Achieve ISO 27001 Certification Faster

Successful ISO 27001 certification involves organizational commitment, a well-defined scope, a proven methodology, and the experience of a trusted partner like Orange Parachute.

Document: Information Security Management System Framework

ISMS Framework Development (Phase II)

An Information Security Management System is an organization's structure for managing its people, processes and technology. It's the framework within which the activities of a business or business unit are defined, organized, managed and monitored.

In this phase, we take the findings from Phase I (the Assessment Phase) and establish a defensible, comprehensive framework for the development of repeatable, auditable, and measurable information security practices, together with a robust governance model.

Oftentimes, it becomes a simple matter of packaging. Because we have done this so many times, we have the expertise, tools and methodologies in place to package everything into a cohesive management system. Many of our clients already have a solid foundation in place, and we simply step in to make certain the ISMS is designed and implemented efficiently, saving our client both time and money.

Deliverables:

  • ISMS Implementation Workshop
  • Master Glossary - Definition of Terms
  • Information Security Policy, which serves as the foundation for the creation and implementation of enterprise-wide information security standards and processes
  • Statement of Applicability
  • Catalog of Controls
  • Defined and documented Program Level Roles and Responsibilities
  • Documented Responsibility Agreements between appropriate risk management functions
  • Information Security Office Mission and Charter
  • Completed ISMS Framework (from Policy all the way to completion of Tactical Processes)
  • Framework Schema reflective of your organization (i.e. your core ISMS as well as multiple division ISMS structures)
  • Developed, documented and adopted risk assessment methodology
  • Templates and tools to align the risk assessment with controls implementation
  • Analysis, interpretation and documentation of laws and regulations impacting your security program (PCI, SOX, HIPAA, GLBA, SB 1386, etc.)
  • Defined and documented Program Goals which are mapped to risk management strategies of your business
  • Conformance index for: PCI, SOX, HIPAA, GLBA, or any other regulations
  • Re-alignment or development of security standards that address directive, preventive, detective and/or reactive controls
  • Developed or realigned and documented security processes, e.g., security incident response, that meet ISO 27001 conformance including the identification of roles and responsibilities and relevant operational deliverables
  • ISMS Administration Plan
  • ISMS Evaluation Plan

Next Phase: ISMS Implementation
