Guide To Certification
A common route is as follows (10-point plan):

1. Prepare the ground: obtain copies of the ISO 17799 and BS7799-2 standards, research the background, set the objectives, understand the costs and benefits, and liaise with senior management to gain their support.

2. Define the scope: what's in, what's out, including issues like location, assets and so on. Prepare a Statement of Applicability.

3. Define a formal ISMS (Information Security Management System) policy.

4. Analyze the information security risks to identify the corresponding security control objectives.

5. Prepare a security implementation plan describing the implementation of specific information security controls to satisfy the objectives identified in step 4. Gain management approval and secure the budget.

6. Implement the plan. Prepare, review, approve and publish information security policies, procedures, standards and so forth. Bring controls protecting the IT infrastructure and facilities up to scratch. Review and where necessary improve application security controls. Prepare and exercise contingency plans.

7. Operate and maintain the information security management system. Keep records to document proper use of your system (e.g. information arising from the review of system security logs).

8. Perform an information security audit and management review to check that everything is in order (this typically involves an informal pre-certification assessment by the certification body).

9. Make any last-minute adjustments to the information security management system to address issues identified in the pre-certification assessment.

10. Undergo the formal certification assessment by an accredited certification body.

11. (Special bonus item) Celebrate your certification. Start talking to your business partners about their information security management systems. Consider updating this guide.
