Risk Assessment – First, identify the risks to your organization, for example coronavirus, theft, hacking, ransomware, and system crashes. The risk assessment gives you an overview so you can focus your efforts on the areas that exceed your risk appetite. Risk assessments are based on our threat and vulnerability catalogs combined with a probability estimate. Then you can do an impact assessment – FIT, CIA, or your own setup.
Identify information assets – You must identify the information assets that are relevant to your information security, i.e. data controllers, data processors, suppliers, and systems. This gives you an overview of the scope of your information security work, and with it a strategic management tool for setting the objectives, boundaries, and responsibilities of your IT security policy.
Gather information – A structured questionnaire, based on the control objectives of the ISO 27001 standard, guides you through the information-gathering process. The ISMS solution lets you delegate information-gathering tasks to different people, so the most qualified employees provide the input. You can also create specific questionnaires that target your data processors and system administrators.
Gap Analysis – Once the necessary information has been collected, you create risks and associate them with your systems and data processors. This allows you to do a gap analysis in which you compare the 114 Annex A control objectives with your information. Along the way, you can extract a complete Statement of Applicability (SoA) document and get full documentation of the organization's security measures.
Mitigating Actions and Controls – When the gap analysis has been made, you have a 114-step plan for your further work. At each step, link the controls or initiatives that close the gap and mitigate the identified risk. Controls may include, for example, samples, logs, and backup tests.
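The five steps above, carried through as an added example that is not the vendor's code: a small risk register scored as probability × worst CIA impact, filtered against a risk appetite, then a gap analysis and SoA built from which linked Annex A controls are actually in place. Control IDs are taken from ISO 27001:2013 Annex A (the 114-control version the text refers to); the assets, threats, scores and risk appetite are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    asset: str          # information asset: system, data processor or supplier
    threat: str         # entry from the threat catalog
    vulnerability: str  # entry from the vulnerability catalog
    probability: int    # 1 (rare) .. 5 (almost certain)
    cia: tuple          # impact on (confidentiality, integrity, availability), each 1..5
    controls: list = field(default_factory=list)  # Annex A control IDs linked to this risk

    def score(self) -> int:
        # impact is the worst of the three CIA dimensions; risk = probability x impact
        return self.probability * max(self.cia)

RISK_APPETITE = 9   # constructed: scores above this need a mitigating action

# constructed sample register (assets, threats and scores are illustrative)
REGISTER = [
    Risk("HR system", "ransomware", "no tested backups", 3, (2, 4, 5), ["A.12.3.1"]),
    Risk("payroll processor", "supplier breach", "no security clauses in contract", 2, (4, 2, 2), ["A.15.1.2"]),
    Risk("web shop", "credential theft", "shared admin accounts", 4, (5, 3, 2), []),
]

# controls the questionnaire answers confirm as implemented (constructed)
IMPLEMENTED = {"A.12.3.1"}

def above_appetite(register):
    """Risks whose score exceeds the appetite, highest first."""
    return sorted((r for r in register if r.score() > RISK_APPETITE),
                  key=lambda r: r.score(), reverse=True)

def gap_analysis(register, implemented):
    """Linked controls not yet in place: one (asset, control) pair per gap."""
    return [(r.asset, c) for r in register for c in r.controls if c not in implemented]

def unmitigated(register):
    """Risks above appetite with no control linked at all; the SoA alone will not show these."""
    return [r for r in above_appetite(register) if not r.controls]

def statement_of_applicability(register, implemented, all_controls):
    """The SoA's two core columns per control: is it applicable, and is it implemented."""
    linked = {c for r in register for c in r.controls}
    return {c: {"applicable": c in linked, "implemented": c in implemented}
            for c in all_controls}
```

A real SoA iterates over all 114 controls and also records the justification for each inclusion or exclusion; this block shows only the mechanics.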