There are actually a variety of way to approach the standard. The correct one for a specific organization will obviously depend upon the nature the organization itself. However, the following 'cycle' has been documented as one possible approach, and may be of use.
- Firstly, obtain a copy of the stand itself. Whilst this may seem rather obvious, it is surprising how often people attempt to judge suitability without actually every having studied the documents themselves. The documents can be obtained stand alone, or as part of the starter kit (The ISO 27000 Toolkit) from the sources given on the right hand panel.
- The merits of the standard itself are considered. Factors can include impact on confidence of new/existing customers/partners, enhancing the organization's security, etc.
- The decision is made to move forward with the standard. All options are available of course: from loose alignment with it, to compliance with it, to certification.
- The project is planned in terms of resourcing (ie: people and time). This could include external resources such as consultants.
- With the previous step the scope of the exercise is decided. In other words, the part(s) of the organization to be included are determined.
- A review of existing documentation is conducted. This will help establish extent and quality of th emeasures already in place (eg: security policies).
- An inventory is drawn up of all significant information assets.
- A 'gap analysis' is performed to identify the gaps between the existing situation, and those controls, processes and procedures documented in the standard.
- A risk analysis exercise is performed in order to determine the extent of risk to the organization through security breach. A Risk Assessment document is produced.
- The organization must determine how the identified risks are to be managed. Responsibilities for managing them assigned and documented.
- Controls to address the identified risks are slected, both from the standard and elsewhere. A "Statement of Applicability" is developed following selection.
- Security policies are created/adapted using the Statement of Applicability and other inputs. This is often based upon the template included in The ISO 17799 Toolkit.
- Appropriate policy based procedures are created.
- An awareness program is initiated to ensure employees and agents are familiar with the IS requirements of the organization.
- A method of compliance monitoring is introduced.
- At this point, the organization reviews its position. Commonly, certification is considered (which of course requires external audit by an accredited body).