Section 1: Your ISMS
Define and document the scope of your ISMS
Scope defines the limits and boundaries within which your information security management system (ISMS) applies. Your scope should cover all of your organisation’s systems, processes, physical locations, services, products and departments that need to be protected.
Create a list of all the information you are protecting
Examples include information stored in cloud services (Office, G-Suite), or inside tools like Salesforce, Pipedrive, Workday, Cognos, and Slack. It also includes prototyping tools like Figma and Miro or any other cloud-based tool or platform that your team uses. It should also include information on servers, information that resides with subcontractors/suppliers, information received from customers, etc.
Define and document your information security objectives
This should cover all the ways you intend to ensure confidentiality, integrity, and availability of company information.
Define principles for the secure operation of your systems
Your principles should ensure that your information is protected against unauthorised disclosure and against unauthorised or accidental modification (e.g., deletion or editing of the data). All information should remain easily accessible to authorised users.
Section 2: Your Team
Define roles and responsibilities
Nominate the responsible members of your team who will help prepare for the assessment. As noted previously, this should include a cross-section of staff, not just IT.
Define and implement a method for training your employees
Regular training sessions should take place to ensure that all staff are up to date on information security topics and understand how these affect their daily work.
Create a guideline for access controls
You need to define rules and guidelines for how access to your information is given, controlled, and monitored.
Section 3: Risk Assessment and Treatment
Your risk assessment should cover natural and physical risks, legal and contractual risks, compliance risks and financial risks.
Create a risk treatment plan and document the results
Your plan should cover which risks can occur and how each will be responded to. For example, what would happen if your servers crashed, or if an important cloud service became unavailable?
Create a risk assessment report
This report is a detailed summary of the potential threats to your organisation. For each risk, you should determine the probability of occurrence, the resulting impact, and the security controls required to prevent it.
Section 4: Customers, suppliers and partners
Create a guideline for compliance with suppliers
This document is critical to clarify your company’s requirements, expectations, and penalties regarding matters relating to business operations (e.g. service standards, deliveries, product conditions).
Include clauses for your greatest concern (e.g. how information about confidential prototypes is shared and processed).
Document how you protect the data of your customers
Are you processing the personal or sensitive data of your customers? If so, auditors will check that you have the necessary measures in place to protect this data.
Ensure all legal and contractual requirements are recorded and fulfilled
Define a clear method for documenting requirements for each business relationship.
Section 5: Testing and evaluation
Devise a method for monitoring and measuring your ISMS
The best way to measure this is to evaluate how complete your ISMS is and how smoothly it is running: for example, your progress on risk identification, evaluation and treatment, the status of your documentation, and whether regular management reviews and analyses take place. An auditor will look to see whether the ISMS is working in practice.
Evaluate the results of your monitoring and measuring process
What incidents have occurred, and how many? What incidents have been prevented? Has each staff member been trained effectively? Is each objective you set out at the beginning being met?
Document the corrective measures you have taken based on your findings
This could be anything you do to avoid or neutralise a threat, for example installing a new fence or relocating your servers.
Complete a self-assessment on TISAX®
To be ready for an assessment on TISAX®, you must ensure that your ISMS is stable and effective. To find out whether it matches the expected level, you should conduct a self-assessment based on the ISA.