...

When looking at security management, ISO 27001 comes into view. This standard describes all the aspects of security management that need to be in place when an organization wants to be certified for information security management. Although the standard covers all aspects of security management and therefore provides good guidance, it is not a comfortable standard to follow when implementing quality management processes: you would rather integrate quality management closely into your working processes, both operational and managerial. The schematic below illustrates how this can be done in a way that is both complete in terms of the ISO standard and recognizable in day-to-day operations. The upper part of the schematic (blue blobs) specifies the company-wide processes. In some organizations the responsibility for the information security of products and services is distributed to product teams, departments or business lines; that is illustrated in the lower part (light yellow blobs) of the schematic. If you use a centralised approach to information security, you only have to look at the upper part of the schematic. The chapters of ISO 27001 are mapped onto this schematic with the dark yellow/orange blobs.

[Figure: ISMS model with ISO 27001 mapping (attachments: ISMSM model mapping ISO.tiff, ISMS model SURFnet.tiff)]

(Note: this schematic will be replaced by a more generic one.)

Each item in this schematic is detailed on a separate page. Details of the mapping onto ISO 27001 can also be added on those pages.

  • Information security Policy
  • Risk Analysis
  • Controls
    • Organization wide controls
    • Baseline
  • Annual Planning
  • Operate: Implementation of controls
  • Performance evaluation: audits and benchmarks

Meeting notes

The minutes of the SIG-ISM WG2 meetings are confidential: viewing is restricted to members of the SIG-ISM mailing list.

...