It was advised that we need to implement a QMS, identifying and documenting all the processes, as this is the best approach. I am actually not quite comfortable with this, since it will increase the workload (and thus require additional resources).
I am still thinking that implementing the ISMS without a QMS is possible (and is a better approach) and that it does not require additional workload. Besides, many organizations have done ISMS without QMS.
Note: The end goal is to have the system (operations & maintenance) ISMS certified after 2 years in operation.
There is no rush to have it ISMS certified during the development stage.
Question – Thus, I am thinking of doing these steps first, even before doing the rest of the ISMS activities:
1 - I want to focus on the system requirements – the security requirements to design the system to be delivered to the customers. The main input for the security requirements will be from the risk assessment.
2 - Establish the context of the risk assessment.
3 - Conduct the risk assessments, risk evaluation & risk analysis – and thus the risk treatments.
4 - Identify all the relevant controls based on ISO 27001 Annex A/ISO 27002.
5 - Implement all the security measures and controls in the system design.
6 - Write all the necessary security policies, procedures and guidelines in relation to the system.
7 - Build the system (based on the security requirements), test (UAT, FAT) and deliver.
While doing all the activities above, the other ISMS compliance requirements will gradually be implemented and completed, as we have enough time to get it certified after it has been delivered.