ISO 27001


1. 4.2 Establishing and managing the ISMS

1.1. 4.2.1 Establish the ISMS

1.1.1. a) Define the scope and boundaries of the ISMS

1.1.2. b) Define an ISMS policy

1.1.2.1. 1) includes a framework for setting objectives, direction and principles

1.1.2.2. 2) takes into account business and legal or regulatory requirements, and contractual security obligations

1.1.2.3. 3) aligns with the organization

1.1.2.4. 4) establishes criteria against which risk will be evaluated

1.1.2.5. 5) has been approved by management

1.1.3. c) Define the risk assessment approach of the organization

1.1.3.1. 1) Identify a risk assessment methodology

1.1.3.2. 2) Develop criteria for accepting risks and identify the acceptable levels of risk.

1.1.4. d) Identify the risks

1.1.4.1. 1) Identify the assets and owners

1.1.4.2. 2) Identify the threats to those assets

1.1.4.3. 3) Identify the vulnerabilities that might be exploited by the threats.

1.1.4.4. 4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.

1.1.5. e) Analyze and evaluate the risks.

1.1.5.1. 1) Assess the potential business impacts

1.1.5.2. 2) Assess the realistic likelihood of security failures occurring

1.1.5.3. 3) Estimate the levels of risks

1.1.5.4. 4) Determine whether the risks are acceptable or require treatment

1.1.6. f) Identify and evaluate options for the treatment of risks.

1.1.6.1. 1) applying appropriate controls

1.1.6.2. 2) knowingly and objectively accepting risks

1.1.6.3. 3) avoiding risks

1.1.6.4. 4) transferring the associated business risks to other parties

1.1.7. g) Select control objectives and controls for the treatment of risks.

1.1.8. h) Obtain management approval of the proposed residual risks.

1.1.9. i) Obtain management authorization to implement and operate the ISMS

1.1.10. j) Prepare a Statement of Applicability. Includes:

1.1.10.1. 1) the control objectives and controls

1.1.10.2. 2) the control objectives and controls currently implemented

1.1.10.3. 3) the exclusion of any control objectives and controls in Annex A

1.2. 4.2.2 Implement and operate the ISMS

1.2.1. a) Formulate a risk treatment plan

1.2.2. b) Implement the risk treatment plan

1.2.3. c) Implement controls to meet the control objectives

1.2.4. d) Define how to measure the effectiveness

1.2.5. e) Implement training and awareness programs

1.2.6. f) Manage operation of the ISMS

1.2.7. g) Manage resources for the ISMS

1.2.8. h) Implement procedures and other controls

1.3. 4.2.3 Monitor and review the ISMS

1.3.1. a) Execute monitoring and reviewing procedures and other controls to:

1.3.1.1. 1) promptly detect errors in the results of processing

1.3.1.2. 2) promptly identify attempted and successful security breaches and incidents

1.3.1.3. 3) enable management to determine whether the security activities are performing as expected

1.3.1.4. 4) help detect security events

1.3.1.5. 5) determine whether the actions taken to resolve a breach of security were effective

1.3.2. b) Undertake regular reviews of the effectiveness of the ISMS

1.3.3. c) Measure the effectiveness of controls to verify that security requirements have been met.

1.3.4. d) Review risk assessments at planned intervals and review the residual risks and the identified acceptable levels of risks, taking into account changes to:

1.3.4.1. 1) the organization

1.3.4.2. 2) technology

1.3.4.3. 3) business objectives and processes

1.3.4.4. 4) identified threats

1.3.4.5. 5) effectiveness of the implemented controls

1.3.4.6. 6) external events, such as changes to the legal or regulatory environment, changed contractual obligations, and changes in social climate.

1.3.5. e) Conduct internal ISMS audits at planned intervals.

1.3.6. f) Undertake a management review of the ISMS

1.3.7. g) Update security plans to take into account the findings of monitoring and reviewing activities.

1.3.8. h) Record actions and events that could have an impact on the effectiveness or performance of the ISMS

1.4. 4.2.4 Maintain and improve the ISMS

1.4.1. a) Implement the identified improvements in the ISMS.

1.4.2. b) Take appropriate corrective and preventive actions in accordance with 8.2 and 8.3. Apply the lessons learnt from the security experiences of other organizations and those of the organization itself.

1.4.3. c) Communicate the actions and improvements to all interested parties with a level of detail appropriate to the circumstances and, as relevant, agree on how to proceed.

1.4.4. d) Ensure that the improvements achieve their intended objectives.

