ISMS Planning before Organization Establishment

[sni63]

Hello my friends

I'm beginner in ISMS

We outsource our ISMS planning for some current projects to a team

Suppose our project is Establishing a new Organization with some features Technical and Management features

The team, say we can not provide any comment on security (include policy, BCP, risk assessment and so on) until your organization (our project) establish completely

Is it true? Can we trust them? How we can evaluate them? and ...

They give us just some general document for example: ISO 27002 Policies, a BCP plan (very general) and Penetration Test methodology, and some table for risk assessment. It is interesting they give us a Threat Modeling document. I think this is related to software engineering but they provide it for ISMS plan. Not surprising?


They said: our information about your project is very low and until is ....
What information really are needed for plan an ISMS? What information about out project we should give them exactly?

Help me, it's thousands of dollars

[sni63]

really nobody?
Are there anyone ever?

[atari]

Sorry, I guess everyone is out on vacation. We are implementing ISMS too. To plan ISMS, you do not need much. Basically, there is the stuff that helps you and the remaining stuff that is just to formalize it. Everything starts with risk assesment/analysis - you get external consultants who perform a thorought audit and tell you where your problems are (relative to data and information security). You react upon it by furnishing sort of an action plan which ends up in a Statement of Applicability which is a formal document for your stakeholders/management. From that point forward, you take measures to mitigate those risks, and the special thing about ISMS is that you do it in a PDCA cycle way (you plan your measures, then implement them, check feedback/results, take more measures). Hope that helps.

Before you answer your consultants questions, have them sigh confidentiality agreement. In case you are really really concerned about information loss, give them what they ask for, but tell them they can use it while in your office only, no taking it home, no photocopies, no pictures.

[steven]

What kind of information exactly are you concerned about? As Atari said, it is not unusual that the initial risk analysis is done by external consultants.

[sni63]

hello
Thanks for your replies guys

Clearly I want to know for ISMS planning:
What information we should (or must) give them?
What information they should (or must) give us?

thanks so much

[steven]

I would not give tham passwords and PINs, but other that that it depends on how well done you want the risk analysis. If you want to have a good risk analysis, you need to provide more info. If you just want to get a piece of paper, then you can fight for not providing any info to the external consultant. But then one might ask why you want to impelement ISMS, of course.

[atari]

Agree with Steven. If you want good risk analysis, you will need to open up.