ISO 27001 Implementation Project

This template provides guidance on how to implement an ISMS according to ISO/IEC 27001.

By purchasing this file, you agree to keep its contents confidential and not to share, distribute, or disclose it to any third parties
permission of Aron Lange. Any unauthorized distribution or disclosure of this file may lead to legal action against you.

The information contained in this file is for general information purposes only. The information is provided by Aron Lange and w
information up to date and correct, we make no representations or warranties of any kind, express or implied, about the comple
suitability or availability with respect to the file or the information, products, services, or related graphics contained in the file for
place on such information is therefore strictly at your own risk. In no event will we be liable for any loss or damage including wit
consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connec

Publisher: Aron Lange


© 2023 Aron Lange, Germany
www.aronlange.com
Normative references

Count of entries in the reference list below, per clause and subclause of ISO/IEC 27001:2022 and per Annex A control theme:

Clause | Subclause | Description | Count of references
4 Context of the organization | | | 10
 | 4.1 | Understanding the organization and its context | 1
 | 4.2 | Understanding the needs and expectations of interested parties | 3
 | 4.3 | Determining the scope of the information security management system | 5
 | 4.4 | Information security management system | 1
5 Leadership | | | 18
 | 5.1 | Leadership and commitment | 8
 | 5.2 | Policy | 7
 | 5.3 | Organizational roles, responsibilities and authorities | 3
6 Planning | | | 39
 | 6.1 | Actions to address risks and opportunities | 24
 | 6.2 | Information security objectives and planning to achieve them | 14
 | 6.3 | Planning of changes | 1
7 Support | | | 24
 | 7.1 | Resources | 1
 | 7.2 | Competence | 4
 | 7.3 | Awareness | 3
 | 7.4 | Communication | 4
 | 7.5 | Documented information | 12
8 Operations | | | 8
 | 8.1 | Operational planning and control | 4
 | 8.2 | Information security risk assessment | 2
 | 8.3 | Information security risk treatment | 2
9 Performance evaluation | | | 30
 | 9.1 | Monitoring, measurement, analysis and evaluation | 8
 | 9.2 | Internal audit | 9
 | 9.3 | Management review | 13
10 Improvement | | | 12
 | 10.1 | Continual improvement | 1
 | 10.2 | Nonconformity and corrective action | 11
Annex A | | | 93
 | 5 | Organizational controls | 37
 | 6 | People controls | 8
 | 7 | Physical controls | 14
 | 8 | Technological controls | 34
Total | | | 234
Reference list

Each entry of the template's reference list is one paragraph (¶n) or one lettered or numbered item of a clause of ISO/IEC 27001:2022, or one Annex A control, together with its type, clause and subclause. The template's Description column is left empty: due to copyright protection, this resource cannot provide you with the actual citations of ISO/IEC 27001:2022; however, you can add the text from your personal licensed copy. Entries that share a subclause are grouped on one line here, in the template's order.

