ROADMAP ISO 27001


Posted on 22-Feb-2020


Page 1: ROADMAP ISO 27001

Version 2.1

Integrity 5-step approach to ISO 27001

1. ISMS PREPARATION (1 to 2 months)
Establishing the appropriate framework for the business needs and providing the organization with the required skills.

2. DIAGNOSIS (1 to 3 months)
To identify, within the characterized scope, the maturity of the processes, of the applicable controls, of the risks and of the mitigating controls. To understand the business and to determine the gap between the standard's requirements and the organization's practice, so as to allocate resources for an efficient ISMS implementation.

3. ISMS IMPLEMENTATION AND DOCUMENTATION (1 to 4 months)
To create the mandatory documentation and to start the risk treatment, taking the applicable controls into account.

4. ISMS PERFORMANCE (3 to 6 months)
To perform the processes and procedures defined, highlighting the fulfilment of objectives, to identify both opportunities for improvement and non-conformities, and to guarantee that the ISMS can be reviewed by top management.

5. CERTIFICATION AND MONITORING (1 month + 3 years)
Third-party audits to show the maturity of the ISMS and the reduction of risk according to the defined objectives. ISMS monitoring in the form of implementation and management services (planning, performance evaluation and continuous improvement).

Page 2: ROADMAP ISO 27001

1. ISMS PREPARATION (1 to 2 months)
- SETTING THE SCOPE: To characterize the functional units, business processes, geography and assets to be protected.
- SPECIFIC TRAINING IN ISO 27001: To provide the project team and all the interested parties with knowledge of the ISMS.
- TRAINING IN INFORMATION SECURITY: To provide the project team with up-to-date knowledge of information security.

2. DIAGNOSIS (1 to 3 months)
- SPECIFIC DIAGNOSIS: To understand the business and to determine the gap between the standard's requirements and the organization's practice, so as to allocate resources for an effective and efficient implementation.
- PRESENTATION OF RESULTS: To present the conclusions of the analysis to top management and all the interested parties.
- DOCUMENTING THE METHODOLOGY OF RISK MANAGEMENT: To create a document describing the risk analysis and risk treatment methodology, identifying the responsibilities, the threat sources and vulnerabilities, the existing controls and their efficacy, as well as the criteria for risk acceptance.
- RISK EVALUATION: Start of the ongoing implementation of the risk analysis activities foreseen in the risk management methodology.
- RISK TREATMENT PLANNING: Design of a risk treatment plan according to the risk management methodology set and adopted.

3. ISMS IMPLEMENTATION AND DOCUMENTATION (1 to 4 months)
- DEFINING THE INFORMATION SECURITY POLICY: To document the information security aims of the organization, as well as top management's commitment to risk reduction and the implications of non-compliance with the defined policy.
- DOCUMENTING THE ISMS PROCESSES: To create documents describing the processes and the respective responsibilities, identifying the appropriate records and evidence.
- STATEMENT OF APPLICABILITY (SOA): Creation of a register containing the information on the applicable controls, any exclusions and the respective justifications.
- DOCUMENTATION APPROVAL: Approval, by top management, of the ISMS scope, the security policy, the risk analysis, the risk treatment plan and the SOA.

4. ISMS PERFORMANCE (3 to 6 months)
- TRAINING AND AWARENESS-RAISING: Planning and implementation of training and awareness-raising sessions for the whole organization within the ISMS scope.
- PROCESS MANAGEMENT: Continuous execution of the tasks of the several processes previously defined and documented.
- ISMS MONITORING: Monitoring and evaluation of ISMS metrics and aims.
- ISMS REVIEW: Formal review of ISMS inputs and outputs, carried out by top management in accordance with the standard.
- INTERNAL AUDIT: Implementation of a formal internal audit programme, analysing records and evidence of the implementation of the defined processes.

5. CERTIFICATION AND MONITORING (1 month + 3 years)
- PRE-AUDIT (1 month): An audit run on the same pattern as the concession audit, so as to prepare the project team for the actual certification and to optimize the final features of the system.
- CONCESSION AUDIT (1st year) and MONITORING AUDIT (2nd and 3rd years): Led by the certifying entity.
- CONTINUOUS IMPLEMENTATION: evaluation of ISMS performance; operational processes and procedures; risk treatment; reviews led by top management; training and awareness-raising sessions; internal auditing.