  1. PLAN AND PREPARE
    1. Management support
      1. Obtain management interest
      2. Clarify organization’s priorities
      3. Define security objectives
      4. Create business case and project plan
      5. Identify roles and responsibilities
      6. Obtain management approval
  2. IDENTIFY & ISOLATE
    1. Scoping
      1. Define organizational scope
        1. Organizational units: department, service project, subsidiary, etc.
        2. Organizational structures and responsibilities of managers
        3. Business processes: sales management, procurement, hiring, etc.
      2. Define physical scope
        1. All physical locations, both internal and external, that are included in the ISMS should be considered.
        2. Identify the relevant areas (data centre, server rooms, other specific areas)
        3. In the case of outsourced physical sites, the interfaces with the ISMS and the applicable service agreements have to be considered.
      3. Define technology scope
        1. Networks: internal networks, wireless networks, etc.
        2. Operating Systems: Windows, Linux, etc.
        3. Applications: CRM, payroll management software, ERP, utilities, databases
        4. Data: customer records, medical data, research and development, etc.
        5. Processes: Consider processes that transport, store or process information.
        6. Telecommunications equipment: routers, firewalls, etc.
      4. Changes in scope must be:
        1. Evaluated
        2. Approved
        3. Documented
    2. Create inventory lists
      1. Identify assets
      2. Identify asset owner and information classification
    3. Create SOA (Statement of Applicability)
      1. Select the relevant controls from the standard
      2. Create a document with the objectives/exceptions for the selected controls
      3. The SOA defines which controls from ISO/IEC 27001:2013 are selected for implementation
      4. ISO/IEC 27001:2013 does not specify the form of the SOA
      5. Good practice: for each control, include the title or function of the responsible person and a list of the documents or records relating to it
  3. EVALUATE
    1. Perform gap analysis
      1. Conduct external assessments
        1. Technology perimeter assessment
        2. Physical security assessment
      2. Conduct internal assessments
        1. Assessment of critical applications
      3. Review departmental processes
        1. Interview the department head
        2. Interview a mid-level employee in the department
        3. Analyse processes and practices
    2. Risk Management documents
      1. Risk Register
      2. Risk Treatment Plan (RTP)
      3. Risk Assessment Document
      4. Risk Assessment Procedure (procedure for risk calculation)
      5. Risk Management Policy
    3. Perform risk assessment
      1. Create a risk treatment policy
      2. Define a risk calculation procedure
      3. Calculate the risk
      4. Identify controls to mitigate (remove/reduce/transfer) identified risks
    4. Create Risk Treatment Plan (RTP)
      1. Create a risk treatment plan
      2. Obtain management approval
  4. FIX
    1. Create ISMS (policies, procedures, training & reports)
      1. Create security policy
        1. Obtain management objectives
        2. Create the policy
        3. Refer to individual policies
        4. Obtain management approval
      2. Create all referenced individual policies
        1. Change Management Policy
        2. Incident Handling Policy
        3. Wireless Security Policy
        4. Acceptable Use Policy
        5. Internet Use Policy
        6. Email Use Policy
        7. Mobile Use Policy
      3. Create procedure documents
      4. Publish the policies
      5. Conduct awareness training
    2. Management review / internal report
      1. Review all documentation
      2. Review SOA, RTP and policies
      3. Review controls
      4. Measure effectiveness
  5. ASSESS
    1. Pre-certification audit
      1. Conduct a mock audit
      2. Identify all non-conformities (NCs)
      3. Take relevant actions to close identified NCs
    2. Identify and contact a certification body for the audit
    3. Certification
      1. Phase 1
        1. Document review
        2. 1 day
        3. Mandatory
      2. Phase 2
        1. Control review
        2. Multi-day based on scope
        3. Mandatory
  6. REPORT
    1. The accredited body reports on any non-conformities or areas requiring improvement
  7. MAINTAIN
    1. The organisation's Security Steering Committee holds a post-assessment wash-up meeting
    2. The Security Steering Committee schedules regular review meetings
    3. People with specific duties and responsibilities schedule their actions for ongoing maintenance
    4. Consider the use of a suitable Governance, Risk & Compliance (GRC) platform
    5. Regularly test the Business Continuity Plan (BCP) and Security Incident Response Plan (SIRP)
    6. Carry out periodic internal audits
    7. Carry out periodic due diligence activities on all third parties