Information Security Management System
(ISMS) Manual
ISO/IEC 27001:2022
VERSION 1.0
RELEASE DATE: 06 March 2025
Document Number:
INFOCUS- IT CONSULTING PVT. LTD
1|Page
INTERNAL
DOCUMENT DETAILS
Title:                    ISMS Manual
Version:                  1.0
Classification:           Internal
Release date:             06 March 2025
Description:
Review date:
Author:                   Jagbir Singh
Reviewer/Custodian:
Checked and Approved by:
Owner:
Signature with date:
TABLE OF CONTENTS
INTRODUCTION
1. SCOPE
2. NORMATIVE REFERENCES
3. DEFINITIONS AND TERMS
4. CONTEXT OF THE ORGANISATION
   1. Understanding the organization and its context
   2. Understanding the needs and expectations of interested parties
   3. Determining the scope of the information security management system
   4. Information security management system
5. LEADERSHIP
   a) Leadership and commitment
   b) Policy
   c) Organizational roles, responsibilities and authorities
6. PLANNING
   1. Actions to address risks and opportunities
      (a) General
      (b) Information security risk assessment
      (c) Information security risk treatment
   2. Information security objectives and planning to achieve them
7. SUPPORT
   1. Resources
   2. Competence
   3. Awareness
   4. Communication
   5. Documented information
      a) General
      b) Creating and updating
      c) Control of documented information
8. OPERATION
   1. Operational planning and control
   2. Information security risk assessment
   3. Information security risk treatment
9. PERFORMANCE EVALUATION
   1. Monitoring, measurement, analysis and evaluation
   2. Internal audit
      a) General
      b) Internal audit programme
   3. Management review
      a) General
      b) Management review inputs
      c) Management review results
10. IMPROVEMENT
   1. Continual improvement
   2. Nonconformity and corrective action
INTRODUCTION
This manual describes the Information Security Management System (ISMS) of INFOCUS-IT Consulting
Pvt. Ltd. It explains how we protect our information and keep our systems secure. We follow
ISO/IEC 27001:2022 so that our security measures meet internationally recognised good practice.
1. SCOPE
This manual applies to all of INFOCUS-IT Consulting Pvt. Ltd. It covers every department,
including IT support, software development and customer service, and all systems, data and
processes that support our IT consulting work.
2. NORMATIVE REFERENCES
We follow ISO/IEC 27001:2022 and its normative reference ISO/IEC 27000 (overview and
vocabulary), together with related security guidelines.
3. DEFINITIONS AND TERMS
Asset: Any data, hardware, software or service that has value to the company.
Risk: The likelihood that a threat exploits a vulnerability, combined with the resulting impact on our assets.
Threat: Anything that could harm our information or systems, whether a malicious actor, a failure or an accident.
Vulnerability: A weakness in an asset or control that a threat could exploit.
Control: A measure we put in place to reduce a risk.
4. CONTEXT OF THE ORGANISATION
INFOCUS-IT Consulting Pvt. Ltd. operates in a fast-changing IT environment and serves many
clients through its consulting and support services. We understand our own business needs and
those of our clients, partners and regulators. Our ISMS covers all essential services and
information systems we use.
1. Understanding the organization and its context
The organization shall determine the internal and external issues that are relevant to its
purpose and that affect its ability to achieve the intended outcomes of the ISMS.
External issues: legal and regulatory requirements, industry standards, customer expectations,
and the evolving threat landscape.
Internal issues: the organisation's mission and vision, organizational culture, existing security
policies, IT infrastructure, and resource availability.
2. Understanding the needs and expectations of interested parties
The organization shall determine the interested parties relevant to the ISMS, their relevant
requirements, and which of those requirements will be addressed through the ISMS.
Identify the interested parties (customers, employees, regulators, suppliers, vendors,
employees' families, emergency services, competitors).
Understand their needs and expectations (e.g., compliance with GDPR, secure handling of
customer data, privacy and protection of PII).
3. Determining the scope of the information security management system
The organization shall determine the boundaries and applicability of the ISMS in order to
establish its scope.
Clearly define which systems, processes, locations and business activities are covered by
the ISMS.
4. Information Security Management System
The organization has established, implemented and maintained, and continually improves, an
ISMS in accordance with the requirements of ISO/IEC 27001:2022.
5. LEADERSHIP
Our top management is dedicated to keeping our data secure. They:
Approve and support the Information Security Policy.
Ensure that every team member understands their role.
Provide the resources needed to run a strong ISMS.
a) Leadership and Commitment
Top management must take accountability for the effectiveness of the ISMS.
They must ensure that ISMS requirements are integrated into the organization's business processes.
They must ensure that the information security policy and objectives align with the strategic direction of the business.
They must communicate the importance of effective information security management and of conforming to ISMS requirements.
Adequate resources (people, tools and budget) must be provided.
b) Policy
Top management shall establish an information security policy that is approved, documented and
communicated within the organization, and made available to interested parties as appropriate.
