the creation of expert committees to the promotion of standardisation. Within this association lies the CNLSI (Information Security Standardisation Committee, the Luxembourg mirror group of ISO/IEC JTC1 SC27), which is composed of a dozen information security experts. They were mandated to review and comment on the guide (theoretical review) twice, thus ensuring the achievement of Objective 5.
During the first validation cycle, in November 2008, they conducted 3 iterative reviews in the same way as ISO standards are reviewed. Overall, they issued 156 comments requiring various modifications of the guide. This initial validation, carried out prior to the first experimentation stage, ensured the document's reliability, coherence and alignment with ISO/IEC 27001.
The second review is planned to take place after the first SME experiment (see Figure 2). It is expected to yield new feedback, thus ensuring the quality of the final version of the guide.
5.6 Tool Support
In line with Objective 6, methodological guidance alone does not give users enough help to implement an ISMS. To address this, we have developed numerous templates and documentation tools, mostly based on the Codasystem experiment. They ease and speed up the implementation of the ISMS, enabling users to focus on more complex tasks and thus reducing the amount of human resources required.
Regarding documentation, we created numerous generic procedures to be completed and tailored by end-users. Our templates (e.g. management commitment, ISMS policy, anomaly management procedure) only require a few blanks to be filled in, and sometimes slight adaptation to the context of the organisation, before they can be used. For the most complex part of the 'Plan' phase, namely risk assessment, a specific tool has been developed following an innovative model for risk management [18]. It assists the user throughout the risk assessment steps and is compliant with ISO/IEC 27005 [19].
6 Further Experiments and Upgrades
Experimental results at Codasystem showed numerous opportunities to improve an ISMS and scale it down to fit SMEs' needs. That is why the project's method integrates two experimentation stages.
After 6 months of development and reviews, the guide is currently being assessed in a public (SME-sized) administration. Later on, a complete experimentation panel will take place, supervising the deployment of the guide in three candidate SMEs of various sizes and businesses. This second experimentation stage will be conducted in a pooled and interactive manner: the ISMS implementations of the three SMEs will be synchronised. Collective training sessions will be held and complemented with individual on-site coaching. During the combined courses, the three SMEs will discuss their progress together, bringing new ideas and more feedback to improve the guide even further.