67766
Security Mgt, ISO
27001, PDCA
- plan
- establish ISMS
- define policy
- includes framework for setting objectives
- takes into account requirements
- business
- regulatory
- contractual
- legal
- business
- aligns with strategic risk mgt context
- establishes risk evaluation criteria
- approved by management
- includes framework for setting objectives
- define scope
and boundaries
based on
- business characteristics
- location
- assets and technology
- business characteristics
- define risk assessment approach
- define suitable methodology
- define criteria for accepting risks
- define acceptable risk levels
- define suitable methodology
- identify risks
- 1. identify assets & owners
- 2. identify threats
- 3. identify vulnerabilities
- 4. identify impacts of loss
of confidentiality, integrity,
availability on asses
- 1. identify assets & owners
- analyze & evaluate risks
- asess business impacts on
organization from security failures
- assess likelihood with respect to
currently implemented controls
- estimate the levels of risks
- determine if risks are acceptable
using criteria for accepting risk
- asess business impacts on
organization from security failures
- identify options for risk treatment
- controls
- accept
- avoid
- transfer
- controls
- select controls
- obtain management approval of residual risk
- prepare statement
of applicability
- documents control objectives, selected controls and reasoning
- currently implemented control objectives and controls
- any excluded ccontrol objectives and justification
- documents control objectives, selected controls and reasoning
- define policy
- establish ISMS
- do
- implement and operate the ISMS
- implement
- policy
- controls
- processes
- procedures
- policy
- formulate risk treatment plan which
identifies for risk management
- management action
- resources
- responsibilities
- priorities
- management action
- implement selected controls
- define how to measure and assess effectiveness
- implement training and awareness programmes
- manage ISMS operation
- manage ISMS resources
- implment procedures and controls capable of prompt
detection of & response to security events
- implement
- implement and operate the ISMS
- check
- monitor and review the ISMS
- execute monitoring &
reviewing procedures to
- detect erros in processing results
- promptly identify security breaches
- enable management security activites
are performing as expected
- activities
assigned to people
- activities
implemented in IT
- activities
assigned to people
- help detect and prevent security incidents by use of indicators
- determine whether actions to resolve a breach were effective
- detect erros in processing results
- undertake regular reviews
of effectiveness
- see results of
security audits
- incident logs
- results from effectiveness
measurements
- suggestions and feedback
from stakeholders
- see results of
security audits
- measure
effectivness of
controls that
verify security
requirements
have been met
- Review risk
assessment at
regular
intervals, taking
in account
changes to
- the organization
- technology
- business objectives and processes
- identified threats
- effectiveness of implemented controls
- external evants such as regulatory changes
- the organization
- conduct internal audit
- undertake regular management review of ISMS
- update security plans based on monitoring and review
- record actions and events that could have an
impact on the effectiveness of the ISMS
- execute monitoring &
reviewing procedures to
- monitor and review the ISMS
- act
- maintain and improve the ISMS
- implement identified improvements
- take appropriate corrective and preventative actions
- apply lessons learned from internal and external organizations
- communicate actions and improvements to all interested parties
- ensure improvements achieve their intended objectives
- implement identified improvements
- maintain and improve the ISMS
Want to create your own Mind Maps for free with GoConqr? Learn more.