The introduction of an information security management system (ISMS) is a laborious and rather lengthy procedure. In general, the implementation process consists of several successive stages that are performed by the customer, usually with the help of third-party experts.
In the first stage, an audit of the security management system is carried out. Its results determine the current status of information security, and all key components of the ISMS are inventoried and documented.
In the second stage, information risks are assessed. The main goal of this stage is to establish the possibility of applying the ISMS standards and mechanisms at the customer’s enterprise.
In the third stage, inconsistencies with the requirements of the ISMS standard are analyzed. This determines the current state of control mechanisms in the organization and identifies discrepancies with the declaration of applicability.
In the subsequent stages, the missing accounting and control mechanisms are planned and implemented; a development strategy and an implementation plan are drawn up for each of them.