Reference | Type | Clause | Subclause
4.1 ¶1 | Core Topic | 4 Context of the organization | 4.1 Understanding the organization and its context
4.2 a), 4.2 b), 4.2 c) | Core Topic | 4 Context of the organization | 4.2 Understanding the needs and expectations of interested parties
4.3 ¶1, 4.3 a), 4.3 b), 4.3 c), 4.3 ¶2 | Core Topic | 4 Context of the organization | 4.3 Determining the scope of the information security management system
4.4 ¶1 | Core Topic | 4 Context of the organization | 4.4 Information security management system
5.1 a), 5.1 b), 5.1 c), 5.1 d), 5.1 e), 5.1 f), 5.1 g), 5.1 h) | Core Topic | 5 Leadership | 5.1 Leadership and commitment
5.2 a), 5.2 b), 5.2 c), 5.2 d), 5.2 e), 5.2 f), 5.2 g) | Core Topic | 5 Leadership | 5.2 Policy
5.3 ¶1, 5.3 a), 5.3 b) | Core Topic | 5 Leadership | 5.3 Organizational roles, responsibilities and authorities
6.1.1 a), 6.1.1 b), 6.1.1 c), 6.1.1 d), 6.1.1 e) 1), 6.1.1 e) 2), 6.1.2 a) 1), 6.1.2 a) 2), 6.1.2 b), 6.1.2 c) 1), 6.1.2 c) 2), 6.1.2 d) 1), 6.1.2 d) 2), 6.1.2 d) 3), 6.1.2 e) 1), 6.1.2 e) 2), 6.1.2 ¶1, 6.1.3 a), 6.1.3 b), 6.1.3 c), 6.1.3 d), 6.1.3 e), 6.1.3 f), 6.1.3 ¶1 | Core Topic | 6 Planning | 6.1 Actions to address risks and opportunities
6.2 ¶1, 6.2 a), 6.2 b), 6.2 c), 6.2 d), 6.2 e), 6.2 f), 6.2 g), 6.2 ¶2, 6.2 h), 6.2 i), 6.2 j), 6.2 k), 6.2 l) | Core Topic | 6 Planning | 6.2 Information security objectives and planning to achieve them
6.3 ¶1 | Core Topic | 6 Planning | 6.3 Planning of changes
7.1 ¶1 | Core Topic | 7 Support | 7.1 Resources
7.2 a), 7.2 b), 7.2 c), 7.2 d) | Core Topic | 7 Support | 7.2 Competence
7.3 a), 7.3 b), 7.3 c) | Core Topic | 7 Support | 7.3 Awareness
7.4 a), 7.4 b), 7.4 c), 7.4 d) | Core Topic | 7 Support | 7.4 Communication
7.5.1 a), 7.5.1 b), 7.5.2 a), 7.5.2 b), 7.5.2 c), 7.5.3 a), 7.5.3 b), 7.5.3 c), 7.5.3 d), 7.5.3 e), 7.5.3 f), 7.5.3 ¶1 | Core Topic | 7 Support | 7.5 Documented information
8.1 ¶1, 8.1 ¶2, 8.1 ¶3, 8.1 ¶4 | Core Topic | 8 Operations | 8.1 Operational planning and control
8.2 ¶1, 8.2 ¶2 | Core Topic | 8 Operations | 8.2 Information security risk assessment
8.3 ¶1, 8.3 ¶2 | Core Topic | 8 Operations | 8.3 Information security risk treatment
9.1 a), 9.1 b), 9.1 c), 9.1 d), 9.1 e), 9.1 f), 9.1 ¶1, 9.1 ¶2 | Core Topic | 9 Performance evaluation | 9.1 Monitoring, measurement, analysis and evaluation
9.2.1 a) 1), 9.2.1 a) 2), 9.2.1 b), 9.2.2 ¶1, 9.2.2 ¶2, 9.2.2 a), 9.2.2 b), 9.2.2 c), 9.2.2 ¶3 | Core Topic | 9 Performance evaluation | 9.2 Internal audit
9.3.1 ¶1, 9.3.2 a), 9.3.2 b), 9.3.2 c), 9.3.2 d) 1), 9.3.2 d) 2), 9.3.2 d) 3), 9.3.2 d) 4), 9.3.2 e), 9.3.2 f), 9.3.2 g), 9.3.3 ¶1, 9.3.3 ¶2 | Core Topic | 9 Performance evaluation | 9.3 Management review
10.1 ¶1 | Core Topic | 10 Improvement | 10.1 Continual improvement
10.2 a) 1), 10.2 a) 2), 10.2 b) 1), 10.2 b) 2), 10.2 b) 3), 10.2 c), 10.2 d), 10.2 e), 10.2 ¶1, 10.2 f), 10.2 g) | Core Topic | 10 Improvement | 10.2 Nonconformity and corrective action
A.5.1 to A.5.37 (37 controls, one entry each) | Control | Annex A | 5 Organizational controls
A.6.1 to A.6.8 (8 controls, one entry each) | Control | Annex A | 6 People controls
A.7.1 to A.7.14 (14 controls, one entry each) | Control | Annex A | 7 Physical controls
A.8.1 to A.8.34 (34 controls, one entry each) | Control | Annex A | 8 Technological controls
Project information
Project name: ISO 27001 Implementation Project

Project lead:

Start date: 1-Jan-23

Finish date: 23-Apr-24


ISO 27001 for Beginners

[Gantt chart: one column per calendar day from 26-Dec-22 to 19-Feb-23 (ISO weeks 52 to 7), headed M T W T F S S; the bar columns are not reproduced here.]
Project plan

Type: S = summary (phase), T = task, M = milestone (drawn as ◆ on the Gantt chart). Duration is in working days. The Assignee column is empty throughout the template and is omitted here; tasks without a % value have no progress recorded.

