• Define ISMS scope – which businesses, business units, departments and/or systems will be covered by your Information Security Management System? (A narrower scope, e.g. a single business unit, is permissible, but the scope boundary and its interfaces with out-of-scope parts of the organization must be documented.)
• Inventory your information assets – the inventory of information systems, networks, databases, data items, documents etc. will be used in various ways, e.g. to confirm that the ISMS scope is appropriate and to identify business-critical and other especially valuable or vulnerable assets (more below).
• Conduct an information security risk assessment – ideally using a recognized formal method, although a custom process may be acceptable if it is applied methodically and repeatably. There is more advice below.
• (a) Prepare a Statement of Applicability – according to ISO/IEC 27000, the SoA is a “documented statement describing the control objectives and controls that are relevant and applicable to the organization’s ISMS”. Which of the control objectives and controls from ISO/IEC 27002 are applicable to your ISMS, and which are irrelevant, not appropriate or otherwise not required? Document these management decisions, with the justification for each inclusion and exclusion, in your SoA; and in parallel …
• (b) Prepare a Risk Treatment Plan – ISO/IEC 27000 describes the information secur