
Sample Implementation Process for BS-7799 / ISO-17799

ISO Security Solutions - Project Management

Organization    Division    Administrator
ABC Industries  Mid-west    Jeff Williams

Project Number  Start Date  Due Date  % Project Complete  Updated on
1702            11/12       03/12     91 %                2/17

Implementation task management

The tracker also carries Task Status, Training, Tasks, Policy and Audit columns, which hold no text in this sample.

OPENING MEETING

Assigned to      Started  Due    Task Title
Roy Johnstone    11/12    11/13  Opening meeting
Jeff Williams    11/12    11/13  Introduction to ISO Security Solutions
Susan Bristol    11/12    11/13  Overview of training program
Jeff Williams    11/14    11/14  Implementation tools
Jeff Williams    11/14    11/15  Selection of implementation teams
Robert Sythe     11/15    11/18  Selection of Internal Auditors
Susan Bristol    11/18    11/18  Overview of ISO-17799 / BS-7799
Robert Sythe     11/18    11/18  Overview of auditing
Susan Bristol    11/19    11/22  Implementation Tasks and Training

INFORMATION SECURITY POLICY

No.  Assigned to      Started  Due    Task Title
1    Jeff Williams    11/19    12/16  Information security policy document
2    Jeff Williams    11/19    12/16  Review and evaluation

ORGANIZATION SECURITY

No.  Assigned to      Started  Due    Task Title
3    Jeff Williams    11/15    11/22  Management information security forum
4    Jeff Williams    11/15    11/22  Information security co-ordination
5    Jeff Williams    11/18    12/16  Allocation of information security responsibilities
6    Julia Anderson   11/15    01/23  Authorization process for information processing facilities
7    Julia Anderson   11/18    12/13  Specialist information security advice
8    Julia Anderson   11/18    12/13  Co-operation between organizations
9    Jeff Williams    01/10    02/24  Independent review of information security
10   Marci Bishop     11/22    01/06  Identification of risks from third party access
11   Marci Bishop     11/22    01/06  Security requirements in third party contracts
12   Marci Bishop     11/22    01/06  Security requirements in outsourcing contracts

ASSET CLASSIFICATION AND CONTROL

No.  Assigned to      Started  Due    Task Title
13   Cindy Watson     11/22    01/15  Inventory of assets
14   Cindy Watson     11/22    12/06  Classification guidelines
15   Cindy Watson     11/22    12/06  Information labeling and handling

PERSONNEL SECURITY

No.  Assigned to      Started  Due    Task Title
16   Susan Bristol    11/22    12/20  Including security in job responsibilities
17   Susan Bristol    11/22    12/20  Personnel screening and policy
18   Susan Bristol    11/22    12/13  Confidentiality agreements
19   Susan Bristol    11/22    12/13  Terms and conditions of employment

USER TRAINING

No.  Assigned to      Started  Due    Task Title
20   Susan Bristol    12/09    01/10  Information security education and training
21   Andrew Marcus    12/02    01/06  Reporting security incidents
22   Andrew Marcus    12/02    01/06  Reporting security weaknesses
23   Andrew Marcus    12/02    01/06  Reporting software malfunctions
24   Andrew Marcus    01/06    01/23  Learning from incidents
25   Susan Bristol    12/16    01/20  Disciplinary process

PHYSICAL AND ENVIRONMENTAL SECURITY

No.  Assigned to      Started  Due    Task Title
26   Bob Taylor       11/20    12/13  Physical security perimeter
27   Bob Taylor       11/20    12/16  Physical entry controls
28   Bob Taylor       11/20    12/16  Securing offices, rooms and facilities
29   Bob Taylor       11/20    12/16  Working in secure areas
30   Bob Taylor       11/20    12/10  Isolated delivery and loading areas
31   Bob Taylor       12/10    01/10  Equipment siting and protection
32   Bob Taylor       12/10    01/10  Power supplies
33   Bob Taylor       12/10    01/10  Cabling security
34   Bob Taylor       12/17    01/17  Equipment maintenance
35   John Peters      12/02    01/06  Security of equipment off-premises
36   John Peters      12/02    01/06  Secure disposal or re-use of equipment
37   John Peters      12/02    01/06  Clear desk and clear screen policy
38   John Peters      12/02    01/06  Removal of property

