
1/5/24, 11:55 AM Description of ISMS implementation steps Technology and information documentation reference

Description of ISMS implementation steps


Explaining the stages of ISMS implementation in organizations:

Phase Zero: Cultivating and holding required training


One of the most important factors, both in establishing information security and in sustaining it, is proper and effective training and awareness, so that the organization's personnel, contractors and third parties understand their rights, duties, responsibilities and accountability within the organization's information security program. A significant part of the successful and optimal implementation of the organization's information security policies depends on the correct and optimal implementation of the organization's training and cultural development program.
The purpose of this stage is to raise the level of knowledge and skills that the organization's employees need in the field of ISMS. In conducting the training, in addition to covering the standard topics, the organization's own issues and problems should also be analyzed.
One of the benefits of this training is that the organization's personnel and its network and information security team become able to perform all the activities related to managing the network and information security system.

First phase: Identifying the existing situation and analyzing the shortcomings
At this stage, checklists are used to gather general information about the state of information technology in the organization and about the state of the current network. In general, the different stages of this phase describe the organization's current situation in the field of information technology and its activities. The initial assessment of the network security level and of the organization's current information is reviewed, which includes the following:
Revision of the overall structure of the network

Revision of the structure of the central site

Revision of internal network connection with external networks

Revision of user grouping

Revision of the IP structure in the network

Reviewing the status of servers and their tasks in the network and other equipment in the network

www.itref.ir/post-30 1/7

In general, it can be said that this review takes place in the following areas:
Network level

System level

Application level

Communication platform level

Connections level

Encryption level

In the following, a ten-step and separated chart of the phases and processes required to achieve and
implement ISMS is presented.


1. Revision of the network structure: In this step, the structure of the organization's network is reviewed according to the network schematic map and according to the information available in the following fields:

network equipment, their type and model

IP address

The connection of the company's network with other intra-organizational and extra-organizational networks

Network servers

Access data flow of internal and external users

The company's network security hardware and software

Network addressing and routing structure

2. Revision of physical access to the network: In this step, in order to review the status of physical access to the organization's network, important issues are reviewed, including the following:

Checking and reviewing the physical protection of equipment and servers located at the network site, on different levels of the company or in different offices (including checking access control for the physical access of authorized persons, the availability of equipment ports and service providers, ...)

Checking and reviewing the physical protection of network communication lines (checking how secure channels are used in communication between buildings, investigating how appropriate communication lines such as optical fiber are used, etc.)

3. Investigating and reviewing the method of logical access to the network: at this stage, in order to examine the status of logical access to the organization's network, important matters are examined, including the following:

Examination of the possibility of unauthorized access to the network by regular and managerial users (this can take the form of being present at the organization's premises and having a network port, or being present at the company's premises and having a valid account, or ...)

The possibility of access through the Internet, with or without an account in the organization's Internet access network

Having authorized access to the government network while not being authorized to access the organization's network

Investigating the possibility of unauthorized access to the network through remote access at the normal/administrative level

Investigating the possibility of viruses, worms or other malicious content being transmitted into the network

4. Investigating the existence of unnecessary connections of the company's network to other networks

5. Examining the mechanisms of identity detection, access control, event registration, intrusion detection and virus detection at the connection point for internal users, Internet users and remote users.

6. Investigating the mechanisms used for identity detection, access control, event recording, intrusion
detection and virus detection and the possibility of deactivating or bypassing the relevant system.

7. Investigating the use of the latest stable version of the software used for network equipment, routers and
network switches.

8. Investigating the possibility of remote management through SNMP, Telnet, HTTP and...

9. Checking the activation of other unnecessary services

10. Investigating the existence of appropriate filters to protect other network resources against attacks

11. Examining the system configuration (including all network equipment, routers and network switches) for the use of insecure protocols

12. Investigating the activation/absence of mechanisms for detecting and dealing with denial of service attacks

13. Examining the presence/absence of coherent organizations and teams for network management and maintenance

14. Examining the presence/absence of appropriate implementation procedures regarding network management and maintenance in areas such as:

Purchase, installation, commissioning, testing and delivery of software and hardware

Announcing and implementing changes in the network


Repairing damage

Incident support

How to monitor network status, network traffic, equipment and service provider performance

15. Investigating the adequacy/lack of training of network management and maintenance personnel

16. Examining the use or non-use of support servers for network management servers such as:

DNS server
Domain control server

17. Investigating the use of appropriate security mechanisms for network management

18. Checking the name and version of installed anti-virus software

19. Checking the name and version of the operating systems along with the installed Service Packs and
Patches

20. Examining the running services on the servers
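Several of the items above (steps 7, 8, 9, 11, 19 and 20) are factual checks against an equipment inventory, so they lend themselves to a repeatable script rather than a one-off manual review. The following Python script is an added example and is not part of the original post: it audits a constructed device inventory for outdated software, remote management over clear-text protocols, unnecessary services and stale patch levels. The inventory format, the device names, the platform names, the "latest stable" versions and the patch-level values are all assumptions made for this example.

```python
"""Checklist audit over a device inventory (added example, not from the post).

Covers the technical review items: outdated software (step 7), remote
management over insecure protocols (steps 8 and 11), unnecessary services
(steps 9 and 20) and missing OS patches (step 19). The inventory format,
device names, platform names and "latest stable" values are all assumptions
constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass, field

# Management protocols that carry credentials or configuration in clear text.
INSECURE_MGMT = {"telnet", "http", "snmpv1", "snmpv2c"}
# Legacy services an audit should flag unless a documented need exists.
UNNECESSARY_SERVICES = {"ftp", "tftp", "finger", "echo", "chargen", "rsh"}
# Assumed latest stable software versions per platform (constructed values).
LATEST_STABLE = {"router-os": "7.4.2", "switch-os": "3.10.1", "linux": "6.1"}
# Assumed current patch levels per platform, as "YYYY-MM" (constructed values).
LATEST_PATCH = {"linux": "2024-01"}


@dataclass
class Device:
    name: str
    platform: str                 # key into LATEST_STABLE / LATEST_PATCH
    version: str                  # installed software or firmware version
    patch_level: str = ""         # "YYYY-MM" of the newest applied patch set
    mgmt_protocols: set = field(default_factory=set)
    services: set = field(default_factory=set)


def version_tuple(version):
    """Turn '3.10.1' into (3, 10, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def audit_device(dev):
    """Return (step, message) findings for one device; an empty list means clean."""
    findings = []
    latest = LATEST_STABLE.get(dev.platform)
    if latest and version_tuple(dev.version) < version_tuple(latest):
        findings.append((7, f"{dev.name}: version {dev.version} is older than stable {latest}"))
    for proto in sorted(dev.mgmt_protocols & INSECURE_MGMT):
        findings.append((8, f"{dev.name}: remote management enabled over insecure protocol {proto}"))
    for svc in sorted(dev.services & UNNECESSARY_SERVICES):
        findings.append((9, f"{dev.name}: unnecessary service running: {svc}"))
    expected = LATEST_PATCH.get(dev.platform)
    # "YYYY-MM" strings compare correctly as plain strings.
    if expected and dev.patch_level and dev.patch_level < expected:
        findings.append((19, f"{dev.name}: patch level {dev.patch_level} is behind {expected}"))
    return findings


def audit_inventory(devices):
    """Audit every device and return all findings in inventory order."""
    return [f for dev in devices for f in audit_device(dev)]


def summarize(findings):
    """Count findings per checklist step, e.g. {7: 1, 8: 3}."""
    return dict(Counter(step for step, _ in findings))


# Constructed sample inventory (not real equipment).
INVENTORY = [
    Device("core-rtr-01", "router-os", "7.4.2",
           mgmt_protocols={"ssh", "snmpv3"}, services={"ntp"}),
    Device("edge-sw-03", "switch-os", "3.8.0",
           mgmt_protocols={"telnet", "http", "snmpv2c"}, services={"tftp"}),
    Device("file-srv-02", "linux", "6.1", patch_level="2023-09",
           mgmt_protocols={"ssh"}, services={"ftp", "smb"}),
]

if __name__ == "__main__":
    results = audit_inventory(INVENTORY)
    for step, message in results:
        print(f"[step {step:2d}] {message}")
    print("findings per step:", summarize(results))
```

Run as-is, the script reports seven findings, all on the two devices that still use clear-text management, legacy services or old software; the core router, which only exposes SSH and SNMPv3, produces none. In practice the inventory would be exported from the organization's asset register or configuration management system, and the same per-step structure can be extended to the anti-virus (step 18) and management-server (step 16) items once those facts are recorded per device.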

The second phase: designing and implementing ISMS in the system area.

In this phase, after identifying and valuing the assets based on the standard, the gap analysis and the path towards the desired situation are explained. Also, at this stage, the organization's processes are designed and implemented so as to move from the current situation to the desired situation. The stages of identifying and valuing assets are as follows:

Determining services, processes and organizational assets (in the field of application - Scope): In this section, first, the assets of the organization's information exchange space are separated and categorized in the form of services, processes, hardware, software, information, communications, specific services and users, and then the organizational processes related to those assets are also identified.

Revision of the asset risk assessment method: To do this, after reviewing the existing risk assessment methodology, we base the work on the ISO 27005:2011 standard and enter the asset information.


Choosing the appropriate ISO 27001 controls for the organization: In this stage, according to the output of the risk assessment and the preliminary analysis, those controls of the ISO 27001 standard that are suitable for the company are selected (control customization). The implementation methods are determined in the previous stages, which means that the necessary solutions for implementing the selected controls are provided.

The third phase: Implementation and deployment of ISMS in the subject area of the contract.
In this phase, based on the SOA (Statement of Applicability) prepared in the previous phase, instructions, procedures and security projects are communicated and implemented in order of priority. At this stage, if any equipment needs to be purchased, including software, hardware and monitoring systems, or special configurations need to be performed on the equipment, this is done under the supervision of the organization and usually by a third party.

The fourth phase: audit, monitoring and improvement of ISMS in the territory of the contract
This phase takes place after the implementation of the system. According to the available checklists and documents for auditing against the ISO 27001:2013 standard, and according to the capability of the organization's security team, all the activities carried out in the project are reviewed so that any deviation from the standard's goals can be quickly resolved. After the end of this stage and after removing the existing weaknesses, the organization is ready to receive the ISO 27001 international certificate.

Fifth phase: Audit by CB companies

After the end of the internal audit of the system and after removing the existing weaknesses, the organization is ready to receive the ISO 27001 international certificate. In this phase, if the organization's management wishes, after comparing the accredited certification companies (Certification Body - CB), one of them is invited to issue the certificate.

Mohammad Shervin Jafarzadeh
