Preparing the first cycle

The following are determined with management:

  • The goals of the ISMS

  • The qualification of risk impact (high/medium/low) in terms of finances, reputational damage, and/or continuity

  • The qualification of risk probability (high/medium/low) in terms of time/frequency

  • The risk acceptance level

  • The Teams (i.e., participants in the workshops) and Team Captains

  • The length of a cycle/iteration (typically between 3 months and a year)

  • Incident registration is set up (needed for discussing incidents in the 3rd workshop)

The Workshop Facilitator gathers information about the organization’s context and the different teams, ensuring they have sufficient knowledge to achieve good results from the workshops.

Relevant topics may include:

  • Applicable laws and regulations

  • Implemented quality standards and compliance frameworks

  • Organizational structure

  • Primary processes

  • Management processes

  • Software and service providers in use

  • Ongoing and planned changes and projects

  • Existing security and privacy measures