy understanding and implementation—with
the end objective of time and cost savings in mind. The
following steps take into account the IT maturity within the
organization and the review/registration process (see figure 4
for the details of review and registration steps).
Phase 1—Identify Business Objectives
Stakeholders must buy in; identifying and prioritizing
objectives is the step that will gain management support.
Primary objectives can be derived from the company’s
mission, strategic plan and IT goals. The objectives can be:
• Increased marketing potential
• Assurance to the business partners of the organization’s
status with respect to information security
• Assurance to customers and partners about the
organization’s commitment to information security, privacy
and data protection
• Increased revenue and profitability by providing the highest
level of security for customers’ sensitive data
• Identification of information assets and effective
• Preservation of the organization’s reputation and standing
among industry leaders
• Compliance with industry regulations
Figure 3—Mapping ISO/IEC 27001 Suggested Steps to
ISO/IEC 27001 suggested steps:
• Define an ISMS policy.
• Define the scope of the ISMS.
• Perform a security risk assessment.
• Select controls to be implemented and applied.
• Prepare an SOA.
Implementation phases:
• Phase 1—Identify business objectives.
• Phase 2—Obtain management support.
• Phase 3—Select the proper scope of
• Phase 4—Define a method of risk
• Phase 5—Prepare an inventory of information assets to protect, and rank assets according to risk classification based on risk assessment.
• Phase 6—Manage the risks, and create a risk
• Phase 7—Set up policies and procedures to
• Phase 8—Allocate resources, and train the
Figure 4—Mapping Implementation Phases to Review and Registration Steps
Review and registration steps:
• and internal audit
Implementation phases:
• Phase 9—Monitor the implementation of the ISMS.
• Phase 10—Prepare for the certification audit.
• Phase 11—Conduct periodic reassessment
  • Continual improvement
  • Corrective action
  • Preventive action