The following material presents a brief information security management
system development plan. It summarizes the general approach you would
take to develop your own unique ISMS. It uses a PDCA approach and is
taken directly from our plain English version of the standard. If you use
our plain English standard to develop your organization’s ISMS, you
will automatically take the following steps:

1. Define the scope and boundaries of your ISMS.

2. Define your organization’s ISMS policy.

3. Define your approach to risk management.

4. Identify your organization’s security risks.

5. Analyze and evaluate your security risks.

6. Identify and evaluate your risk treatment options.

7. Select control objectives and controls to treat risks.

8. Prepare a detailed Statement of Applicability.

9. Develop a risk treatment plan to manage your risks.

10. Implement your organization’s risk treatment plan.

11. Implement your organization’s security controls.

12. Implement your organization’s educational programs.

13. Manage and operate your organization’s ISMS.

14. Implement your organization’s security procedures.

15. Use procedures and controls to monitor your ISMS.

16. Use procedures and controls to review your ISMS.

17. Perform regular reviews of your organization’s ISMS.

18. Verify that your security requirements are being met.

19. Review your risk assessments on a regular basis.

20. Review your residual risks on a regular basis.

21. Review acceptable levels of risk on a regular basis.

22. Perform regular internal audits of your ISMS.

23. Perform regular management reviews of your ISMS.

24. Update your organization’s information security plans.

25. Implement ISMS improvements.

26. Take appropriate corrective actions.

27. Take appropriate preventive actions.

28. Communicate ISMS changes to interested parties.

29. Establish records that document your decisions.

30. Document your organization’s ISMS.

31. Protect and control your ISMS documents.

32. Establish records for your organization’s ISMS.

33. Maintain records for your organization’s ISMS.

To see a detailed version of the above ISMS development plan, please
see our plain English ISO IEC 27001 2005 standard (Parts 4 to 8).

Of course, you may already have an existing ISMS. If this is true, you don’t
need to follow a detailed ISMS development plan. You would probably find
it easier and more efficient to use a gap analysis approach, instead. If you
already have an existing ISMS, a gap analysis is more targeted and more
efficient because it ignores areas that already comply with the standard.

A gap analysis would compare your existing ISMS with the ISO IEC 27001
requirements. Such a comparison would pinpoint the areas that fall short
of the standard (the gaps). By focusing on filling your unique information
security gaps, you will soon comply with the ISO IEC 27001 standard.