The policy defines our security objectives and the legal, regulatory and contractual requirements we commit to meet.
c) Organizational roles, responsibilities and authorities
Clear information security responsibilities and authorities must be assigned and communicated.
Employees must know their roles in maintaining security (e.g., IT administrators manage
access control, HR ensures background checks).
6. PLANNING
We plan our security activities by:
Risk Assessment: Regularly checking for threats and vulnerabilities.
Risk Treatment: Deciding how to manage each risk (avoid, reduce, transfer, or accept).
Setting Objectives: Creating clear goals to improve our security and align with our
business needs.
1. Actions to address risks and opportunities
(a) General
Opportunities:
Identify improvements that can strengthen our overall security and help the ISMS achieve its intended outcomes.
(b) Information Security Risk Assessment
Risk Identification:
Regularly identify risks by reviewing our systems and processes.
Evaluating Risks:
Rate how likely each risk is and what its impact would be, and compare the result against our risk acceptance criteria.
(c) Information Security Risk Treatment
Planning Actions:
Decide whether to avoid, reduce, transfer or accept each risk, select the controls needed, and record the decision.
2. Information security objectives and planning to achieve them
Setting Objectives:
Create clear and measurable goals (for example, reducing data breach incidents).
Planning:
Outline steps, set deadlines, and assign responsibilities to meet these goals.
7. SUPPORT
To support our ISMS, INFOCUS provides:
The right tools and technology.
Training and skill development for all staff.
A system to manage and update our security documents.
Clear communication channels to share important security updates.
1. Resources
Tools and Technology:
Provide the latest security tools, software, and hardware to protect data.
Personnel:
Ensure enough staff are dedicated to managing security.
2. Competence
Training Programs:
Regular training sessions for all employees to learn about new security threats and proper
practices.
Skill Development:
Encourage certifications and courses in IT security.
3. Awareness
Regular Updates:
Share news and updates on security policies, and why they matter.
Reminders:
Use posters, emails, or short meetings to remind everyone of their role in protecting
information.
4. Communication
Internal Communication: Clear channels like emails, intranet, or meetings to discuss
security matters.
External Communication: Inform clients and partners about our security measures when
needed.
5. Documented information
a) General
The ISMS includes the documented information required by ISO/IEC 27001:2022 and the documents and records we determine necessary for its effectiveness.
Record Keeping: Maintain logs of incidents, training records and audit results.
b) Creating and updating
Each document carries a title, version, release date, author, reviewer and approver (see Document Details).
c) Control of documented Information
Document Control: Ensure all documents are current, protected from unauthorised change, and
accessible to the right people.
8. OPERATION
Every day, we follow set procedures to keep our systems secure. This includes:
Implementing Controls: Using technical and physical measures to protect data.
Change Management: Making sure any system changes do not harm security.
Incident Management: Reporting and fixing any security issues quickly.
Business Continuity: Ensuring operations continue even during unexpected events.
1. Operational Planning and Control
Process Documentation:
Write down detailed procedures for everyday tasks.
Monitoring:
Regularly check that procedures are followed correctly.
2. Information Security Risk Assessment
Regular Reviews:
Continuously assess risks by reviewing new threats or changes in the business
environment.
Tools and Methods:
Use simple checklists and risk matrices to evaluate the risks.
3. Information Security Risk Treatment
Implementing Controls:
Based on the risk assessment, put in place the necessary controls (such as firewalls,
encryption and access control).
Tracking Effectiveness:
Check whether these controls work as intended and adjust them if needed.
9. PERFORMANCE EVALUATION
We check how well our ISMS works by:
Regular internal audits and reviews.
Using simple tools to measure our security performance.
Holding management meetings to discuss improvements.
1. Monitoring, Measurement, Analysis and Evaluation
Key Performance Indicators (KPIs):
Define measures such as the number of incidents or time to resolve issues.
Data Collection:
Regularly gather and review data to see if our security measures are working.
2. Internal audit
a) General
b) Internal Audit Programme
Audit Program:
Schedule periodic audits to check that the ISMS conforms to our own requirements and to
ISO/IEC 27001:2022, and that it is effectively implemented and maintained.
Audit Reports:
Prepare detailed reports on what is working well and what needs improvement, and share them with the relevant management.
3. Management Review
a) General
b) Management review inputs
c) Management review results
Review Meetings:
Hold regular meetings where top management reviews audit results and overall
performance.
Decisions and Actions:
Use these meetings to decide on changes or improvements to the ISMS.
10. IMPROVEMENT
INFOCUS is always looking for ways to do better. When problems occur:
We take corrective actions right away.
We learn from each incident and update our methods.
Our ISMS is regularly reviewed to keep it strong and up to date.
1. Continual improvement
Use audits, incident reports, and employee feedback to identify areas for improvement.
Adjust policies and controls based on new threats, changes in business, or technological
advances.
2. Nonconformity and corrective actions
Identifying Issues:
When a problem or gap is found, record it clearly.
Corrective Actions:
Develop and implement steps to fix issues, and follow up to ensure they are resolved.
Documentation:
Keep records of all actions taken and lessons learned.