Part 4 Context asks you to understand your organization and its context before
you establish its information security management system (ISMS). It asks you
to identify the issues that are relevant to your organization's purpose and to
consider the influence these issues could have on its ability to achieve the
outcomes and objectives that its ISMS needs to achieve.

This means that you need to understand your organization's approach
to governance, its capabilities, its culture, its contracts, its stakeholders, its
interested parties, its environmental conditions, and its legal obligations before
you develop its ISMS. Why? Because your ISMS will need to be able to cope with
all of these influences. Once you’ve considered all of this, you're ready to define
the scope of your ISMS and to begin its development.

Part 5 Leadership expects your organization's top management to provide
leadership for the ISMS by showing they support it, by making sure that people
understand how important information security actually is, by assigning
responsibility for it, and by establishing an information security policy.

Part 6 Planning asks you to identify the risks and opportunities that could
influence the effectiveness of your organization's ISMS or disrupt its operation
and then to figure out what you need to do to address these risks and opportunities.

It also asks you to assess your organization’s information security risks, to select
risk treatment options, to choose the information security controls that are needed
to implement these options, and to formulate a risk treatment plan.

Finally, it asks you to establish information security objectives at all relevant
levels and for all relevant functions within your organization and to develop
plans to achieve these objectives.

Part 8 Operation asks you to establish the processes that your organization
needs in order to meet its information security requirements, to carry out
the actions needed to address its information security risks and opportunities,
and to implement the plans needed to achieve its information security objectives.

Part 8 also asks you to perform regular information security risk assessments,
to prioritize your risks, and to maintain a record of risk assessment results. And,
finally, it asks you to implement your information security risk treatment plans
and to maintain a record of your risk treatment results.

Part 10 Improvement asks you to identify nonconformities, to take appropriate
corrective actions, and to enhance the suitability, adequacy, and effectiveness
of your organization's ISMS.