[organization name]
[confidentiality level]
[organization logo] [organization name]
PROJECT PROPOSAL FOR ISO 27001/ISO 22301 IMPLEMENTATION
Code: Version: Date of version: Created by: Approved by: Confidentiality level:
Project Proposal for ISO 27001/ISO 22301 Implementation
ver [version] from [date]
©2014 EPPS Services Ltd. www.iso27001standard.com
Page 1 of 6
Change history
Date | Version | Created by | Description of change
xx/xx/2014 | 0.1 | Dejan Kosutic | Basic document template
Table of Contents
1. Purpose ... 2
2. Reasoning ... 2
3. Project objectives ... 3
4. Project duration and structure ... 3
5. Responsibilities ... 3
6. Resources ... 3
7. Deliverables ... 4
1. Purpose
The purpose of this document is to propose the project of ISO 27001 and/or ISO 22301 implementation to the top management. This document is not a project plan – the Project Plan will be developed once the project is formally approved.
2. Reasoning for the implementation
Primary reasons for ISO 27001/ISO 22301 implementation are:
• compliance with laws and regulations
• lower costs of incidents
• marketing advantage
• optimization of processes
• smaller dependence on individuals
3. Project objectives
The objectives for the project are:
• implementation of ISO 27001 & ISO 22301 on or before [date]
• implementation of information security & business continuity may not interrupt normal operating activities
• members of the project team can spend up to [xyz%] of their time on this project
4. Project duration and structure
The implementation project is divided into different phases:
1. Planning phase, including the development of top-level policy, risk assessment and risk treatment
2. Implementation of the selected controls
3. Internal audit
4. Management review
5. Certification
Main milestones of the implementation project are:
Milestone | Due date
Planning phase |
Implementation of the controls |
Internal audit |
Management review |
Certification |
Detailed content of the milestones and respective responsibilities will be described in the Project Plan document.
5. Responsibilities
Project will be led by [name], and project team members will be [list names].
6. Resources
Financial resources include:
• Amount: [define amount of money needed to finish the project]
• Cost types: [split costs according to the cost type and include all of the resources listed here, e.g. human resources – internal and external, technical and other]
Human resources include:
• Internal resources – [list internal resources, e.g. group name, project name, etc.]
• External resources – [list all external resources, e.g. consulting company, etc.]
Technical resources include:
• Tool – tool name: [enter tool name]
• Equipment – [list equipment needed]
Other resources include:
• Documentation – [list all documentation that is required, e.g. ISO 27001 or ISO 22301 Documentation Toolkit, the standards, etc.]
7. Deliverables
During the ISMS implementation project, the following documents (some of which contain appendices that are not expressly stated here) will be written:
• Procedure for Document and Record Control – procedure prescribing basic rules for writing, approving, distributing and updating documents and records
• Procedure for Identification of Requirements – procedure for identification of statutory, regulatory, contractual and other obligations
• Scope of the Information Security Management System – a document precisely defining assets, locations, technology, etc. that are part of the scope
• Information Security Policy – this is a key document used by management to control information security management
• Risk Assessment and Risk Treatment Methodology – describes the methodology for managing information risks
• Risk Assessment Table – the table is the result of assessment of asset values, threats and vulnerabilities
• Risk Treatment Table – a table in which appropriate security controls are selected for each unacceptable risk
• Risk Assessment and Risk Treatment Report – a document containing all key documents made in the process of risk assessment and risk treatment
• Statement of Applicability – a document that determines the objectives and applicability of each control according to Annex A of the ISO 27001 standard
• Procedure for Internal Audit – defines how auditors are selected, how audit programs are written, how audits are conducted and how audit results are reported
• Procedure for Corrective Action – describes the process of implementation for corrective and preventive actions
• Form for Management Review Minutes – a form used to create minutes from the management meeting held to review ISMS adequacy
• Risk Treatment Plan – an implementation document specifying controls to be implemented, who is responsible for implementation, deadlines and resources
Other documents that must be written during ISMS implementation will be specified in the
• BCMS Maintenance and Review Plan – a detailed overview of how plans and other BC documents should be maintained to ensure their functioning in the case of business disruption
• Post-incident Review Form – a form used for reviewing effectiveness of plans after an incident