Clauses 4-10
Clause 4: Context of the organization
Identify the key stakeholders and clarify their interests and needs. A document needs to be created that lists the external and internal stakeholders, regulatory environments, client lists and competitors. Define the scope of the ISMS.
Clause 5: Leadership
Senior management should be accountable for the success of the ISMS. Top management should demonstrate effective leadership and establish the information security policy. Interviewing executive leaders is a required part of the ISO audit. Roles and responsibilities should be defined.
Clause 6: Planning
ISO 27001 applies a risk-based approach to IS. It requires that you plan how you will address risks and opportunities and that you perform information security risk assessments. It also requires that you determine suitable treatments for the identified risks. Another requirement is to identify a suitable set of IS objectives. These objectives need to be aligned with the risk assessment outputs, the IS policy and the overall business objectives.
Clause 7: Support
Ensure that people are competent, that training is provided and that awareness is raised. A plan needs to be created to ensure that support resources are always available. Another important requirement is a communication system: the people responsible must have dedicated channels to discuss the implementation and improvement of ISMS policies.
Clause 8: Operation
Ensure that the processes needed to meet the IS requirements are planned, implemented and controlled. We need to ensure that the plans made in clauses 6 and 7 are implemented. It is also required to control planned changes and to document evidence. Conduct internal audits and management reviews.
Clause 9: Performance Evaluation
Check whether your ISMS efforts are working. This is achieved through internal audit and management review, along with monitoring, measurement, analysis and evaluation of activities. The monitoring and measurement process must determine what needs to be monitored and measured, the methods for monitoring, when the monitoring is performed, and who will complete the process.
Clause 10: Continuous Improvement
Ensure that there is continuous improvement and that any identified nonconformities are corrected and prevented from recurring. A certifiable ISMS must be in a constant state of growth and improvement.