The structure of this unique methodology is based on the PPDIOO (Prepare, Plan, Design, Implement, Operate, Optimize) model, corresponds to the Deming Cycle, and covers all five above-mentioned approaches. It has a multi-layer structure with 21 steps:
The Prepare phase in this methodology is the initial stage of the design and deployment process. During this phase, the organization gets ready to start a successful implementation of the ISMS project. The Prepare phase is critical because it establishes the basic requirements for starting the project. During this phase, the essential information and requirements needed to understand the organization's goals and constraints are gathered.
The primary objective of this step is to assess readiness to commence the ISMS project, identify potential challenges and resolve them, and determine where the information needed in subsequent steps and phases can be found. In other words, this step shows whether the organization is ready and capable of moving forward with the project. The activities of this step are:
The purpose of this step is to gather information about the organization's various structures. This can be done through interviews and a review of the documentation. The main activities of this step are:
The purpose of this step is to prepare a list of all assets and their characteristics and properties.
Assets can be divided into the main categories of Safe Area (such as data centers), Hardware (such as switches), Software (such as applications), Information (such as files and documents), Human Resources (such as personnel), Storage (such as CDs), Infrastructure (such as a LAN) and Intangible (such as patents).
The purpose of this step is to define business processes based on relevant standards. Activities of this step are:
After preparing for ISMS design and implementation, it is time to plan for it. During this phase, the essential information and requirements needed to understand the existing security posture are gathered. The Plan phase is critical because it sets the security architecture, defines the boundary of the project, determines the gap and evaluates the assets.
The aim of this step is to evaluate the current security posture, establish the objectives of ISMS implementation, and develop a roadmap for transitioning from the current state to achieve the defined goals.
The security architecture design encompasses the strategic framework for safeguarding an organization's assets, data and information systems. It begins with defining the security organization, delineating roles, responsibilities and reporting structures to ensure clear accountability. Setting standards establishes the guidelines and protocols that govern security practices; frameworks provide comprehensive structures for implementing security controls and risk management processes; and identifying the relevant laws and regulations ensures legal adherence and the protection of sensitive information. This holistic approach ensures a robust security architecture capable of mitigating risks and securely supporting the organization's objectives.
At this step, one of the most important parts of defining the Information Security Management System, the scope of the project is determined. The purpose of this step is to define the scope of the project accurately, based on the indicators defined in ISO 27001. In accordance with Clause 4.2 of ISO 27001, the scope definition indices are:
The only activity of this step is:
Analyzing the gap between the current situation and the ideal situation has a significant impact on designing the roadmap. In the ISO 27001 controls gap analysis, the quality of the implementation of the ISO/IEC 27001 controls is carefully assessed against the criteria in ISO/IEC 27002. Using the CMMI model, the maturity level of each control is determined separately: each control is examined in terms of its design, implementation, review and improvement status, and is ultimately placed at one of the sub-primary, primary, planned, defined, controlled or optimized maturity levels. The purpose of this step is to formulate a Statement of Applicability.
The maturity level of each selected framework, law or maturity model is also determined separately.
At this step, the assets are evaluated. A common method is simply to ask the owner of the asset; this is not very accurate and is not recommended by the various standards. According to the standard, the evaluation indicators should be chosen so that the results can be compared across different times and different people, whereas the conventional approach will certainly give different answers from different people depending on their relationship to the asset.
The method presented in this model is based on the role of each asset in achieving the goals of the organization, and so covers all of the features the standard requires. To this end, the goals of the organization are first weighted; various methods such as AHP can be used for this. The processes are then rated: each process is valued by the impact it has on each objective, taking into account the weight of that objective. For each process, four indicators are evaluated separately: provision of the process at an acceptable time, maintaining the confidentiality of the data, maintaining the authenticity of the data, and quality; from these the value of each process is calculated. The value of each asset is then determined by the role of that asset in each process, taking into account the value of the process. For this purpose, the types of assets involved in each business process must be identified.
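The valuation chain described above (weighted objectives, process values from four indicators, asset values from each asset's role in each process), as an added example that is not the platform's own code. The objective weights are assumed to be the output of a prior AHP step, the mean across the four indicators is an assumed aggregation, and every name and number is constructed.

```python
"""Asset valuation by the role of each asset in the business processes (added example,
not from the original page). Objective weights are assumed to be AHP output; the mean
across the four indicators is an assumed aggregation; all names and numbers are constructed."""
from typing import Dict

# The four per-process indicators named in the methodology (key names assumed).
INDICATORS = ("timeliness", "confidentiality", "authenticity", "quality")

# Weighted organizational goals (assumed AHP output, normalized to sum to 1).
OBJECTIVE_WEIGHTS = {"revenue": 0.5, "compliance": 0.3, "reputation": 0.2}

# Impact of each process on each objective, scored 0..1 per indicator (constructed).
PROCESSES = {
    "order_processing": {
        "revenue":    {"timeliness": 1.0, "confidentiality": 0.6, "authenticity": 0.8, "quality": 0.8},
        "compliance": {"timeliness": 0.4, "confidentiality": 0.8, "authenticity": 0.8, "quality": 0.4},
        "reputation": {"timeliness": 0.6, "confidentiality": 0.4, "authenticity": 0.4, "quality": 0.6},
    },
    "payroll": {
        "revenue":    dict.fromkeys(INDICATORS, 0.2),
        "compliance": dict.fromkeys(INDICATORS, 1.0),
        "reputation": dict.fromkeys(INDICATORS, 0.5),
    },
}

# Share of each process that depends on each asset (constructed).
ASSET_ROLES = {
    "erp_server":  {"order_processing": 1.0, "payroll": 0.5},
    "hr_database": {"payroll": 1.0},
    "core_switch": {"order_processing": 0.5, "payroll": 0.5},
}

def process_value(weights: Dict[str, float], impact: Dict[str, Dict[str, float]]) -> float:
    """Process value = sum over objectives of (objective weight x mean of the four indicators)."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("objective weights must be normalized (AHP output sums to 1)")
    total = 0.0
    for objective, weight in weights.items():
        total += weight * sum(impact[objective][i] for i in INDICATORS) / len(INDICATORS)
    return total

def asset_values(weights, processes, asset_roles) -> Dict[str, float]:
    """Asset value = sum over processes of (asset's role share in the process x process value)."""
    pv = {name: process_value(weights, impact) for name, impact in processes.items()}
    return {asset: sum(share * pv[p] for p, share in roles.items())
            for asset, roles in asset_roles.items()}

ASSET_VALUES = asset_values(OBJECTIVE_WEIGHTS, PROCESSES, ASSET_ROLES)
```

Because the score depends only on the weights and impact tables, two assessors who agree on those inputs get the same asset values, which is the comparability the standard asks for.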
The activities of this step are:
This phase is the basis for the information security management system implementation and is critical as it sets the direction and framework for the entire deployment process, ensuring that the solution aligns with the organization's needs and goals.
After identifying and evaluating the assets, identifying the risks to them is a necessary part of implementing the ISMS. The goal of this step is to recognize the risks to the different assets, determine the probability of occurrence of each and the extent of the damage and consequences should it occur, and finally calculate the amount of risk quantitatively and qualitatively. First, a list of risks is provided for each type of asset. After the risks of each asset are identified, the security threats that may lead to their occurrence are identified, and finally the vulnerabilities of each asset. To identify risks and threats, one can use interviews with stakeholders and a review of known risks; upstream and downstream requirements and stakeholders' needs are further sources. Ultimately, the vulnerabilities and weaknesses of the various assets that could allow a threat to materialize should be identified. The components of this step are:
From another point of view, it can be classified as follows:
A threat requires a motive to carry out its sabotage. Threat motives can be one of the following:
The security strategic plan outlines the overarching framework for safeguarding an organization's assets and information systems. It begins with defining clear security goals aligned with business objectives, establishing measurable security objectives to guide implementation efforts. In order to measure the success rate of the information security management system implementation, the objectives and the method of measuring them should be determined. In this way the effectiveness of the system, and the otherwise intangible concept of security, can be measured. For this purpose, different indices such as the risk number and maturity levels are used.
Setting a risk acceptance level helps determine the threshold for tolerable risk exposure, informing decision-making processes regarding risk mitigation strategies. The security strategy encompasses a comprehensive approach to risk management, including preventive, detective, and corrective measures, as well as incident response protocols, security awareness training, and continuous monitoring to ensure proactive threat mitigation and alignment with the organization’s risk appetite and operational needs.
Activities of this step are:
The purpose of this step is to develop the statement of the information security policy, technical policies & procedures for policy implementation.
The purpose of this step is to provide solutions to address the identified risks. Based on the acceptable level of risk, a solution and security plan is provided to manage the risks that exceed that level. The major tasks of this step are developing the risk management plan, determining the effectiveness of the solutions based on the defined indicators, and determining the extent to which the objectives would be achieved if the plan were fully implemented.
The output of this step is the definition of the required training and awareness programs. One of the factors that plays an effective role in creating and maintaining information security is the awareness of personnel of their rights, duties and responsibilities regarding the organization's information security program. To develop proper training courses, each person's role in the information security structure and the description of their security duties are considered, the training courses each individual needs in order to perform their duties properly are identified, and the person's training calendar is generated taking their training records into account. This training calendar is tailor-made in an intelligent and targeted manner. Activities of this step are:
In the organization's information security structure, a plan for managing incidents, including the definition of the duties and responsibilities of each person in different situations, should be provided. In this step, the key services are identified, their importance to the organization and the definition of crisis situations are established, and the RTO and RPO for the key services are calculated.
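The risk identification, risk acceptance level and risk treatment steps described above, as an added example that is not the platform's own code: each register entry carries an asset value, likelihood and impact; the quantitative risk number is compared against the acceptance level to pick the risks that go into the treatment plan, and a residual score checks whether a proposed solution brings a risk back under that level. The 1..5 scales, the qualitative bands, the acceptance level and the register entries are constructed assumptions.

```python
"""Risk register scoring against a risk acceptance level (added example, not from the
original page). Scales, bands, acceptance level and register entries are constructed."""
from dataclasses import dataclass, replace
from typing import List

@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float    # 0..1, assumed to come from the asset-valuation step
    threat: str
    vulnerability: str
    likelihood: int       # 1..5 probability of occurrence (assumed scale)
    impact: int           # 1..5 extent of damage if it occurs (assumed scale)

def risk_score(r: Risk) -> float:
    """Quantitative risk number: asset value x likelihood x impact (0..25)."""
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
        raise ValueError(f"{r.asset}: likelihood and impact must be on the 1..5 scale")
    return r.asset_value * r.likelihood * r.impact

def qualitative_level(score: float) -> str:
    """Qualitative band for a score (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"

def needs_treatment(register: List[Risk], acceptance_level: float) -> List[Risk]:
    """Risks above the acceptance level, highest first; these go into the treatment plan."""
    above = [r for r in register if risk_score(r) > acceptance_level]
    return sorted(above, key=risk_score, reverse=True)

def residual_score(r: Risk, likelihood_cut: int = 0, impact_cut: int = 0) -> float:
    """Score after a control lowers likelihood and/or impact; checks a solution's effectiveness."""
    treated = replace(r, likelihood=max(1, r.likelihood - likelihood_cut),
                      impact=max(1, r.impact - impact_cut))
    return risk_score(treated)

# Constructed register (threats and vulnerabilities are illustrative placeholders).
REGISTER = [
    Risk("erp_server", 0.93, "ransomware", "unpatched operating system", 4, 5),
    Risk("hr_database", 0.50, "insider disclosure", "excessive privileges", 3, 4),
    Risk("core_switch", 0.59, "configuration tampering", "default credentials", 2, 5),
]
ACCEPTANCE_LEVEL = 6.0  # assumed: risks scoring above this must be treated
```

A risk whose residual score is still above the acceptance level after the planned control needs a further or different treatment, which is the effectiveness check the step calls for.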
The “Implement” phase involves the actual deployment of the security design that was developed during the earlier phases (Prepare, Plan, and Design). This phase is where the planned changes and configurations are put into action to create the desired level of security. The Implement phase is focused on executing the planned changes and configurations to build the security infrastructure according to the design specifications developed in earlier phases, while also ensuring minimal disruption to existing operations.
The goal of this step is to plan the implementation of the risk treatment solutions. In this step, the implementation of the solutions presented in the Design phase is considered.
ROSI calculation consists of:
In this step, the project management plan for the projects approved for implementation is developed.
The "Operate" phase involves the actual management and operation of the security solutions that have already been designed and implemented. This phase focuses on the day-to-day security operation activities. The Operate phase is focused on ensuring the required level of security and performance of the infrastructure to meet the needs of users and applications effectively.
The goal of this step is to operate the risk treatment plan (RTP) based on the implementation planning and management steps.
Key activities of this step are:
In the last phase, the security situation after operating the RTP is analyzed, all remaining issues observed are resolved and the final corrections to the system are made. This phase includes Audit, Review and Improvement.
In this step, the effectiveness of the implemented solutions is measured. It has two activities:
In this step, the design is reviewed in light of the results of the effectiveness assessment and the internal audit. If, after the internal audit and effectiveness assessment, the intended security objectives have not been met, the corrective actions needed to achieve them are defined and approved at the management review meeting. In accordance with the approvals of the management review, the technical documentation, in particular the risk management plan, is revised where necessary. Activities of this step are:
In this step, corrective plans to improve the information security situation are implemented. This step is very similar to the Implement phase, except that only corrective actions are performed. The three main activities of this step are the implementation of the corrective plans resulting from the review phase, reassessment of the goals achieved after the corrective actions, and finally informing stakeholders about the improvements.
Yes, it provides a toolkit to assess your current security posture from various perspectives and to evaluate the urgency of any necessary improvements.
By utilizing this platform, you can define your security goals aligned with your business objectives and the necessity of ISMS implementation.
Yes, based on your business goals and requirements, it defines the boundary very precisely.
Yes, this platform effectively aligns security with the strategic objectives and business goals of your organization. It supports your overarching mission while addressing specific security requirements and priorities.
Yes, it offers flexibility to accommodate the unique needs, size, and complexity of your organization. It is adaptable to various industries, regulatory environments, and organizational structures, allowing for customization as necessary.
Yes, it provides comprehensive coverage of all relevant aspects of information security, including risk assessment, policy development, controls implementation, training, auditing, compliance, and continual improvement processes.
Yes, it offers clear documentation, guidelines, templates and tools to support each phase of the implementation process. Clear guidance facilitates consistency, reduces ambiguity and streamlines the implementation effort.
Yes, it emphasizes measurable outcomes and continuous improvement. It includes mechanisms for monitoring progress, measuring performance against predefined objectives and targets, and implementing corrective actions as needed to enhance the effectiveness of the ISMS over time.