What preparations should enterprises do before applying for ISO27000 certification?
Time: 2022-03-24

Before applying for ISO27000 certification, an enterprise should carry out internal education and training in advance. On the one hand, this strengthens employees' awareness of corporate information security and clarifies the basic requirements of the information security management system; on the other hand, it lets the staff involved understand what ISO27000 certification is and prepare for the certification work that follows. In short, training employees on the information security management system standards and related knowledge is essential, and it is one of the key factors in managing information security well.


1. Make a plan


The establishment and maintenance of an information security management system is a complex undertaking that includes internal training, risk assessment, document preparation, operation, audit, and corrective and preventive measures. To ensure that the system is established smoothly, the enterprise should make overall arrangements: formulate a practical work plan, clarify the task objectives and division of responsibilities for each period, control the work progress, and highlight the focus of the work, for example by using a project schedule. Once the master plan is approved, detailed plans for specific work items, such as a document preparation plan, can be developed. When formulating plans, enterprises should consider resource requirements, such as personnel needs, training funds, office facilities, and the cost of hiring a consulting firm. If third-party certification of the system is sought, the cost of certification should also be considered. Together these determine the human and financial resources necessary to establish the system.


2. Determine the information security policy and the scope of the information security management system


An information security policy sets out the rules and instructions on how assets, including sensitive information, are managed, protected and distributed within an enterprise. The information security policy referred to here is the overall policy for enterprise information security. The enterprise should first formulate this policy: describe the importance of information security to the enterprise, state the commitment of management, and set out the enterprise's approach to managing information security, so as to provide management direction and support for enterprise information security.


3. Status investigation and risk assessment


The investigation of the current status of enterprise information security management and the risk assessment are the foundation and key to establishing an information security management system. Within the whole process of establishing the system, risk assessment accounts for a large share of the workload, and the quality of the risk assessment directly determines the quality of the resulting security controls. The enterprise should therefore designate a dedicated department to be responsible for this foundational work. The risk assessors should understand the basic requirements of the standard, master the risk assessment method, and be familiar with the enterprise's business processes and information systems. Risk assessment requires the participation of management, information technology and operations personnel from different departments, and the support of information security experts should be obtained when necessary. The results of the risk assessment should be reviewed and confirmed.


4. Information security management system planning


After completing the status investigation and risk assessment, the enterprise should clarify the enterprise's information security structure and responsibilities, select the control objectives and control methods, write a control summary, develop a business continuity plan