COMMUNICATIONS & OPERATIONS

No.  Assigned to      Started  Due    Task Title
39   Kim Wu           12/17    01/20  Documented operating procedures
40   Kim Wu           12/17    01/20  Operational change control
41   Andrew Marcus    12/10    01/10  Incident management procedures
42   Jeff Williams    11/27    12/20  Segregation of duties
43   Jeff Williams    11/27    12/20  Separation of development and operational facilities
44   Bob Taylor       12/02    01/15  External facilities management
45   Kim Wu           12/02    01/10  Capacity planning
46   Kim Wu           12/02    01/10  System acceptance
47   Bob Taylor       11/18    12/03  Controls against malicious software
48   Kim Wu           11/19    12/05  Information back-up
49   Kim Wu           11/25    12/10  Operator logs
50   Kim Wu           11/25    12/10  Fault logging
51   Kim Wu           12/10    01/10  Network controls
52   Bob Taylor       11/25    12/06  Management of removable computer media
53   Bob Taylor       11/25    12/06  Disposal of media
54   Kim Wu           11/25    12/10  Information handling procedures
55   Kim Wu           11/18    12/03  Security of system documentation
56   Bob Taylor       11/22    12/16  Information and software exchange agreements
57   Bob Taylor       11/22    12/16  Security of media in transit
58   Bob Taylor       11/26    01/23  Electronic commerce security
59   Bob Taylor       11/26    01/10  Security of electronic mail
60   Bob Taylor       11/26    01/10  Security of electronic office systems
61   Kim Wu           11/22    12/20  Publicly available systems
62   Kim Wu           11/22    12/20  Other forms of information exchange

ACCESS CONTROL

No.  Assigned to      Started  Due    Task Title
63   Lisa Steinberg   12/02    01/15  Access control policy
64   Lisa Steinberg   12/02    01/15  User registration
65   Lisa Steinberg   12/02    01/15  Privilege management
66   Lisa Steinberg   12/02    01/15  User password management
67   Lisa Steinberg   12/02    01/15  Review of user access rights
68   Lisa Steinberg   12/02    01/15  Password use
69   George Paterson  12/09    01/23  Unattended user equipment
70   George Paterson  12/09    01/23  Policy on use of network services
71   George Paterson  12/09    01/23  Enforced path
72   George Paterson  12/09    01/23  User authentication for external connections
73   George Paterson  12/09    01/23  Node authentication
74   George Paterson  12/17    02/03  Remote diagnostic port protection
75   George Paterson  12/17    02/03  Segregation in networks
76   George Paterson  12/17    02/03  Network connection control
77   George Paterson  12/17    02/03  Network routing control
78   George Paterson  12/17    02/03  Security of network services
79   George Paterson  12/26    02/10  Automatic terminal identification
80   George Paterson  12/26    02/10  Terminal log-on procedures
81   Lisa Steinberg   12/14    01/17  User identification and authentication
82   Lisa Steinberg   12/14    01/17  Password management system
83   George Paterson  01/15    02/10  Use of system utilities
84   George Paterson  01/15    02/10  Duress alarm to safeguard users
85   George Paterson  01/15    02/10  Terminal time-out
86   George Paterson  01/15    02/10  Limitation of connection time
87   Lisa Steinberg   01/03    01/20  Information access restriction
88   Lisa Steinberg   01/03    01/20  Sensitive system isolation
89   Lisa Steinberg   01/03    01/20  Event logging
90   Lisa Steinberg   01/03    01/20  Monitoring system use
91   Lisa Steinberg   01/03    01/20  Clock synchronization
92   Roy Johnstone    12/02    01/07  Mobile computing
93   Roy Johnstone    12/02    01/07  Teleworking

SYSTEMS DEVELOPMENT AND MAINTENANCE

No.  Assigned to      Started  Due    Task Title
94   George Paterson  12/09    02/24  Security requirements analysis and specification
95   John Peters      12/16    01/10  Input data validation
96   George Paterson  12/02    01/06  Control of internal processing
97   John Peters      12/16    01/10  Message authentication
98   John Peters      12/16    01/10  Output data validation
99   Roy Johnstone    12/02    01/23  Policy on the use of cryptographic controls
100  Roy Johnstone    12/02    01/23  Encryption
101  Andrew Marcus    12/02    01/23  Digital signatures
102  Andrew Marcus    12/02    01/23  Non-repudiation services
103  George Paterson  12/16    02/10  Key management
104  George Paterson  12/16    02/07  Control of operational software
105  George Paterson  12/16    01/06  Protection of system test data
106  George Paterson  12/20    01/06  Access control to program source library
107  George Paterson                  Change control procedures