ISO 27000 is the generic name for the family of ISO standards on information security. In this article I am going to describe how, in one of my jobs, we obtained certification for the Information Security Management System (ISMS) specified in ISO 27001 (which is closely linked with ISO 27002, the catalogue of controls).
First, we need to describe and make clear what a Management System is. According to ISO, a Management System is a set of procedures an organization needs to follow in order to meet its objectives. A well-deployed Management System ensures that every request, incident, issue (or whatever name you want to give it) is always processed the same way, with the same established quality. A Management System uses what is called the Deming Cycle (Plan-Do-Check-Act), which prescribes continuous improvement of all the processes involved.
Another concept we need to establish before starting to tell this tale is what a process is. For me, a process is a sequence of interdependent and linked procedures which, at every stage, consume one or more resources (employees, time, energy, machines, money, etc.) to convert inputs (data, material, parts, etc.) into outputs. These outputs then serve as inputs for the next stage until a known goal or end result is reached. I won't cover in this article how to document a process, but don't lose sight of the fact that you will need to document it. The ISMS is all about documenting and keeping records, and not only the ISMS: any management system in general.
So, when you start defining your ISMS, keep in mind that you will need to back up all your statements with evidence. You will need Security & Vulnerability Assessments or, in the worst case, a signed letter from the CEO formally accepting the risks involved (ISO 27001 requires that residual risks be explicitly accepted by their owners and that the acceptance be recorded). The CEO is ultimately responsible for the ISMS. We will talk about that later.
The asset is just another concept that comes to mind. For me, an asset is anything that has value to the business. An asset has a value property that will play a crucial role in this process, since it is what the risk assessment is built on. I will talk about that later.
Ah! Before I forget: if you are pursuing ISO 27001 certification, you must know that certification is granted to an organization for a specific, defined scope (a business process), not for the company as a whole.
With these concepts in place, I will start telling what happened in those glory days.