ISMS implementation expert guide

This article is a step-by-step guide on how to complete an ISMS implementation in 6clicks.

Topics covered in this article:

  1. Establish Scope and Context
  2. Identify Information Assets
  3. Identify and Assess Your Risks
  4. Establish Policies and Controls
  5. Manage Tasks and Evidence
  6. Prove Your Compliance

Establish scope and context

The first step in establishing the scope and context of your Information Security Management System (ISMS) is to get the ISMS Context and Scope Assessment template. This template can be found in the Content Library provided in the 6clicks platform, or you can choose to bring your own assessment template.

  1. Navigate to the 6clicks Content Library or create your own template
  2. In the Content Library, search for the ISMS Context and Scope Assessment
  3. Select Details and Add Content
  4. After you have added the ISMS Context and Scope Assessment template, follow the steps to create and complete the ISMS Context and Scope question-based assessment here

Identify Information Assets 

In order to effectively manage your information security, it is crucial to identify and understand your information assets. These assets can include data, systems, hardware, software, and any other resources that hold valuable information for your organization.

To begin this process, you can add or import your information assets into the 6clicks Registers module. This will allow you to have a centralized repository where you can keep track of all your assets, and establish owners for each asset, ensuring that there is clear accountability and responsibility for their security.

  1. Navigate to the Register Module
  2. Select Create Register on the top right or use the 6clicks Asset Register
  3. Name the register, such as 'Systems'
  4. Populate this register by selecting import or create item
  5. When creating a new item, you can add a variety of details such as description, owner, documents, and associated risks
    You can also create custom data fields that can be added to custom register items

Identify and assess your risks 

When it comes to managing information security, it is crucial to identify and assess the risks that your organization may face. Organizations can, if they choose, use a risk library to conduct a risk review with key stakeholders to systematically identify and document potential risks, or they can add risks directly to the risk register. By maintaining a comprehensive record and prioritizing risks based on likelihood and impact, organizations can develop strategies to mitigate threats and protect their objectives.

There are several key risk management configurations you can explore in the 6clicks platform:

To get started with risk identification, add a Risk inside 6clicks by following the steps below or begin a risk review on a risk library in 6clicks:

  1. Navigate to the Risk Register Module
  2. Import existing risks using the More dropdown menu or add new risks by clicking on Create Risk
  3. Review the overview tab content. This includes Risk Owners, Access Members, Risk Domain, Description, Common Cause, and Potential Impact

Establish policies and controls 

To establish effective policies and controls for your Information Security Management System (ISMS), the 6clicks platform offers control sets that can be easily accessed from the 6clicks Content Library. You have the option to choose from a range of predefined control sets or even bring your own control sets.

By using 6clicks control sets, you can save time and effort by adopting recommended controls that align with industry standards. These controls cover various areas of information security, such as access control, incident response, and encryption. You can customize and tailor these controls to meet your organization's specific requirements, ensuring a strong foundation for your information security policies. This not only helps mitigate risks but also demonstrates your commitment to maintaining a secure environment for your information assets.

Leverage Hailey AI to map internal policies and control sets to authority documents automatically and act on any gaps within the platform found here.

  1. Navigate to the Content Library
  2. Select the content type Control Sets
  3. Select the '6clicks Acceptable Use' control set and review the content details
  4. After reviewing the content, select Add Content on the top right. The newly added control set will appear shortly in your Controls module.

Manage tasks and evidence

To ensure compliance with information security standards, complete tasks and collect evidence that demonstrates your organization's commitment. This includes creating a Statement of Applicability to outline the scope of your ISMS and identify applicable controls. Conduct regular management reviews to assess effectiveness, identify gaps, and make necessary improvements. Internal audits are also important for monitoring and evaluating ISMS performance. By effectively managing tasks and collecting evidence, you provide tangible proof of compliance and demonstrate a robust ISMS to stakeholders, customers, and auditors.

Note that your tasks can be updated directly from the My Tasks module, as required. The My Tasks module will show each user in the platform all of the tasks assigned to them throughout the 6clicks system.

You can also manage internal Control Sets as internal reference documents (think company policy) that are made up of Controls, which represent individual statements. Control sets act as internal guidelines and are based directly on a single Authority or multiple Authorities that apply to an organization.

Not only can you create individual Controls, but you can create Responsibilities and assign them to team members to ensure they are addressed. Control Responsibilities are actionable items linked to Control Sets. Responsibilities are created in the Control Set Builder and managed via the Tasks Module. 

To review the status of tasks assigned to you, follow the steps below.

  1. Navigate to the My Tasks module
  2. Select the status tab to toggle between New and In-progress statuses
  3. Toggle the date ranges to select a specific date range for the tasks

Prove your compliance 

Proving compliance with information security standards is a crucial step in establishing trust and credibility for your organization. The 6clicks platform offers a comprehensive solution to help you achieve this goal.

With the Trust Portal feature, you can add your organization's policies and controls directly to the platform. This allows you to document and centralize all your security measures in one place, making it easier to manage and demonstrate compliance. By adding your policies and controls, you can provide a clear framework for your information security practices and ensure that all necessary measures are in place.

  1. Navigate to the Trust Portal module
  2. Select Trust Portal from the left navigation panel, then click + to Create New Profile 
  3. A Create New Profile box will appear - here you can provide the Profile Name, provide a brief Overview (optional), and add any Contact Details (optional)
  4. Click the Edit icon within the Overview section to add or modify the Contact Details
  5. Once you have selected the profile you wish to amend, you can add Assessments, Control Sets, or Documents by clicking the appropriate Add button
  6. Your Trust Portal profile is now ready to be shared with external parties, such as your external auditor or a customer to demonstrate trust
  7. The Trust Portal also gives you the ability to manage the terms and conditions found here
  8. Users can now make their profiles public and generate a link to share with external users found here 

The 6clicks platform offers a comprehensive solution to help you prove your compliance with information security standards. By adding policies and controls, inputting assessment results, sharing with stakeholders, completing audits, and obtaining certification, you can establish trust, mitigate risks, and demonstrate your commitment to maintaining a secure environment for your information assets.