1. Industry Selection
Pick your primary industry. This will help pre-fill relevant risks and suggest starter controls for your ISMS.
2. Project Charter
Define the high-level scope, executive sponsor, and key business drivers for your ISMS project.
- A distinct project name and its intended start date.
- The name and role of the executive sponsor who champions this initiative.
- The primary business drivers (e.g., regulatory compliance, enhancing customer trust, competitive advantage).
3. Scope & Context of the Organization
Define what parts of your organization are covered by the ISMS and understand the internal/external environment.
- Which departments, processes, locations, or services are in-scope?
- What are the key internal and external issues (e.g., company culture, legal requirements like GDPR, technological dependencies)?
- Who are the interested parties and what are their requirements (e.g., customers, employees, regulators, shareholders)?
4. Information Security Risk Assessment
Identify, analyze, and evaluate information security risks relevant to your organization.
- Define risk scenarios specific to your context.
- Assess Likelihood (1-5, where 5 is very likely) and Impact (1-5, where 5 is very severe).
- The system suggests some risks based on the industry you selected; feel free to customize them or add more.
| Risk Scenario | Likelihood (1-5) | Impact (1-5) |
|---|---|---|

No risks added yet. Risks may be pre-filled based on industry selection, or you can add them manually.
5. Statement of Applicability (SoA)
- Initial controls are recommended based on your selected industry and the risks you identified.
- All controls you manage (recommended or manually added) appear in the table below.
Your Statement of Applicability Controls
| Include | Control (Code & Description) | Priority | Rationale for Applicability / Exclusion |
|---|---|---|---|

No controls added to your SoA yet. Controls may be added automatically based on industry/risks, or use the "Add Controls from Annex A" section below.
Add Controls from Annex A
6. Information Security Policy
Draft the main sections of your high-level Information Security Policy document.
7. People Controls & Training (Annex A.6)
- Select applicable methods and processes for each control.
- Note where evidence of these processes is documented (e.g., HR system, Employee Handbook).
A.6.1 Screening
A.6.2 Terms and conditions of employment
A.6.3 Information security awareness, education and training
A.6.4 Disciplinary process
A.6.5 Responsibilities after termination or change of employment
A.6.6 Confidentiality or non-disclosure agreements
A.6.7 Remote working
A.6.8 Information security event reporting
8. Operational Planning & Control (ISO 27001 Clause 8)
Plan, implement, and control the processes needed to meet information security requirements and to implement the actions determined in risk treatment.
- Control Implementation Tasks: Translate your selected SoA controls into actionable tasks with owners and due dates.
- Change Management: Define how changes to the ISMS or critical systems are planned, approved, and implemented.
- Documentation: Note where evidence of these operational processes and their outputs is stored.
Control Implementation Tasks
| Task Description (derived from SoA control) | Owner | Due Date | Status | Notes/Evidence Link |
|---|---|---|---|---|

No operational tasks added yet. Consider adding tasks for implementing your selected controls.
9. Performance Evaluation
Monitor, measure, analyze, and evaluate your information security performance and the effectiveness of the ISMS.
- Monitoring & Measurement (9.1): Define what will be monitored, how, and when (e.g., Key Performance Indicators (KPIs)).
- Internal Audit (9.2): Plan and conduct internal audits at planned intervals to ensure the ISMS conforms to requirements and is effectively implemented.
- Management Review (9.3): Top management must review the ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.
9.1 Information Security Objectives & KPIs
| Metric/KPI (What to measure?) | Target (What is good performance?) | Frequency (How often to measure?) | Data Source/Method (How to measure?) |
|---|---|---|---|

No KPIs defined yet. Add metrics to track your ISMS performance.
9.2 Internal Audit Program
| Planned Audit Date | Lead Auditor(s) | Scope of Audit | Report/Evidence Location |
|---|---|---|---|

No internal audits scheduled yet. Plan your audit program.
9.3 Management Review Meetings
| Review Date | Key Attendees | Main Agenda Items (Topics Discussed) | Minutes/Decisions Location |
|---|---|---|---|

No management reviews recorded. Schedule regular reviews of the ISMS.
10. Continual Improvement & Export
- Nonconformity & Corrective Action (10.1): When a nonconformity occurs (e.g., from an audit finding or incident), take action to control and correct it, deal with consequences, and determine/implement corrective actions to prevent recurrence.
- Continual Improvement (10.2): Identify opportunities for improvement and make changes to enhance ISMS performance.
- Export: Prepare to generate your ISMS documentation.
10.1 Nonconformities & Corrective Actions Log
| Date Found | Nonconformity/Finding | Corrective Action(s) | Owner | Due Date | Status | Evidence of Closure |
|---|---|---|---|---|---|---|

No corrective actions logged. This log is crucial for managing and tracking improvements.
10.2 Continual Improvement Mechanisms
How does your organization capture and consider suggestions for improving the ISMS?
Export Your ISMS Documentation Pack