ISO27k Intro and Gap Analysis Email


Dear [NAME],

I am an information security specialist working in the Information Security
Department alongside [NAMES]. I am managing the project to establish an
Information Security Management System (ISMS) that will help us identify and
mitigate unacceptable information security risks within [ORGANIZATION]. The
purpose of this email is to tell you a little about the project we're working on
and to give you an insight into how you might be able to help. I'll keep this as
brief as possible but there is a bit to tell so please do bear with me.

The management of information security within [ORGANIZATION]
------------------------------------------------------------

Information security is a complex area to handle well. The possible risks to our
information assets (including our computer systems and countless filing cabinets
full of valuable proprietary information) are difficult to determine and bring
under control, especially in ways that don't unduly interfere with legitimate use
of information by authorized users.

The most practical and cost-effective way for [ORGANIZATION] to handle its
information security and governance obligations, and to be seen to be doing so, is
to adopt an ISMS that complies with the international standard ISO 27001. An ISO
27001 ISMS is a framework of policies, processes and controls used to manage
information security in a structured, systematic manner.

At a high level, the ISMS will help minimize the costs of security incidents and
enhance our brand. In more detail, the ISMS will be used to:
- systematically assess the organization's information risks in order to establish
and prioritize its security requirements, primarily in terms of the need to protect
the confidentiality, integrity and availability of information;
- design a suite of security controls, both technical and non-technical in nature,
to address any risks deemed unacceptable by management;
- ensure that our security controls satisfy compliance obligations under applicable
laws, regulations and contracts (such as privacy laws, PCI and HIPAA);
- operate, manage and maintain the security controls;
- monitor and continuously improve the protection of valuable information assets,
for example updating the controls when the risks change (e.g. responding to novel
hacker attacks or frauds, ideally in advance thereby preventing us from suffering
actual incidents!).

ISO 27001, the international information security management standard
---------------------------------------------------------------------

You may have already heard it mentioned but if not you'll soon begin to hear people
talking about "ISO 27001" (or more formally, ISO/IEC 27001 since it was developed
by both ISO and IEC). ISO 27001 is an international standard that embodies a good
practice framework for establishing, implementing, operating, monitoring,
reviewing, maintaining and improving an ISMS. In short, it formally specifies a
management system that will bring information security under explicit management
control. This is a very similar approach to quality management using ISO 9001 and
environmental management using ISO 14001.

The ISMS will provide us with a systematic approach to combating a broad range of
security risks to both our own proprietary information assets and those (such as
customer data and personal information about employees) over which we have a duty
of care. In addition, a formal certificate of compliance with ISO/IEC 27001 will
enable us to demonstrate to customers and other stakeholders that we take our
information security obligations seriously. As well as continued assurance for our
existing customers, the certified ISMS will help us satisfy information security
and governance requirements often included in Requests For Proposals (RFPs) and
similar pre-tender questionnaires and commercial contracts. In today's global
information economy, applying internationally respected good security practices is
arguably even more important than simply demonstrating compliance with local laws
and regulations.

To find out more about ISO 27001, please visit www.ISO27001security.com or contact
me. I'd be happy to explain it in more detail and tell you about the other members
of the family of security standards commonly known as "ISO27k".

The ISMS implementation project, and your role in it
----------------------------------------------------

Senior management has approved the investment necessary to establish an ISMS that
complies with ISO 27001. The ISMS will ensure the selection of adequate and
proportionate security controls, giving confidence to customers and other
interested parties that their information is being protected in accordance with an
internationally-recognised security standard, while at the same time assuring
management that our own proprietary information is being properly protected.

As project manager for the ISMS implementation project, I am working with a team
consisting of:
- [NAME]: [ROLE]
- [NAME]: [ROLE]
- [NAME]: [ROLE]

While we will do most of the implementation work, at various times the project team
will require input from key personnel like you. We are determined to ensure that
both the project and the ISMS are driven by the business, reflecting the
organization's security needs, hence we will need your assistance for example to
determine the possible business impacts of security incidents affecting information
assets that your department depends upon. However, I assure you that we will do our
best to fit in with your day-to-day work.

One of the first steps I have to take is to tap into your knowledge in order to
determine 'where we are now' in terms of information security. This Gap Analysis
involves assessing the gaps between [ORGANIZATION]'s actual information security
controls and related security management practices, and those recommended by ISO
27001. As well as examining the security policies, procedures and systems, we will
be conducting informal interviews with you, [NAME], and various colleagues over the
next few weeks. We will then produce a report listing the findings plus a list of
security improvement recommendations prioritized according to the relative risks.
The report will also detail the work needed if we are to be certified to ISO 27001,
pointing out priority areas through a heat-map to help management with the next
stage of planning.

What happens now?
-----------------

Within the next [NUMBER] weeks we will distribute questionnaires to the heads of
departments that have been identified as being in scope of the [ORGANIZATION] ISMS.
These questionnaires have been written to assist the planning team with the Gap
Analysis and are being sent ahead of interviews to give you a feeling for what
we'll be asking. The planning window to complete your department's Gap Analysis is
from [DATE] to [DATE]. I fully appreciate how precious time and resource are so
your participation in the Gap Analysis will be controlled to ensure that you will
not be inconvenienced any longer than is necessary for me to gather the information
I require; furthermore you won't need to attend any unnecessary meetings aside from
the interview already mentioned, unless you wish to get more involved in the
process.

Thank you for taking the time to read this introductory email, [NAME]. If you have
any questions please don't hesitate to contact me; I'm always more than happy to
help.

Kind regards,
