ISO/IEC 27001:2022 Implementation & Certification Readiness SOW

Statement of Work (SOW) Overview

Engagement Objective:
To support the client in achieving ISO/IEC 27001:2022 certification readiness through structured preparedness, documentation review, scope definition, and ISMS implementation advisory.

Scope Summary

Engagement Duration and Audit Scope

Duration: The engagement will span 12 months from the date of commencement and will include:

        Audit Planning & Kick-off

        Execution of Internal Audit

        Coverage of Locations

        Information Security Services Scope

Cover all applicable security domains, including but not limited to:

        Asset Management

        Access Control

        Physical and Environmental Security

        Operations Security

        Communications Security

        Supplier Relationships

        Incident Management

        Business Continuity

        Compliance

Audit Reporting

        Provide a detailed Internal Audit Report identifying nonconformities, observations, and opportunities for improvement.

        Submit a Corrective Action Plan (CAP) with specific actions, timelines, and responsible stakeholders.

        Highlight potential vulnerabilities and provide recommendations for remediation.


Support for Initial Certification Readiness

Surveillance Audit Preparation (TBD)

Support the client with planning and documentation for Surveillance Audits I & II post-certification.

Compliance Mapping

Align internal processes with ISO 27001:2022 controls and provide mapping with existing policies.

Deliverables:


Service Description Summary

As the consultant for ISO/IEC 27001:2022 Implementation and Certification Readiness, your role involves conducting comprehensive information security assessments. These assessments evaluate the organization's technologies, processes, people, and controls. Using proprietary checklists and a hands-on approach, the goal is to identify and address security weaknesses across the enterprise.

Organizational Security Domains to be Covered

Policy Review and Redrafting Support

As part of the ISO/IEC 27001:2022 implementation engagement, the following baseline policies must be reviewed and validated. If any of these policies are not currently available within the client’s documentation, they will be drafted and provided to ensure alignment with ISO 27001 requirements. These policies will serve as foundational documents for the client to adopt, publish, and maintain as part of their ISMS framework.

        Internet policy

        Acceptable use of assets policy

        Access control policy

        Data backup and restoration policy

        Incident management policy

        Information classification and handling policy

        Business continuity and recovery policy

        Network security policy / configuration management

        Password policy

        Physical security policy

        Capacity monitoring policy

        Information retention and disposal policy

        Supplier security policy

        Use of personal device policy

        Malware control & AV policy

        Email security policy

        Secure software development policy

        Document control policy

        Clear desk and clear screen policy

        Mobile device and teleworking policy

        Change management policy

        Communication policy

        Risk assessment and risk treatment policy

        Asset management policy

        Internal assessment policy

        Management review policy

        Corrective action & continuous improvement policy

        Cryptographic policy

        Software licensing policy

        Patch management policy

        Log review & retention policy

        Technical vulnerability assessment policy (VAPT)

        Social media policy

ISMS Scope

We deliver comprehensive support for the implementation of the ISO/IEC 27001:2022 framework, including certification readiness assistance. The scope of this engagement is defined as follows:

Alignment to ISO/IEC 27001:2022

Identification and establishment of the context of the organization (internal context, external context, and risk management context)

1. Identification of all interested parties and their requirements (e.g., clients, partners, suppliers, regulators and shareholders, but also employees' families, government agencies, local community, media, etc.)

2. Defining interfaces in the ISMS scope (identification and documentation of the interfaces between the activities performed by the organization and the activities performed by third parties)

3. Aligning ISMS objectives with company strategy (determining information security objectives compatible with the strategic direction of the company)

4. Reviewing and revising the top-level information security policy as per the standard's requirements

5. Reviewing and updating the risk assessment process as per the standard's requirements

6. Identifying the status of controls in the Statement of Applicability and obtaining approval from risk owners

7. Development of external and internal communication processes

8. Reviewing and updating management procedures

9. Guiding the respective process owners in writing policies and procedures as per the standard's requirements

10. Measurement and reporting procedure (ISMS objectives)

11. Implementation of ISO/IEC 27001:2022 practices

12. Conducting the internal assessment

13. Conducting the management review meeting

14. Corrective action plan, continual improvement plan, and hand-holding during the external audit

Approach & Implementation Stages

The implementation will follow a structured, phased approach to ensure effective planning, execution, and certification readiness. Below is a summary of the key stages, activities, timelines, and expected outputs:

Stage 1: Planning and Gap Assessment

1. ISMS Kick-Off Meeting: Duration: 1 day (Onsite)

   - Form the Steering Committee and Review Committee to oversee ISMS implementation.

