TLP:AMBER ISMS Implementation Checklist

5.0, 25.01.2024

Company: Date:

Topic Tasks Status


☐ 1. ISO Standards: Purchase the following ISO 27k standards: ISO 27000, ISO 27001, ISO 27002, ISO 27003, ISO 27005 and ISO 19011.
☐ 2. Guidelines and courses: Make sure to carefully review the standards and any additional guidelines that apply to the ISMS. If necessary, take training courses and collect the relevant certificates to ensure that you have the necessary skills and knowledge to perform ISMS implementation and operation.
☐ 3. Management commitment: Make sure that top management is fully supportive and committed, particularly in terms of allocating the resources required for the ISMS implementation. If required, provide training to top management to increase their awareness.
☐ 4. Gap analysis: Conduct a gap analysis to understand the current state of the ISMS.
☐ 5. Context and requirements: Identify internal and external factors affecting the ISMS. Determine legal, normative, regulatory, and contractual requirements.
☐ 6. Interested parties: Determine internal and external interested parties, their needs and expectations.
☐ 7. Communication: Define the need for internal and external communications relevant to the ISMS and develop a communication plan if needed.
☐ 8. ISMS Scope: Determine the boundaries and applicability of the ISMS to establish its scope.
☐ 9. IS Committee: Establish an Information Security Committee to oversee all significant activities related to information security.
☐ 10. Project plan: Create and approve a project charter and plan.
☐ 11. IS Objectives: Establish clear information security objectives and plans to achieve them.
☐ 12. IS Policy: Establish a concise Information Security Policy outlining intentions and directions for information security, and share it with relevant interested parties.
☐ 13. Roles and responsibilities: Clarify roles and assign the responsibilities and authority for the ISMS. Create a RACI chart and review job descriptions, if necessary.
☐ 14. Evidence of competence: Determine the necessary competence of personnel responsible for information security and collect evidence of their competence.

Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001


TLP:AMBER www.patreon.com/AndreyProzorov || www.linkedin.com/in/AndreyProzorov
☐ 15. Documented information: Define the necessary requirements for managing ISMS documentation and prepare appropriate templates accordingly. Additionally, create a register for ISMS documents and records.
☐ 16. Inventory of assets: Develop and maintain an inventory of information and other associated assets, including their owners.
☐ 17. Risk management procedure and methodology: Develop an information security risk management procedure and methodology (including the risk acceptance criteria and criteria for performing information security risk assessments). Create relevant templates and guidelines.
☐ 18. Risk assessment: Identify the information security risks and the risk owners. Analyze and evaluate the risks.
☐ 19. Risk treatment and SoA: Select appropriate information security risk treatment options, produce a Statement of Applicability (SoA), formulate an information security risk treatment plan (RTP), obtain risk owners' approval of the RTP and acceptance of the residual information security risks.
☐ 20. Organizational controls: Implement the necessary organizational controls. Pay attention to the following:
   • Acceptable use of assets
   • Information classification, labeling and handling
   • Information transfer
   • Access management
   • Information security in supplier relationships (especially for cloud)
   • Incident management and notification
   • Business continuity
   • Privacy and data protection
☐ 21. People controls: Implement the necessary people controls. Pay attention to the following:
   • Onboarding and offboarding
   • Awareness and education
   • Confidentiality or non-disclosure agreements
   • Remote working
☐ 22. Physical controls: Implement the necessary physical controls. Pay attention to the following:
   • Security perimeter and zones (especially secure areas)
   • Physical security monitoring
   • Clear desk and clear screen
   • Security of assets off-premises
   • Equipment maintenance
   • Secure disposal or re-use of equipment

☐ 23. Technological controls: Implement the necessary technological controls. Pay attention to the following:
   • Protection against malware and endpoint security
   • Information backup
   • Logging
   • Network security
   • Secure coding and secure development life cycle
   • Change management
☐ 24. Awareness: Plan, prepare and conduct information security awareness training.
☐ 25. Operational planning and control: Plan, implement and control the ISMS processes, especially those that are externally provided. Perform information security risk assessments at planned intervals or when significant changes are proposed or occur. Operate the ISMS and collect evidence related to information security operations (e.g., plans, tasks, minutes of meetings (MoMs), reports).
☐ 26. Monitoring and measurement: Determine the essential metrics and key performance indicators (KPIs) related to the ISMS, then collect, analyze, and evaluate them regularly.
☐ 27. Internal audit: Plan, establish, implement, and maintain an audit programme to evaluate the effectiveness of the ISMS. Conduct internal audits of the ISMS to identify any potential areas of weakness or non-compliance.
☐ 28. Management review: Review the ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the ISMS.
☐ 29. Nonconformity management: Develop a procedure for nonconformity management along with a register and related templates.
☐ 30. Continual improvement: Continually improve the suitability, adequacy and effectiveness of the ISMS. React to each nonconformity, implement any action needed, review the effectiveness of any corrective action taken and make changes to the ISMS, if necessary. Collect evidence of the results of any corrective action.
☐ 31. Certification bodies: Choose a certification body; request information, a proposal, and a quotation; sign an NDA and contract; and plan the audits.
☐ 32. Preparation for the certification audit: Prepare for the audit by organizing the team, gathering and updating the necessary documentation, agreeing on an interview plan, and preparing an introductory presentation about the ISMS.

Statuses:
   • Not Applicable
   • To Do
   • In progress (MI) [Minimally implemented]
   • In progress (PI) [Partially implemented]
   • Done
