Project definition, justification, scoping and planning
⬚ Study the standards, in depth: complete lead implementer training if possible.
⬚ Study the business, in depth, to understand its objectives, strategies, culture, governance arrangements, existing information risk and security management etc.
⬚ If the organisation has a defined, structured approach for this phase, use it!
⬚ Build a business case that identifies and promotes the business benefits of the ISMS.
⬚ Look beyond ‘security’ and ‘compliance’ e.g. helping management to manage business risks, supporting/enabling other business initiatives and strategies.