ID | Type | Task Name | Duration | Start | Finish | % | Reference | Deliverable
1 | S | 1. Management Support | 22 | 1-Jan-23 | 30-Jan-23 | 100% | |
2 | T | Outline business case | 9 | 1-Jan-23 | 11-Jan-23 | 100% | |
3 | T | Present business case | 1 | 12-Jan-23 | 12-Jan-23 | 100% | |
4 | M | Management support is obtained | | 12-Jan-23 | 12-Jan-23 | 100% | 5.1, 7.1 |
5 | T | Initiate project | 2 | 13-Jan-23 | 16-Jan-23 | 100% | |
6 | T | Assign roles, responsibilities and authorities | 5 | 17-Jan-23 | 23-Jan-23 | 100% | 5.3 |
7 | T | Plan project | 5 | 24-Jan-23 | 30-Jan-23 | 100% | | Project Plan
8 | S | 2. Determine Scope | 23 | 31-Jan-23 | 2-Mar-23 | 100% | |
9 | T | Determine external issues | 5 | 31-Jan-23 | 6-Feb-23 | 100% | 4.1 |
10 | T | Determine internal issues | 5 | 7-Feb-23 | 13-Feb-23 | 100% | 4.1 |
11 | T | Identify external interested parties | 3 | 14-Feb-23 | 16-Feb-23 | 100% | 4.2 a) |
12 | T | Identify internal interested parties | 3 | 17-Feb-23 | 21-Feb-23 | 100% | 4.2 a) |
13 | T | Identify requirements of interested parties | 2 | 22-Feb-23 | 23-Feb-23 | 100% | 4.2 b) |
14 | T | Determine preliminary scope | 1 | 24-Feb-23 | 24-Feb-23 | 100% | 4.3 |
15 | T | Determine refined scope | 1 | 27-Feb-23 | 27-Feb-23 | 100% | 4.3 |
16 | T | Determine final scope | 1 | 28-Feb-23 | 28-Feb-23 | 100% | 4.3 |
17 | T | Document final scope | 1 | 1-Mar-23 | 1-Mar-23 | 100% | 4.3 |
18 | T | Approve final scope | 1 | 2-Mar-23 | 2-Mar-23 | 100% | 4.3 |
19 | M | Scope is approved | | 2-Mar-23 | 2-Mar-23 | 100% | 4.3 | Scope of the ISMS (4.3)
20 | S | 3. Define Information security policy | 13 | 3-Mar-23 | 21-Mar-23 | 100% | |
21 | T | Determine information security objectives | 3 | 3-Mar-23 | 7-Mar-23 | 100% | 6.2 | Information security objectives (6.2)
22 | T | Establish information security policy | 6 | 8-Mar-23 | 15-Mar-23 | 100% | 5.2 | Information security policy (5.2)
23 | T | Develop communication plan | 2 | 16-Mar-23 | 17-Mar-23 | 100% | 7.4 |
24 | T | Publish information security policy | 2 | 20-Mar-23 | 21-Mar-23 | 100% | 5.2 |
25 | S | 4. Inventory of assets | 32 | 22-Mar-23 | 4-May-23 | 100% | |
26 | T | Identify primary assets | 5 | 22-Mar-23 | 28-Mar-23 | 100% | A.5.9 |
27 | T | Identify supporting assets | 5 | 29-Mar-23 | 4-Apr-23 | 100% | A.5.9 |
28 | T | Map primary and supporting assets | 5 | 5-Apr-23 | 11-Apr-23 | 100% | A.5.9 |
29 | T | Identify asset owners | 2 | 12-Apr-23 | 13-Apr-23 | 100% | A.5.9 |
30 | T | Develop information classification policy | 5 | 14-Apr-23 | 20-Apr-23 | 100% | A.5.12 | Information classification policy (A.5.12)
31 | T | Classify assets | 2 | 21-Apr-23 | 24-Apr-23 | 100% | A.5.12 |
32 | T | Develop procedures for information labelling | 5 | 25-Apr-23 | 1-May-23 | 100% | A.5.13 |
33 | T | Label assets | 1 | 2-May-23 | 2-May-23 | 100% | A.5.13 |
34 | T | Document asset inventory | 2 | 3-May-23 | 4-May-23 | 100% | A.5.9 | Inventory of assets (A.5.9)
