
This methodology is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported licence.

T&P METHODOLOGY for implementation of Information Security Management System

Version: 02 Type: Final Confidentiality: Internal use Date: 01-02-2010

Skopje 2010

WE ARE PROUD OF TRAJKOVSKI & PARTNERS PROFESSIONAL ACHIEVEMENTS AND ITS EXPERTS

Certificate for a successfully implemented and managed Quality Management System based on ISO 9001:2008. The system was implemented and initially certified by British Standard Institute UK in 2004. With the last recertification the validity of the certificate is extended until 2010. FS 84157 ISO9001:2008

Certificate for a successfully implemented and managed Information Security Management System based on ISO 27001:2005. The system was implemented and initially certified by British Standard Institute UK in 2004. With the last recertification the validity of the certificate is extended until 2010. IS 84158 ISO27001:2005

Trajkovski & Partners is a member of the British Standard Institute UK Associate Consultant Programme. ACP is a network of consulting companies. Membership in the ACP network attests to proven competence for implementation of management systems based on ISO standards. In the case of T&P (ACP 182) this means competence for ISO 9001:2008 and ISO 27001:2005.

Trajkovski & Partners is a founder and member of the International Telecommunications and IT Consultants Group ITIC. The group was founded by 15 European companies including Trajkovski & Partners from the Republic of Macedonia.

Trajkovski & Partners is a founder and member of the IT Service Management Forum Macedonia, itSMF Macedonia. This forum contributes to and works for the promotion of quality in the IT service management profession through training and certification of its members.

Trajkovski & Partners consultants include 4 Certified Management Consultants.

ISACA - Information Systems Audit and Control Association, http://www.isaca.org/

Trajkovski & Partners experts' competence is proven by worldwide recognised professional certificates in the areas of IT design, implementation and management of information systems. Specific certificates held by T&P consultants are:
- CISA Certified Information Systems Auditor
- CISM Certified Information Security Manager
- CGEIT Certified in the Governance of Enterprise IT

T&P METHODOLOGY FOR IMPLEMENTATION OF INFORMATION SECURITY MANAGEMENT SYSTEM


Revision No. 02 Page 3 of 9 Print date: 01.02.2010

T&P Methodology for implementation of Information Security Management System

1. Introduction
Through our years of experience we have worked with many different methodologies for the implementation of management systems based on the corresponding standards. Adopting the most suitable elements of all those methodologies, T&P has extended the recommended BSi methodology to include specific activities and implementation steps that are in accordance with the requirements of the client. Trajkovski & Partners Consulting has developed a specific Methodology for implementation of an Information Security Management System (ISMS) based on ISO 27001:2005.

Objective
The purpose of the T&P Methodology for implementation of Information Security Management System is to ensure high quality implementations that bring maximum benefits and achievement of the desired outcomes with minimum disruption to the client's operations during the project. The T&P Methodology for implementation of Information Security Management System is designed to be a flexible roadmap of the paths to be taken to ensure the best possible outcomes from implementation projects.


Relevant terms and definitions

Terms and definitions
- Information security: preservation of confidentiality, integrity and availability of information
- ISMS (Information security management system): that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
- Risk management: coordinated activities to direct and control an organization with regard to risk
- Process: set of interrelated or interacting activities which transforms inputs into outputs
- Procedure: specified way to carry out an activity or a process
- Policy: deliberate plan of action to guide decisions and achieve rational outcome(s)

2. Approach for implementation

Good implementations are a balance of three elements: people, process and technology. This methodology ensures that the people who will use the management system each day and who need to improve operational performance are placed at the centre of all considerations. This is the key to delivering high productivity from new management systems.


The activities that are part of this methodology reflect an integrative approach. The key activities of this implementation approach, which are presented in the figure, are organized in four phases and described below:

Phase 1: Readiness for Implementation
- Creating a project team consisting of the Client's employees for continual involvement in the implementation process and collaboration with the consultant team
- Definition and acceptance of the project ground rules (implementation plan, roles and responsibilities of the Client's project team members and consultant team members, communication plan) by defining and signing the Project charter
- Training for managers and the project team as an introduction to the basic aspects and requirements of ISMS
- Understanding the business and operations of the Client
- Definition of the scope of the Information Security Management System
- GAP / readiness assessment: this assessment will help us understand the preparedness of the Client for implementation of ISMS and will result in concrete steps for the implementation
- Definition of the corporate Policy for the ISMS and the roles and responsibilities of the employees regarding the ISMS

