
How to draft a Management System Guide (MSG)

A Management System Guide (MSG) is the top-level document that describes the structure and governance of an organisation's information security management system (ISMS): what the system covers, who is accountable for it, and how its policies, risk processes, controls and reviews fit together. A well-drafted MSG is central to demonstrating compliance with ISO 27001 and gives the organisation a single reference point for managing information security risk. Here is a step-by-step guide to writing an effective MSG.

Step 1: Understand the Requirements of ISO 27001

Before beginning to write the MSG, it is crucial to fully understand the requirements set by ISO 27001. Familiarise yourself with the mandatory clauses of the standard (clauses 4 to 10, covering context, leadership, planning, support, operation, performance evaluation and improvement), the Annex A reference controls, the documented-information requirements in clause 7.5, and any legal, regulatory or contractual obligations relevant to your organisation.

Step 2: Define the Scope of the MSG

The scope is the foundation of your MSG. Clearly define what the ISMS will cover: which departments, locations, processes, systems and data are in scope, and the boundaries and interfaces with anything left outside it. Where areas are excluded, state the justification, since auditors will test whether an exclusion leaves in-scope information unprotected. An accurately defined scope lets you target your information security efforts effectively.

Step 3: Document Information Security Policies and Objectives

Detail the core information security policies that govern your organisation. These should align with your business objectives and address the specific risks identified during your risk assessment. Additionally, articulate clear information security objectives; these should be measurable and aligned with the overall goals of your organisation.

Step 4: Describe Risk Assessment and Risk Treatment Processes

Provide a detailed description of the risk assessment methodology used by your organisation to identify, analyse and evaluate risks, including the risk acceptance criteria and how the method produces consistent, comparable results when repeated. Follow this by explaining the risk treatment process, detailing how identified risks are mitigated, accepted, transferred or avoided, how the resulting risk treatment plan is recorded, and who approves residual risk.

Step 5: Outline the Security Control Framework

Based on the risk assessment outcomes, describe the security controls that have been selected and implemented, and link each control back to the risk it is intended to treat. This section should be consistent with the Statement of Applicability, which lists every control considered, whether it is implemented, the justification for including it and the justification for excluding any Annex A control that was not selected.

Step 6: Assign Roles and Responsibilities

Clearly define the roles and responsibilities related to the MSG. This includes specifying who is responsible for the MSG's implementation, maintenance, and review. Ensuring clear accountability is crucial for effective information security governance.

Step 7: Establish Procedures for Monitoring and Review

Explain how the effectiveness of the MSG and the ISMS will be monitored and reviewed. Include what will be measured and how, when internal audits will be conducted and by whom (auditors should be independent of the area they audit), how results will be reported and addressed, and how management review will be carried out and its decisions recorded.

Step 8: Develop Maintenance and Improvement Processes

Your MSG should not only detail current practices but also outline how the document itself is maintained. Describe how the MSG will be kept up to date with organisational changes, technological advancements and evolving external threats, how nonconformities found in audits or incidents lead to corrective action, and how version control and review dates are tracked.

Step 9: Review and Approve the Guide

Once drafted, the MSG should be reviewed by key stakeholders for accuracy and completeness. After review, it should be formally approved by top management to demonstrate their commitment to information security.

Writing an MSG is a rigorous process that requires detailed knowledge of your organisation's risk environment and security practices. By following these steps, you can ensure that your MSG is not only compliant with ISO 27001 but also effectively supports your organisation's information security strategy.