35 | S | 5. Risk Management Methodology | 17 | 5-May-23 | 29-May-23 | 0% | |
36 | T | Define information security risk criteria | 3 | 5-May-23 | 9-May-23 | | 6.1.2 a) |
37 | T | Define information security risk acceptance criteria | 3 | 10-May-23 | 12-May-23 | | 6.1.2 a) |
38 | T | Approve information security risk acceptance criteria | 1 | 15-May-23 | 15-May-23 | | 6.1.2 a) |
39 | T | Define information security risk assessment process | 5 | 16-May-23 | 22-May-23 | | 6.1.2 | Information security risk assessment process (6.1.2)
40 | T | Define information security risk treatment process | 5 | 23-May-23 | 29-May-23 | | 6.1.3 | Information security risk treatment process (6.1.3)
41 | S | 6. Information security risk assessment | 30 | 30-May-23 | 10-Jul-23 | 0% | |
42 | S | Risk identification | 15 | 30-May-23 | 19-Jun-23 | 0% | |
43 | T | Identify threats | 2 | 30-May-23 | 31-May-23 | | 8.2 | List of threats
44 | T | Identify existing controls | 5 | 1-Jun-23 | 7-Jun-23 | | 8.2 | List of existing controls
45 | T | Identify vulnerabilities | 5 | 8-Jun-23 | 14-Jun-23 | | 8.2 | List of vulnerabilities in relation to assets, controls and threats
46 | T | Identify consequences (impact) | 3 | 15-Jun-23 | 19-Jun-23 | | 8.2 | List of incident scenarios
47 | S | Risk analysis | 10 | 20-Jun-23 | 3-Jul-23 | 0% | |
48 | T | Assess consequences (impact) | 3 | 20-Jun-23 | 22-Jun-23 | | 8.2 |
49 | T | Assess likelihood | 3 | 23-Jun-23 | 27-Jun-23 | | 8.2 |
50 | T | Determine risk level | 4 | 28-Jun-23 | 3-Jul-23 | | 8.2 | List of risks with risk levels assigned
51 | S | Risk evaluation | 5 | 4-Jul-23 | 10-Jul-23 | 0% | |
52 | T | Evaluate risks | 5 | 4-Jul-23 | 10-Jul-23 | | 8.2 | List of prioritized risks
53 | M | Risk assessment is completed | | 10-Jul-23 | 10-Jul-23 | 0% | 8.2 | Results of the information security risk assessments (8.2)
54 | S | 7. Information security risk treatment | 90 | 11-Jul-23 | 13-Nov-23 | 0% | |
55 | T | Select risk treatment options | 5 | 11-Jul-23 | 17-Jul-23 | | 8.3 |
56 | T | Determine controls | 5 | 18-Jul-23 | 24-Jul-23 | | 8.3 |
57 | T | Produce Statement of Applicability (SoA) | 1 | 25-Jul-23 | 25-Jul-23 | | 8.3 | Statement of Applicability (SoA) (6.1.3)
58 | T | Formulate risk treatment plan | 10 | 26-Jul-23 | 8-Aug-23 | | 8.3 |
59 | T | Obtain approval for risk treatment plan | 5 | 9-Aug-23 | 15-Aug-23 | | 8.3 | Risk treatment plan
60 | M | Risk treatment plan is approved | | 15-Aug-23 | 15-Aug-23 | 0% | 8.3 |
61 | T | Implement risk treatment plan | 63 | 16-Aug-23 | 10-Nov-23 | | 8.3 |
62 | T | Update Statement of Applicability (SoA) | 1 | 13-Nov-23 | 13-Nov-23 | | 8.3 |
63 | M | Risk treatment plan is implemented | | 13-Nov-23 | 13-Nov-23 | 0% | 8.3 | Results of the risk treatment process
64 | S | 8. Performance Evaluation | 66 | 14-Nov-23 | 13-Feb-24 | 0% | |
65 | S | Monitoring | 27 | 14-Nov-23 | 20-Dec-23 | 0% | |
66 | T | Identify information needs | 5 | 14-Nov-23 | 20-Nov-23 | | 9.1 |
