Risk Assessment
1. Get Acquainted with the Standard
As the person responsible for information security within your organization, whether you are the CEO, the owner, the CTO or the Information Security Officer, you should obtain a copy of the ISO/IEC 27002 code of practice and read it. On reading it you will realize that this is a management standard: essentially an overview of best practices for ensuring the integrity, confidentiality and availability of your business data.
2. Involve your Team
Initiate the first round of discussions with your employees at all levels and perform information security profiling within your organization.
3. Define the Scope of your Implementation
ISMS stands for Information Security Management System. At the outset it is important to define its scope, whether that is one layer of your company, a department, a floor or even a single process.
4. Get Started with a Risk Assessment
Define the risk assessment approach. You may want to look at ISO/IEC 27005, a sub-section of the 2700x series of standards that is specifically focused on risk assessment.
5. Identify your Information Assets
Identify both the tangible and the intangible assets within the scope of your ISMS. These assets range from people and buildings to everything in between.
6. Assess the Risk to the Assets
Perform a risk assessment exercise for the assets within the scope of your ISMS. This involves identifying the threats relevant to each asset, the vulnerabilities of the asset to each of those threats, the impact if a threat materialises, and the probability that it does.
7. Design a Risk Management Strategy
The relationship between an asset and a threat is considered a risk. Select controls from ISO/IEC 27001 that mitigate the identified risks; guidance on implementing these controls is given in ISO/IEC 27002. You may also need to define your own specific controls.
8. Obtain the Results of the Risk Assessment Required by ISO/IEC 27001
The most important report is the SoA, or Statement of Applicability, which should document the information security risk within the scope.
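Steps 5 to 8 describe one procedure: list assets, pair each with a threat and a vulnerability, rate impact and likelihood, pick controls, and summarise the outcome in a Statement of Applicability. The following is an added example (not from the article or from Stiki) that carries that procedure through in code for a constructed register. The 5x5 impact-times-likelihood rating, the risk appetite of 8, and the control identifiers such as CTL-BACKUP are assumptions of this example, not values from ISO/IEC 27001 or from the article.

```python
"""Toy risk register for an ISMS scope, following the article's steps 5-8.
Every asset, threat, rating and control id below is constructed for this
example; the CTL-* identifiers are placeholders, not ISO/IEC 27001 references."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Risk:
    """One register row: an asset exposed to a threat through a vulnerability."""
    asset: str
    threat: str
    vulnerability: str
    impact: int        # consequence if the threat materialises: 1 (negligible) .. 5 (severe)
    likelihood: int    # probability that it does: 1 (rare) .. 5 (almost certain)
    controls: List[str] = field(default_factory=list)  # control ids proposed to treat this risk

    def __post_init__(self) -> None:
        # Reject ratings outside the 1..5 scale so the register cannot hold nonsense scores
        for name in ("impact", "likelihood"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    def score(self) -> int:
        """Qualitative risk rating on a 5x5 matrix: impact multiplied by likelihood."""
        return self.impact * self.likelihood


def rank_risks(register: List[Risk]) -> List[Risk]:
    """Order the register by score, highest first, so treatment effort goes to the top rows."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def statement_of_applicability(register: List[Risk], catalogue: Dict[str, str],
                               appetite: int = 8) -> Dict[str, dict]:
    """Build an SoA: for every control in the catalogue, record whether it is applied and why.

    A control is applicable when it treats at least one risk whose score exceeds the
    risk appetite; otherwise it is excluded with a justification, which the SoA must
    also state for controls that are not applied."""
    soa: Dict[str, dict] = {}
    for control_id, title in catalogue.items():
        mapped = [r for r in register if control_id in r.controls]
        treated = [r for r in mapped if r.score() > appetite]
        if treated:
            reasons = "; ".join(f"{r.asset}/{r.threat} (score {r.score()})" for r in treated)
            entry = {"applicable": True, "justification": f"treats: {reasons}"}
        elif mapped:
            reasons = "; ".join(f"{r.asset}/{r.threat} (score {r.score()})" for r in mapped)
            entry = {"applicable": False,
                     "justification": f"risk accepted, within appetite {appetite}: {reasons}"}
        else:
            entry = {"applicable": False,
                     "justification": "no identified risk in scope requires this control"}
        entry["title"] = title
        soa[control_id] = entry
    return soa


# Constructed register for a small company's ISMS scope (step 5 and 6 output)
REGISTER: List[Risk] = [
    Risk("Customer database", "ransomware", "unpatched servers", 5, 4, ["CTL-BACKUP", "CTL-PATCH"]),
    Risk("Staff laptops", "theft", "no disk encryption", 4, 3, ["CTL-ENCRYPT"]),
    Risk("Office building", "flooding", "ground-floor server room", 3, 1, ["CTL-SITE"]),
    Risk("Employees", "phishing", "low security awareness", 3, 4, ["CTL-AWARENESS"]),
]

# Constructed control catalogue (placeholder ids; titles are illustrative only)
CONTROL_CATALOGUE: Dict[str, str] = {
    "CTL-BACKUP": "Information backup",
    "CTL-PATCH": "Management of technical vulnerabilities",
    "CTL-ENCRYPT": "Use of cryptography on mobile devices",
    "CTL-SITE": "Protection against physical and environmental threats",
    "CTL-AWARENESS": "Information security awareness, education and training",
    "CTL-CLOCK": "Clock synchronisation",
}


if __name__ == "__main__":
    print("Risk register, highest score first:")
    for r in rank_risks(REGISTER):
        print(f"  {r.score():2d}  {r.asset} / {r.threat} via {r.vulnerability}")
    print("\nStatement of Applicability:")
    for cid, row in statement_of_applicability(REGISTER, CONTROL_CATALOGUE).items():
        flag = "applied " if row["applicable"] else "excluded"
        print(f"  {cid:14s} {flag}  {row['title']}: {row['justification']}")
```

With the constructed register the ransomware risk to the customer database ranks first (score 20), the flooding risk (score 3) falls within the appetite and is accepted, so CTL-SITE is recorded as not applicable with that justification, and CTL-CLOCK is excluded because no risk in scope maps to it. The point of the exclusion entries is that an SoA documents every control in the catalogue, applied or not, each with a reason traceable to the register.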
9. Training and Awareness
Develop a customized, focused information security training program to build awareness of information security among everybody in your company.
10. Get Ready for Business Continuity Planning
The risk assessment is only one of the three steps required for a full implementation of ISO/IEC 27001. The other two are business continuity planning and the development of an organizational manual covering procedures, processes and policies.
Svana Helen Bjornsdottir, CEO of Stiki Limited, is an ISO 27001 certified auditor, consultant and trainer. She has many years of experience helping companies implement quality systems. For more information, please visit http://www.riskmanagementstudio.com
Article Source: http://www.articlesbase.com/security-articles/1st-step-to-isoiec-27001-certification-for-small-companies-1493503.html