2. Context Register Development: Duration: 3 days (Onsite)

   - Identify internal and external issues, interested parties, and dependencies, and propose the ISMS scope across functions and locations.

3. Gap Analysis and Review: Duration: 3 days (Onsite)

   - Conduct a baseline review for Head Office, IT, Admin, HR, Operations, and Secondary DC (BCP/DRP).

4. Management Review Meeting #1: Duration: 1 day (Offsite)

   - Present and finalize the ISMS scope with top management.

5. Gap Identification and Discussion: Duration: 3 man-days (Offsite)

   - Discuss department-wise gaps, root causes, and corrective actions with top management.

6. Resource Allocation: Duration: 1 day (Offsite)

   - Assign key personnel for each department.

7. Defining Roles and Responsibilities: Duration: 1 day (Offsite)

   - Document job descriptions (JD), key result areas (KRA), and key performance indicators (KPI).

8. Review of Implementation Plan: Duration: 1 day (Offsite)

   - Present the final implementation plan with milestones and deadlines to top management.

9. Communication to Stakeholders: Duration: 1 day (Offsite)

   - Distribute top management's ISMS mandate across departments.

Stage 2: Policy Development and Risk Management

10. Authoring Policies and SOPs: Duration: 30 days (Offsite)

    - Review and redraft all required policies and standard operating procedures.

11. Asset Management: Duration: 2 days (Offsite)

    - Maintain an ISO-compliant inventory of assets.

12. Risk Assessment and Risk Treatment Process Drafting: Duration: 2 weeks (Offsite)

    - Define and document the risk management methodology.

13. Departmental Risk Assessment and Treatment: Duration: 2 weeks (Offsite)

    - Conduct risk identification, assessment, and treatment for each department.

14. Risk Treatment Plan with Deadlines: Duration: 7 days

    - Develop and document a risk treatment plan.

15. Communication to Risk Owners: Duration: 1 day (Offsite)

    - Share risk responsibilities and treatment plans with designated owners.

16. Statement of Applicability (SoA): Duration: 2 days

    - Prepare and present the SoA to top management.

17. Management Review Meeting #2: Duration: 1 day

    - Review risk mitigation, acceptance, and treatment plans with top management.

18. Authoring SOPs for Process Security: Duration: 5 days

    - Draft SOPs for key security processes.

19. ISMS Awareness Training: Duration: 4 days

    - Develop a training calendar and conduct cybersecurity awareness sessions.

20. Post-Training Evaluation (Offsite)

    - Evaluate the effectiveness of the training sessions.

21. Implementation of Controls: Duration: 4 days

    - Implement policies and SOPs across the organization.

Stage 3: Internal Audit and Final Review

22. Communication to External Parties: Duration: 1 day (Offsite)

    - Engage vendors and suppliers to align their controls with ISMS requirements.

23. Internal Audit Execution: Duration: 7 days (Onsite)

    - Develop an audit plan and conduct internal audits.

24. Audit Reporting: Duration: 1 day (Onsite)

    - Prepare and submit audit reports.

25. Corrective Action Plan (CAP): Duration: 1 man-day (Onsite)

    - Document and assign corrective actions with deadlines.

26. Management Review Meeting #3: Duration: 1 day (Onsite)

    - Present audit findings and CAP to top management for final review.

27. Performance Evaluation and Continuous Improvement: Duration: 5 days (Remote)

    - Evaluate ISMS performance and define a continuous improvement plan.

Stage 4: External Certification Support

28. External Audit Handholding: Duration: 5 days (Onsite)

    - Provide support during the external certification audit conducted by the certification body.