67 | T | Create and maintain measures | 5 | 21-Nov-23 | 27-Nov-23 | | 9.1 |
68 | T | Establish procedures | 10 | 28-Nov-23 | 11-Dec-23 | | 9.1 |
69 | T | Monitor and measure | 2 | 12-Dec-23 | 13-Dec-23 | | 9.1 |
70 | T | Analyse results | 1 | 14-Dec-23 | 14-Dec-23 | | 9.1 |
71 | T | Evaluate information security performance | 1 | 15-Dec-23 | 15-Dec-23 | | 9.1 |
72 | T | Evaluate ISMS effectiveness | 1 | 18-Dec-23 | 18-Dec-23 | | 9.1 |
73 | T | Document results | 2 | 19-Dec-23 | 20-Dec-23 | | 9.1 | Information security metrics
74 | S | Internal audit | 37 | 21-Dec-23 | 9-Feb-24 | 0% | |
75 | T | Establish audit programme objectives | 3 | 21-Dec-23 | 25-Dec-23 | | 9.2 |
76 | T | Determine audit programme risks and opportunities | 2 | 26-Dec-23 | 27-Dec-23 | | 9.2 |
77 | T | Evaluate audit programme risks and opportunities | 2 | 28-Dec-23 | 29-Dec-23 | | 9.2 |
78 | T | Establish audit programme | 2 | 1-Jan-24 | 2-Jan-24 | | 9.2 | Audit programme (9.2)
79 | T | Implement audit programme | 10 | 3-Jan-24 | 16-Jan-24 | | 9.2 |
80 | T | Conduct internal audits | 15 | 17-Jan-24 | 6-Feb-24 | | 9.2 |
81 | T | Report audit results | 3 | 7-Feb-24 | 9-Feb-24 | | 9.2 | Audit results (9.2)
82 | S | Management review | 2 | 12-Feb-24 | 13-Feb-24 | 0% | |
83 | T | Review reporting of the performance of the ISMS | 1 | 12-Feb-24 | 12-Feb-24 | | 9.3 |
84 | T | Provide results of management review | 1 | 13-Feb-24 | 13-Feb-24 | | 9.3 | Results of management reviews (9.3)
85 | S | 9. Improvement | 19 | 14-Feb-24 | 11-Mar-24 | 0% | |
86 | T | Identify nonconformities | 2 | 14-Feb-24 | 15-Feb-24 | | 10.2 |
87 | T | Review nonconformities | 2 | 16-Feb-24 | 19-Feb-24 | | 10.2 | Nature of the nonconformities and any subsequent actions taken (10.2 f))
88 | T | Perform root cause analysis | 2 | 20-Feb-24 | 21-Feb-24 | | 10.2 |
89 | T | Determine corrective actions | 3 | 22-Feb-24 | 26-Feb-24 | | 10.2 |
90 | T | Plan corrective actions | 2 | 27-Feb-24 | 28-Feb-24 | | 10.2 |
91 | T | Implement corrective actions | 5 | 29-Feb-24 | 6-Mar-24 | | 10.2 |
92 | T | Assess corrective actions | 3 | 7-Mar-24 | 11-Mar-24 | | 10.2 | Results of any corrective action (10.2 g))
93 | M | ISMS is compliant | | 11-Mar-24 | 11-Mar-24 | 0% | 10.2 |
94 | S | 10. Certification audit | 31 | 12-Mar-24 | 23-Apr-24 | 0% | |
95 | T | Contact certification bodies | 1 | 12-Mar-24 | 12-Mar-24 | | |
96 | T | Request proposals | 5 | 13-Mar-24 | 19-Mar-24 | | |
97 | T | Review proposals | 1 | 20-Mar-24 | 20-Mar-24 | | |
98 | T | Select certification body | 1 | 21-Mar-24 | 21-Mar-24 | | |
99 | T | Sign engagement letter | 1 | 22-Mar-24 | 22-Mar-24 | | |
100 | T | Schedule stage 1 audit | 1 | 25-Mar-24 | 25-Mar-24 | | |
101 | T | Undergo stage 1 audit | 10 | 26-Mar-24 | 8-Apr-24 | | |
102 | T | Schedule stage 2 audit | 1 | 9-Apr-24 | 9-Apr-24 | | |
103 | T | Undergo stage 2 audit | 10 | 10-Apr-24 | 23-Apr-24 | | |
104 | M | ISMS is certified | | 23-Apr-24 | 23-Apr-24 | 0% | | ISO/IEC 27001 certificate
