Connect with Us

ISMS Program Development

An Information Security Management System (ISMS) is a set of policies concerned with information security management of IT related risks, a concept that arose out of British Standard 7799. The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes, and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

We work with clients to ensure, as with all management processes, that an ISMS is developed that remains effective and efficient in the long term, adapting to changes in the internal organization and external environment. The ISMS designed, built, and operationalized for the client is built according to the ISO/IEC 27001 standard using a Plan, Do, Check, Act (PDCA) model or the Six Sigma DMAIC (Define, Measure, Analyze, Improve, and Control).


Deconstructing the different risk assessment models that can be used in performing IT risk assessments.


Understanding how to create and manage an ISO 27001 Asset Register, what goes in it, and why.


The fact is, information security is a management issue, not purely technical. Our clients should expect to devote approximately 1/3 of their time addressing technical aspects of the ISMS and the remaining 2/3 spent developing policies and procedures, performing security reviews and analyzing risk, addressing contingency planning and promoting security awareness.

In summary:

  • Security depends on people more than technology;
  • Employees are a far greater threat to information security than external threat sources;
  • Security is like a chain, it is only as strong as the weakest link;
  • The degree of security depends on three factors: the risk you are willing to take, the functionality of the system, and the costs you are prepared to pay; and
  • Security is not a status or snapshot in time, it’s a continuous process.

ISO/IEC 27001 is an internationally recognized best practice framework for an information security management system. It helps our clients identify the risks to their important information and puts in place the appropriate controls to help reduce the risk to an acceptable level to the business.

The benefits of an ISMS in place in our clients organization’s include:

  • Identification of risks that put controls in place to manage or reduce them;
  • Flexibility to adapt controls to all or selected areas of their business;
  • Gain stakeholder and customer trust that their data is protected;
  • Comply with relevant laws and regulations, such as PCI and HIPAA;
  • Demonstrate compliance and gain status as a preferred supplier;
  • Protects an organization’s reputation;
  • Cost savings in reduction in IT related incidents;
  • Demonstrates credibility and trust; and
  • Improved information security awareness at all levels of the organization.



Our certified ISO 27001 Lead Auditors design, build, test, and implement ISO 27001 compliant ISMS programs for our clients that results in:

  • Creation of all required policies and documentation of the organization’s ISMS;
  • Creation of the Statement of Applicability (SOA);
  • Creation of internal audit and risk assessment procedures;
  • Execution of an Internal Audit of the organization’s ISMS and documentation of Corrective Action Reports;
  • Execution of a formal risk assessment of the organization’s ISMS and documentation of Corrective Action Reports and Risk Treatment Plans; and
  • Creation of the management summary of internal audits.

Brier & Thorn’s Risk, Audit, and Compliance (RAC) practice are BSI Certified ISO 27001 Lead Auditors who have developed and operationalized a fast-track method for building, implementing, and operating an Information Security Management System (ISMS) for its clients. The ISMS Program Development service is managed by our Program Management Office who will assign a PMO to our client for the duration of the project. The project will be divided into phases according to best practices for project management combining the PMBOK (Project Management Body of Knowledge), Six Sigma, and PRINCE 2 methodologies defined below in the following stages:


Brier & Thorn’s advisors will work with our client and ISMS stakeholders who have already been identified to establish and start the project. In this phase, we will develop a project plan, work breakdown structure (WBS), project schedule, project initiation documents, and put actions in place to secure key resources. The outputs to this phase include a list of ISMS parties and legal, regulatory, and contractual requirements of our client.


In this phase, we start the work involved with creating the ISMS deliverables, which includes using the project strategy, business case, and initiation documentation as the start point. The team will then work with stakeholders to develop the designs of the project deliverables. Templates are designed of the ISMS framework, ISMS policy, and ISMS procedure documents.

Development and Testing

With all of the planning and designing complete, our advisors will then begin to develop the actual ISMS framework and ancillary documents. In this phase, the asset register will be developed along with the risk assessment, risk treatment, and internal audit activities. The deliverables in this phase include the policies, procedures, risk acceptance, and risk treatment plans and reports, as well as an acceptance of all residual risks to the business.

Client Results

We share our clients’ ambitions working to understand their reality and deliver true results – focusing on strategic decisions and practical actions. We align our incentives with our clients’ objectives so they know we’re in this together as a closely-held partnership.

Badger Meter secures smart meter SaaS platform with help from Brier & Thorn in development of new ISMS, ISO 27001 certification, and SOC 2 Type 1 attestation

Badger Meter strengthens IT security by retaining Brier & Thorn to build new ISMS, later receiving ISO 27001 certification and SOC 2 attestation.

Nationwide debt collection and cashflow management company meets PCI compliance and builds consumer confidence through new ISMS

In its recent divestiture from Expert Global Systems, Transworld Systems Inc retains Brier & Thorn to build new ISMS, create new cardholder data environment, and perform threat management services to help the company demonstrate PCI-DSS 3.1 compliance as well as move towards ISO 27001 certification and SOC 2 compliance.