Governance & InfoSec at 6.Three is about building practical management systems for information security, risk, assurance, and change.
The focus is usually ISO 27001, sometimes with SOC 2 readiness alongside it where that is already part of the requirement set. The point is not to create a paper system or force an organisation into somebody else’s template. It is to design and implement an information security management system that fits the organisation, satisfies audit and assurance requirements, and can keep operating as the organisation changes.
ISO 27001 is a management standard, not a technical checklist. Auditors want to see evidence that the organisation has a working ISMS. That means governance, risk assessment, policies and procedures, technical controls, evidence, monitoring, internal audit, external audit coordination, and the practical work of operating and improving the system over time.
ISMS Design & Implementation
ISMS design means understanding an organisation’s context and strategic goals so that the management-system side of information security embeds properly in the organisation.
That typically includes:
- scope definition
- risk assessment
- policy and procedure design
- review of legal, contractual, and governance requirements
- process design across product, delivery, operations, people, and suppliers
- technical control planning and implementation
- evidence and monitoring design
- internal audit preparation
- external audit coordination
The aim is to meet the letter of the standard without bending the organisation out of shape.
Process
Understand
The first step is understanding the organisation, its services, its obligations, and its risks. That includes customers, contracts, systems, operating practices, people, and the strategic reasons the work matters.
Design
The ISMS is then designed to fit the organisation. Scope, risk model, roles, policies, procedures, governance, and control expectations all need to make sense together.
Implement
Implementation turns the design into working practice. That includes policies, procedures, technical controls, evidence capture, training, and the operational changes needed across teams.
Operate
A useful ISMS has to work in the day-to-day life of the organisation. It needs to be used, monitored, maintained, and understood by the people who rely on it.
Audit
Internal audit and external audit are part of the operating model, not an afterthought. Auditors want evidence that the organisation has a functioning management system and that people are using it in practice.
Improve
The ISMS should keep improving as the organisation changes. Findings, incidents, monitoring, and management review should all feed back into the next round of changes.