2. 5 Management responsibility

2.1. 5.1 Management commitment

2.1.1. a) establishing an ISMS policy

2.1.2. b) ensuring that ISMS objectives and plans are established

2.1.3. c) establishing roles and responsibilities for information security

2.1.4. d) communicating to the organization

2.1.5. e) providing sufficient resources

2.1.6. f) deciding the criteria for accepting risks and the acceptable levels of risk

2.1.7. g) ensuring that internal ISMS audits are conducted; and

2.1.8. h) conducting management reviews of the ISMS.

3. 6 Internal ISMS audits

3.1. a) conform to the requirements of this International Standard and relevant legislation or regulations

3.2. b) conform to the identified information security requirements

3.3. c) are effectively implemented and maintained; and

3.4. d) perform as expected.

4. 4.3 Documentation requirements

4.1. 4.3.1 General

4.1.1. a) documented statements of the ISMS policy and objectives

4.1.2. b) the scope of the ISMS

4.1.3. c) procedures and controls in support of the ISMS

4.1.4. d) description of the risk assessment methodology

4.1.5. e) the risk assessment report

4.1.6. f) the risk treatment plan

4.1.7. g) documented procedures

4.1.8. h) records required by this International Standard

4.1.9. i) the Statement of Applicability.

4.2. 4.3.2 Control of documents

4.2.1. a) approve documents for adequacy prior to issue

4.2.2. b) review and update documents as necessary and re-approve documents

4.2.3. c) ensure that changes and the current revision status of documents are identified

4.2.4. d) ensure that relevant versions of applicable documents are available at points of use

4.2.5. e) ensure that documents remain legible and readily identifiable

4.2.6. f) ensure that documents are available to those who need them, and are transferred, stored and ultimately disposed of in accordance with the procedures applicable to their classification

4.2.7. g) ensure that documents of external origin are identified

4.2.8. h) ensure that the distribution of documents is controlled

4.2.9. i) prevent the unintended use of obsolete documents; and

4.2.10. j) apply suitable identification to them if they are retained for any purpose

4.3. 4.3.3 Control of records

5. 5.2 Resource management

5.1. 5.2.1 Provision of resources

5.1.1. a) establish, implement, operate, monitor, review, maintain and improve an ISMS

5.1.2. b) ensure that information security procedures support the business requirements

5.1.3. c) identify and address legal and regulatory requirements and contractual security obligations

5.1.4. d) maintain adequate security by correct application of all implemented controls

5.1.5. e) carry out reviews when necessary, and to react appropriately to the results of these reviews

5.1.6. f) where required, improve the effectiveness of the ISMS.

5.2. 5.2.2 Training, awareness and competence

5.2.1. a) determining the necessary competencies for personnel

5.2.2. b) providing training or taking other actions

5.2.3. c) evaluating the effectiveness of the actions taken

5.2.4. d) maintaining records of education, training, skills, experience and qualifications.

6. 7 Management review of the ISMS

6.1. 7.1 General

6.2. 7.2 Review input

6.2.1. a) results of ISMS audits and reviews

6.2.2. b) feedback from interested parties

6.2.3. c) techniques, products or procedures

6.2.4. d) status of preventive and corrective actions

6.2.5. e) vulnerabilities or threats not adequately addressed in the previous risk assessment

6.2.6. f) results from effectiveness measurements

6.2.7. g) follow-up actions from previous management reviews

6.2.8. h) any changes that could affect the ISMS; and

6.2.9. i) recommendations for improvement.

6.3. 7.3 Review output

6.3.1. a) Improvement of the effectiveness of the ISMS.

6.3.2. b) Update of the risk assessment and risk treatment plan.

6.3.3. c) Modification of procedures and controls, including:

6.3.3.1. 1) business requirements

6.3.3.2. 2) security requirements

6.3.3.3. 3) business processes affecting the existing business requirements

6.3.3.4. 4) regulatory or legal requirements

6.3.3.5. 5) contractual obligations

6.3.3.6. 6) levels of risk and/or criteria for accepting risks.

6.3.4. d) Resource needs.

6.3.5. e) Improvement to how the effectiveness of controls is being measured.

6.4. 8 ISMS improvement

6.4.1. 8.1 Continual improvement

6.4.2. 8.2 Corrective action

6.4.2.1. a) identifying nonconformities

6.4.2.2. b) determining the causes of nonconformities

6.4.2.3. c) evaluating the need for actions to ensure that nonconformities do not recur

6.4.2.4. d) determining and implementing the corrective action needed

6.4.2.5. e) recording results of action taken; and

6.4.2.6. f) reviewing of corrective action taken.