Chat with Experta

Can an information system be composed of: information security management system procedures and policies, hardware, software, networks, data, documents and facilities and people?
ISO 27001 clause 4.4, called "Information Security Management System", is basically implemented by complying with all other clauses in the standard. To see the steps in the implementation, you can ask "What are ISO 27001 implementation steps?"

Among other things, clause 4.4 requires you to define the processes that are needed and their interactions - you can implement this using the following steps:
1. Once you complete the Statement of Applicability, define which security processes are needed, and which of them you want to document.
2. Define each process - what are the inputs, activities, and outputs.
3. Once you have an overall picture of all processes and their inputs and outputs, you can understand how they interact - in most cases, outputs from one process will be inputs to another process.
4. Documenting those interactions is not mandatory - if you decide to document them, you can do it in two ways: (a) draw up a process map, or (b) write a procedure for a process, and include the definition of inputs and outputs in this procedure.