Hello Mr. Richard
Your replies look very promising to me, so I just want to get some advice from you.
I am working on a project where I am trying to build a tool for automating the whole ISMS implementation.
So I am just confused about how organizations actually do scoping, policies and boundary recognition, and how I can automate it. I just want to build a tool which will direct and guide the organization at every step.
Can you please give some enlightenment on this?
Thanks in advance.
Dear Himanshu, there are parts of the ISMS that can be automated such as the risk assessment process, the NC/CA/PA process and many others. Scoping, I am afraid, is not.
To determine the scope of the ISMS for your organization you have to look at:
- contractual obligations
- legal requirements
- your own business requirements
- areas of the business at risk
Maybe you can create a spreadsheet that has a pivot table to determine the importance and criticality of the above requirements, but based on experience, the best tool is to talk to management. Ask them what the drivers for information security are. Is it required by a customer? Is it based on management's decision? The answers will help you determine the scope.
Richard