PLAN—This phase will analyze the company’s activity environment. The information processed by it, the established corporate policies and the legal requirements applicable to each company. During this stage the company will have to design a formal procedure for the continuous identification and assessment of risks and the selection of control objectives, as well as the controls that allow it to manage these risks. IMPLEMENT (Do): At this stage, the focus will need to be on the development and implementation of an effective medium- and long-term plan that avoids or attenuates potential information security risks. In this phase, the training and information of the company’s staff will also be initiated, so as to ensure the correct implementation of the SGSI. REVIEW:The implementation of the SGSI requires monitoring and review of the controls and measures implemented. It is therefore essential to carry out both internal and external audits that review the effectiveness and efficiency of the SGSI, and identify the possible threats, vulnerabilities and risks of the system. ACT—The implementation of an SGSI requires the constant action, maintain and improvement of the SGSI. When the SGSI check detects threats, vulnerabilities and risks, appropriate corrective and preventive measures are necessary to ensure the security and protection of company information at all times. The phases of the project for the implementation and subsequent certification of its SGSI are: Scope Delimitation. Analysis and Risk Management. Declaration of Applicability. Policies and Procedures. Security Director Plan. Business Continuity Plan. Training Plan. Incident Management. Development of the SGSI. Internal Audit. Certification by accredited entity (if applicable). Our function is to prepare your company to implement the system. Once the system is achieved in your company it is your decision whether it is certified or not. This work requires specialists with extensive organizational knowledge, information systems management and current information security technology. Without a doubt, to obtain the certification, the most economical, practical and fast option is to hire a specialized consultancy to carry out this preparation.