useless approach, it will not fund its implementation. Therefore, the guide starts with some introductory chapters, which aim at answering the most common doubts and misconceptions and at motivating the use of the guide.

First, 10 key concepts are explained, such as "asset" or "residual risk". This introductory page covers the most important concepts used throughout the document in a convenient condensed form. It gives the prerequisites needed to understand the guide and keeps it self-sufficient. Then, the reader is introduced to ISMS, with more information on their goals and a correction of common misconceptions regarding information security. In order to highlight the scope of the guide, the gap with the actual ISO/IEC 27001 is detailed and explained. Subsequently, quality management and process approaches are presented, giving the knowledge necessary to understand the PDCA paradigm.

Finally, raising awareness is tackled with some advice about the state of mind and maturity required before implementing an ISMS. A whole chapter dedicated to the estimated implementation period supports this last part. A generic distribution of each stage is given as an example of how PDCA iterations should be conducted.
5.3 Transversal Guidelines
ISMS deployment does not rely only on the successive tasks recurring within the PDCA cycle. Indeed, the standard contains requirements supporting all the PDCA chapters, as mentioned in Objective 3. Four chapters focus on those specific concerns and serve as the very first steps of the implementation, prior to the beginning of the "Plan" stage.

First, the guide insists on the importance of obtaining a written management commitment regarding the requirements and consequences of an ISMS. Indeed, management often takes lightly all the implications of such a project for the company. By asking for this document, the guide ensures that management has considered those aspects.

Second, it gives all the required information on how to manage documentation within the system. The focus is on the importance of having a proper documentation policy, and generic guidelines are given to classify each document according to its origin, access restrictions, storage and disposal.

Third, users are invited to build a document referencing and assigning human resources. The guide proposes four generic categories of actors involved in the various tasks of an ISMS. Assigning people to those roles eases the implementation because each step is linked to those categories.

As a conclusion to the transversal guidelines, the guide insists on deontological ethics throughout the life cycle of the management system.
5.4 Key Steps Presentation
The standard is not user-friendly enough to be handled by most SMEs (Objective 4). Consequently, in order to facilitate the readability and comprehension of the guide, each process is presented using a simple pattern inspired by Process Reference Models (PRM) [17].