4.1 STUDY GENERAL ISMS REQUIREMENTS
- Develop your information security management system.
- Implement your information security management system.
- Monitor your information security management system.
- Maintain your information security management system.
4.2 DEVELOP YOUR ORGANIZATION’S ISMS
4.2.1 DEFINE AND PLAN YOUR SYSTEM
- Define the scope and boundaries of your ISMS.
- Define your organization’s ISMS policy.
- Define your approach to risk assessment.
- Identify your organization’s security risks.
- Analyze and evaluate your organization’s security risks.
- Identify and evaluate risk treatment options and actions.
- Select control objectives and controls to treat risks.
- Make sure that management approves residual risks (those that are left over after you’ve implemented all of your risk treatment decisions).
- Get authorization from management before you implement and operate your organization’s ISMS.
- Prepare a Statement of Applicability that lists your organization’s specific control objectives and controls.
4.2.2 IMPLEMENT AND OPERATE YOUR ISMS
- Develop a risk treatment plan to manage your organization’s information security risks.
- Implement your organization’s risk treatment plan.
- Implement your organization’s security controls.
- Implement your organization’s educational programs.
- Manage and operate your organization’s ISMS.
- Manage your organization’s ISMS resources.
- Implement your organization’s security procedures.
4.2.3 MONITOR AND REVIEW YOUR ISMS
- Use procedures and controls to monitor your ISMS.
- Use procedures and controls to review your ISMS.
- Perform regular reviews of your ISMS.
- Verify that your security requirements are being met.
- Review your risk assessments on a regular basis.
- Review your residual risks on a regular basis.
- Review acceptable levels of risk on a regular basis.
- Perform regular internal audits of your ISMS.
- Perform regular management reviews of your ISMS.
- Update your information security plans.
- Maintain a record of ISMS events and actions.
4.2.4 MAINTAIN AND IMPROVE YOUR ISMS
- Implement your ISMS improvements.
- Take appropriate corrective actions.
- Take appropriate preventive actions.
- Apply the security lessons that you have learned.
- Communicate ISMS changes to all interested parties.
- Make sure that your organization’s ISMS changes achieve the intended objectives.
4.3 DOCUMENT YOUR ORGANIZATION’S ISMS
4.3.1 DEVELOP ISMS DOCUMENTS AND RECORDS
4.3.2 CONTROL YOUR ISMS DOCUMENTS
4.3.3 CONTROL YOUR ISMS RECORDS
5.1 SHOW THAT YOU SUPPORT YOUR ISMS
- Demonstrate that your management supports the establishment of an ISMS.
- Demonstrate that your management supports the implementation of an ISMS.
- Demonstrate that your management supports the operation of your ISMS.
- Demonstrate that your management supports the monitoring of your ISMS.
- Demonstrate that your management supports the review of your ISMS.
- Demonstrate that your management supports the maintenance of your ISMS.
- Demonstrate that your management supports the improvement of your ISMS.
5.2 MANAGE YOUR ISMS RESOURCES
5.2.1 PROVIDE RESOURCES FOR YOUR ISMS
- Identify your organization’s ISMS resource needs.
- Provide the resources that your ISMS needs.
- Identify the resources that will be needed in order to ensure that your organization’s information security procedures support its business requirements.
- Identify the resources needed to meet your organization’s legal security requirements.
- Identify the resources needed to meet your organization’s regulatory security requirements.
- Identify the resources needed to meet your organization’s contractual security obligations.
- Identify the resources needed to ensure that all implemented security controls are correctly applied.
- Identify the resources needed to ensure that ISMS management reviews are routinely carried out.
- Identify the resources needed to ensure that you will be able to react appropriately to the results of your ISMS management reviews.
- Identify the resources needed to ensure that you will be able to improve the effectiveness of your ISMS when required to do so.
5.2.2 ENSURE THAT ISMS PERSONNEL ARE COMPETENT
- Ensure that all ISMS personnel are competent and can perform the tasks that are assigned to them.