Phase 2: Setting the framework for the ISMS
- Identification of critical processes and activities
- Training for managers and the project team in risk management
- Conducting a risk assessment based on the T&P Risk Management Methodology
- Preparation of a risk treatment plan and selection of the corresponding controls

Phase 3: Establishing the ISMS
- Training for project team members: Establishing the ISMS
- Group session for defining the process goals and performance indicators and defining the documentation hierarchy
- ISMS development (development of core business procedures and supporting procedures, deployment and documentation of the ISMS manual)
- Approving the ISMS manual and supporting documentation
- Training for project team members: Implementing the ISMS
- Plan for implementation of the documented ISMS
- Training for all employees on the subject of ISMS awareness


Phase 4: Monitoring and Control of the ISMS
- Training on the subject of ISMS internal audit for the internal audit team
- Assistance in the realization of the internal audit
- Assistance in documenting the corrective and preventive actions
- Assistance in conducting and documenting a Management review meeting
- Measuring the effectiveness of corrective actions
- Preparation for the certification audit

Supporting Activities (from start to end of the project)
- Project Management (planning, monitoring, coordinating and quality assurance)
- Project Management Office (virtual collaborative space with reference documents, templates and additional materials, and communication tools: chat, e-mail, discussion forums)

3. Expected results
The results expected from the activities described above are:
- R1 GAP/Readiness assessment report
- R2 ISMS Policy and Scope
- R3 Asset inventory
- R4 Risk assessment report
- R5 Risk treatment plan
- R6 ISMS Manual
- R7 Documented policies and procedures
- R8 Plan for implementation of the documented system
- R9 Training handouts
- R10 Internal audit plan and report
- R11 Management review meeting agenda and report
- R12 Corrective and preventive action logs
- R13 Pre-certification assessment report

There are also some internal results mentioned above; these are part of the T&P operative procedures and are implemented in this methodology:
- IR1 Project Charter
- IR2 Progress reports
- IR3 Project closure report
- IR4 Post-assignment satisfaction survey


4. Roles and responsibilities


For the successful realization of an ISMS implementation project we have defined the following roles as crucial. Their responsibilities are defined below:

Project manager
The project manager should plan, organize and coordinate the project activities, communicate with all interested parties, control the project, etc.

Project team members
Consultants and information security experts who are included in the realization of the project activities: performing the risk management, documenting the processes and procedures, delivering trainings, taking part in the working sessions, etc.

Risk management expert
A consultant with experience and extensive knowledge in the area of risk management will be responsible for coordination of the risk management process. This expert should introduce all participants to the basic aspects of the risk assessment process, should be included in the conduct of the risk assessment, and should consolidate the results from all risk assessment team members into one cohesive Risk assessment report and Risk treatment action plan.

Quality assurance
The responsible consultant should ensure the quality of the results by reviewing all results and making sure that all requirements and criteria are satisfied.

5. References to other standards or methodologies


- BSi methodology for implementation of ISO 27001:2005
- ISO/IEC 27000:2009 Information technology - Security techniques - Information security management systems - Overview and vocabulary
- ISO/IEC 27002:2005 Information technology - Security techniques - Code of practice for information security management
- ISO/IEC FCD 27003 Information technology - Security techniques - Information security management system implementation guidance
- ISO/IEC 27005:2008 Information technology - Security techniques - Information security risk management
- ISO/IEC CD 27007 Information technology - Security techniques - Guidelines for information security management systems auditing
- T&P Risk management methodology
- ISO 31000 Risk management - Guidelines on principles and implementation of risk management


6. Tools
- GAP assessment toolkit
- Risk assessment toolkit
- Information security management toolkit
- Workspace for project collaboration

Important Note:
This methodology is used as a guide; the amount of work and the detail required for each step remain at the judgment of the project team and the decision of the project manager. The implementation project is not an objective in itself; it is merely a path to the real objectives - improved operations and business outcomes!

Attribution-ShareAlike 3.0 Unported

You are free:
- to Share - to copy, distribute and transmit the work
- to Remix - to adapt the work

Under the following conditions:

Attribution. You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work).

Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

For any reuse or distribution, you must make clear to others the license terms of this work. The best way to do this is with a link to this web page. Any of the above conditions can be waived if you get permission from the copyright holder. Nothing in this license impairs or restricts the author's moral rights.
