How to carry out ISO27001 certification
Time: 2022-03-24

1. Project preparation stage

Purpose: Fully embody the principles of leadership and full participation, and ensure that all levels are aware of the need for an information security management system and of management's determination.

Content: The organizational preparation necessary to start the project.

Including:

① Understand management's intentions and convey management's ideas throughout the organization;

② Communicate the decision, purpose, significance and requirements of the ISO27001 project within the organization; this is also a necessary means of internal communication and of raising the awareness of all employees;

③ Organizational construction, including the appointment of a management representative, the establishment of the standard implementation organization and of information security management personnel at all levels, and the clarification of their responsibilities.

2. On-site investigation and diagnosis

Purpose: Understand the organization's current situation and find the gap with the ISO27001 standard.

Content: Carrying out the investigation and diagnosis.

Including:

① Determine the security requirements according to the information flows generated by your company's main business processes and the computing environment on which they depend (including hardware, software, data, manpower, services, etc.);

② Gain a comprehensive understanding of the company's current business processes and evaluate the company's information security management against the standard;

③ Identify the management processes and management responsibilities adopted by each business process;

④ Look for improvement opportunities against the standard's requirements;

⑤ Formulate a scientific, effective and applicable risk assessment method according to the ISO27001 risk assessment methodology and national standards.

3. Personnel training

Purpose: Improve the information security awareness of leaders at all levels and of all staff, and ensure that internal auditors have the corresponding capabilities.

Content: Mobilization meeting, ISO27001 standard training, and training on preparing information security management system documents; training is an important means of implementing the requirements.

Including:

Mobilization meeting: raise the information security awareness of all staff, covering: What is information security? What is an ISO27001 information security management system? Why should ISO27001 be implemented? What is the significance of an ISO27001 information security management system to the enterprise? How are the overall work process and schedule arranged? Who is required to be trained for this work?

ISO27001 standard training: mainly explains the understanding and application of the clauses of the ISO27001 information security management system standard.

Management training is extended to middle-level leaders and finally delivered together with senior leaders; the participation of senior leaders sets an example and helps to improve the information security awareness of all employees.

4. Design of the integrated system document framework

Purpose: To plan the documented procedures of the system covering each business process.

Content: According to the results of the on-site diagnosis, sort out all management activity processes and form a list of information security management system documents according to the ISO27001 standard.

Including:

① Form a flow chart of management activities from the identified business processes; optimize or re-engineer the business processes to ensure that management activities are systematic and smooth;

② According to the flow charts and the complexity of each process, plan a list of information security management system documents that meets both the standard's requirements and actual business requirements;

③ Form the document descriptions of the information security management system, including each document's purpose, scope of management and control, responsibilities, interfaces between management activities, management process, etc.; communicate with the person in charge of each business process to revise the document list.

5. Determine the information security policy and objectives

Purpose: To clarify the information security policy and objectives, and to provide guidance for the information security management system.

Content: According to business requirements and the actual situation of the organization, formulate the security policy and objectives.

Including:

① Communicate with top management, understand management's intentions and requirements, and determine the information security management policy;

② According to the requirements of the policy, formulate objectives and decompose them into the various management activities to form a measurable indicator system, ensuring that the policy and objectives are achieved.

6. Establish the management organization

Purpose: To establish a sound internal control organizational structure that supports the integrated system.

Content: A good organizational structure is the foundation for ensuring that the various management activities are implemented.

Including:

① Establish an integrated system management committee to make decisions on major information security matters;

② Establish a management coordination group to communicate and improve information security matters in daily management activities;

③ Clearly define and document the responsibilities of each process owner in management activities.

7. Information security risk assessment

Purpose: Carry out the risk assessment, identify unacceptable risks, and clarify management objectives.

Content: Risk assessment is the basis of all risk management; this stage is carried out using the risk assessment method planned in the previous stage.

Including:

① According to business requirements and the classification of information, determine the importance of information assets and identify the list of information assets that play a key role in the core businesses; identify threats to important information assets from internal and external sources;

② Based on those threats, identify the weaknesses of important information assets from both the management and the technical perspective;

③ According to the risk assessment method guide, evaluate the impact on the confidentiality, integrity and availability of important information assets if a threat exploits a weakness, and evaluate the likelihood that exploitation of a vulnerability leads to a security risk event;

④ Evaluate the risk level according to the risk impact and the likelihood of occurrence;

⑤ According to the information security policy and the security requirements of each core business process, communicate with management to determine the criterion for the unacceptable risk level;

⑥ For unacceptable high risks, formulate risk treatment plans, selecting appropriate risk control measures from ISO27002 and the industry experience of the consultants; implement the selected controls to reduce, transfer or eliminate the security risks;

⑦ Prepare the risk assessment report.
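
The following is an added example, not part of the original article, showing steps ③ to ⑥ of the risk assessment stage as a small risk register: each asset/threat/weakness entry is scored for confidentiality, integrity and availability impact and for likelihood, a risk level is derived, entries are compared against an acceptance criterion agreed with management, and the unacceptable ones are listed for treatment. The 1-to-3 scales, the multiplicative risk formula, the threshold of 8 and the register entries are all assumptions constructed for illustration.

```python
# Added example (not the article's own method): a minimal ISO27001-style
# risk register covering steps 3-6 of the risk assessment stage.
from dataclasses import dataclass

ACCEPTABLE_RISK = 8  # assumed acceptance criterion agreed with management (step 5)


@dataclass
class RiskEntry:
    asset: str
    asset_value: int   # importance of the asset, 1 (low) .. 3 (critical), from step 1
    threat: str        # threat source identified in step 1
    weakness: str      # weakness identified in step 2
    c: int             # confidentiality impact if the threat exploits the weakness, 1..3
    i: int             # integrity impact, 1..3
    a: int             # availability impact, 1..3
    likelihood: int    # likelihood that exploitation leads to a security event, 1..3

    def impact(self) -> int:
        # Assumed convention: the worst-affected CIA property drives the impact.
        return max(self.c, self.i, self.a)

    def risk_level(self) -> int:
        # Assumed method (step 4): risk = asset value x impact x likelihood.
        return self.asset_value * self.impact() * self.likelihood


def unacceptable(register, threshold=ACCEPTABLE_RISK):
    """Step 5: entries whose risk level exceeds the acceptance criterion."""
    return [e for e in register if e.risk_level() > threshold]


def treatment_plan(register, threshold=ACCEPTABLE_RISK):
    """Step 6: unacceptable risks ranked highest first, ready for control selection."""
    ranked = sorted(unacceptable(register, threshold), key=lambda e: -e.risk_level())
    return [(e.asset, e.threat, e.weakness, e.risk_level()) for e in ranked]


# Constructed sample register for illustration only.
REGISTER = [
    RiskEntry("Customer database", 3, "External attacker", "Unpatched DB server", 3, 2, 2, 2),
    RiskEntry("Customer database", 3, "Privileged insider", "No access logging", 3, 3, 1, 1),
    RiskEntry("Office printer", 1, "Hardware failure", "No spare device", 1, 1, 2, 3),
    RiskEntry("ERP application", 2, "Ransomware", "Backups never tested", 1, 3, 3, 2),
]

if __name__ == "__main__":
    for asset, threat, weakness, level in treatment_plan(REGISTER):
        print(f"{asset}: {threat} via {weakness} -> risk {level}, treatment required")
```

Entries at or below the threshold stay in the register as accepted risks; the ranked list is the input to the treatment plan and the risk assessment report of step ⑦.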

8. ISMS documentation

Purpose: To establish a documented information security management system.

Content: According to the results of the document system planning, prepare the information security management system documents.

Including:

① Integrate the information security management system manual to clarify the sequence and interrelation of each management process;

② Integrate the procedure documents required by the information security management system, documenting the various management activities and work instructions in the areas of system maintenance management, asset management, physical and environmental security, human resource security, access control, communications and operations management, business continuity management, information security incident management, compliance, etc.;

③ Formulate the various security policies, such as the email policy, Internet access policy, access control policy, etc.

9. Design of ISMS records

Purpose: To design scientific information security management system records that ensure the controllability and traceability of each management process.

Content: According to the record requirements that each management process and document places on the management process, design the record form formats.

Including:

① Collect the original management records;

② Optimize or redesign the records;

③ Communicate the form of the records and the necessity of filling in management records, so as to balance the controllability of the information security management system against the number of records kept.

10. ISMS document review

Purpose: To ensure that the ISMS documentation is systematic, effective and efficient.

Content: Review of the information security management system documents.

Including:

① Compare the results of the risk assessment and the core business processes to review how systematic the procedure documents and work instructions are;

② For each specific management process, review whether the management responsibilities and management activities described in the document conform to the actual situation, and whether the person in charge of the process can carry out the management activities in accordance with the document's requirements;

③ For the management activities required by the document, review whether their efficiency meets the management requirements; form the conclusions of the document review, and revise the documents, with management's approval, into a release draft.

11. ISMS document release and implementation

Purpose: Publish the ISMS documents and implement the management requirements.

Content: Top management organizes the release of the management documents and puts forward the management requirements.

Including:

① Hold a document release conference at which top management puts forward the general requirements for operating the information security management system, so that all staff realize that the ISMS documents are the action guide and mandatory requirements for management activities;

② Each process owner implements the various management activities according to the requirements of the ISMS documents and maintains the records the system requires; the certification project team collects the problems found during system operation, covering processes, responsibilities, resources, technology, etc., and revises, handles and responds to them in a unified way.

12. Organize all staff to study the documents

Purpose: To ensure that the ISMS document requirements are effectively communicated and understood at all levels and positions.

Content: Training is an effective way to improve information security awareness and clarify information security requirements, to organize all employees to participate in the operation and maintenance of the system, and to bring each employee's role into play.

Including:

① Fully consider the scope of the management activities and design a systematic training plan in layers and stages;

② The training also takes into account the content of the management requirements and technical requirements, rather than simply following the script of the system documents; evaluate the effect of the training using methods such as examinations, practical operations and discussions to ensure that the training is effective.

13. Business continuity management

Purpose: To ensure that the core business retains the ability to provide continuous service under any circumstances.

Content: According to the standard's requirements, design the emergency response and disaster recovery for business interruptions caused by major catastrophic events.

Including:

① Consider business continuity and sustainable operation at the strategic level, and clarify the maximum allowable interruption time of each core business process;

② Identify the catastrophic risk events the core business may suffer;

③ Assess the impact of catastrophic events;

④ Design management and control measures for catastrophic events, and formulate detailed business continuity plans, including the emergency response organizational structure, personnel responsibilities, response procedures, recovery procedures, etc.;

⑤ Implement the management and technical improvements required by the business continuity plan;

⑥ Test each step of the business continuity plan to ensure its effectiveness; further improve the plan based on the test results to provide confidence in responding to disaster events.

14. Audit training and internal audit

Purpose: To carry out the internal audit, find non-conformities in the operation of the ISMS, and find opportunities for improvement.

Content: Carry out the internal audit according to the project plan.

Including:

① Develop the internal audit plan and communicate it to the auditees;

② Hold the opening meeting of the internal audit to clarify the audit plan, scope, purpose and arrangement of audit activities;

③ Lead the internal auditors in carrying out the on-site audit activities;

④ Issue non-conformance reports based on the audit findings, stating the audited object, the findings, the facts of the non-conformance and the improvement requirements, and determine the person responsible for rectification and the deadline for improvement;

⑤ Hold the closing meeting of the internal audit and report all audit findings; follow up and verify the non-conformities to ensure that all are effectively closed.

15. Measuring the effectiveness of the management system

Purpose: To measure the effectiveness of the ISMS using quantitative indicators.

Content: Formulate a measurement methodology and measure the effectiveness of the ISMS according to the ISO27004 guidelines.

Including:

① Design measurement methods and formulate security key performance indicators (KPIs) for the various management processes;

② Collect the data recorded during operation, and use quantitative data analysis to reflect the improvement brought by the ISMS;

③ Compare against the information security management objectives and indicator system, and measure whether the KPIs meet the requirements of the management objectives;

④ Communicate the problems found, formulate corrective and preventive measures, and assign responsible persons to improve the effectiveness of the management system.

16. Management review

Purpose: To report the results and problems of system operation to management, so that top management can put forward requirements for improvement and provide resource support.

Content: Carry out the management review according to the requirements of the management review process.

Including:

① Develop the management review plan;

② Prepare the input materials for the management review, including the risk status, the implementation of security measures, feedback from interested parties, the business continuity management structure, the internal audit of the ISMS, the system effectiveness measurement report, etc.;

③ Hold the management review meeting; implement corrective and preventive measures or management improvement plans according to the management requirements put forward by top management;

④ Track the implementation of the corrective and preventive measures and management improvement plans.

17. Formal audit by the certification body

Purpose: To have the effectiveness of the ISMS reviewed by a third-party authority.

Content: The certification body conducts a further audit and verification of the established ISMS and identifies opportunities for improvement.