- Evaluate the effectiveness of your organization’s ISMS personnel training and employment activities.
- Maintain records that document the competence of personnel performing work that affects your ISMS.
- Make your personnel aware of how important their information security activities are.
ESTABLISH AN INTERNAL AUDIT PROCEDURE
PLAN YOUR INTERNAL AUDITS
CONDUCT INTERNAL AUDITS
TAKE REMEDIAL ACTION
7.1 PERFORM MANAGEMENT REVIEWS
- Carry out management reviews of your ISMS.
- Examine the performance of your ISMS.
- Examine the ongoing suitability of your ISMS.
- Examine the ongoing adequacy of your ISMS.
- Examine the ongoing effectiveness of your ISMS.
- Assess whether or not your organization’s ISMS should be changed or improved.
- Keep a record of your ISMS management reviews.
7.2 EXAMINE MANAGEMENT REVIEW INPUTS
7.3 GENERATE MANAGEMENT REVIEW OUTPUTS
8.1 CONTINUALLY IMPROVE YOUR ISMS
8.2 CORRECT ACTUAL ISMS NONCONFORMITIES
- Establish a corrective action procedure to prevent the recurrence of actual nonconformities.
- Make sure that your corrective action procedure expects you to identify actual nonconformities.
- Make sure that your corrective action procedure expects you to identify causes of nonconformities.
- Make sure that your procedure expects you to evaluate whether you need to take action.
- Make sure that your procedure expects you to develop corrective actions when they are needed.
- Make sure that your procedure expects you to prevent the recurrence of actual nonconformities.
- Make sure that your corrective action procedure expects you to eliminate the causes of your organization’s nonconformities.
- Make sure that your procedure expects you to record the results of any corrective actions taken.
- Make sure that your procedure expects you to review the results of any corrective actions taken.
- Document your corrective action procedure.
- Implement your corrective action procedure.
- Use your organization’s corrective action procedure to identify nonconformities.
- Use your organization’s corrective action procedure to identify causes.
- Use your procedure to evaluate whether or not you need to take corrective action.
- Use your procedure to develop corrective actions whenever corrective actions are actually needed.
- Use your procedure to take corrective actions.
- Use your procedure to prevent the recurrence of actual nonconformities.
- Use your procedure to eliminate the causes of actual nonconformities.
- Use your procedure to record the results of any corrective actions taken.
- Use your procedure to review the corrective actions that have been taken.
- Maintain your corrective action procedure.
8.3 PREVENT POTENTIAL ISMS NONCONFORMITIES
- Establish a preventive action procedure to prevent the occurrence of potential nonconformities.
- Make sure that your preventive action procedure expects you to identify potential nonconformities.
- Make sure that your procedure expects you to identify the causes of potential nonconformities.
- Make sure that your procedure expects you to evaluate whether or not your organization needs to take preventive action.
- Make sure that your procedure expects you to develop preventive actions when they are needed.
- Make sure that your procedure expects you to prevent the occurrence of potential nonconformities.
- Make sure that your procedure expects you to eliminate the causes of potential nonconformities.
- Make sure that your procedure expects you to record the results of any preventive actions taken.
- Make sure that your procedure expects you to review the results of any preventive actions taken.
- Document your preventive action procedure.
- Implement your preventive action procedure.
- Use your organization’s preventive action procedure to identify potential nonconformities.
- Use your preventive action procedure to identify the causes of potential nonconformities.
- Use your preventive action procedure to evaluate whether or not you need to take preventive action.
- Use your preventive action procedure to develop preventive actions whenever they are needed.
- Use your procedure to take preventive actions.
- Use your preventive action procedure to prevent the occurrence of potential nonconformities.
- Use your preventive action procedure to eliminate the causes of potential nonconformities.
- Use your preventive action procedure to record the results of any preventive actions taken.
- Use your preventive action procedure to review the preventive actions that have been taken.
- Maintain your preventive action procedure.