
...

This section discusses what needs to be in place before starting an implementation of an ISMS.

4. Context of the organisation

4.1 Understanding the organization and its context

Determine the external and internal issues that are relevant to the intended outcome of the ISMS.

4.2 Understanding the needs and expectations of interested parties

Determine which interested parties are relevant to the ISMS and what their requirements are.

4.3 Determining the scope of the ISMS

The boundaries and applicability of the ISMS will determine the scope of the ISMS. The scope shall be available as documented information.

4.4 ISMS - Information Security Management System

The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.

5. Leadership

5.1 Leadership and commitment

Top management shall commit to the ISMS by:

a) ensuring that the information security policy is established;
b) ensuring the integration of the ISMS requirements into the organization's processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the ISMS requirements;
e) ensuring that the ISMS achieves its goals;
f) directing and supporting persons to contribute to the effectiveness of the ISMS;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

5.2 Policy

...

When looking at security management, ISO 27001 comes into view. This standard describes all the aspects of security management that need to be in place when an organization wants to be certified for information security management. Although this standard covers all aspects of security management and therefore provides good guidance, it is not a comfortable standard for implementing quality management processes. You would prefer to integrate quality management closely into your working processes, both operational and managerial. The schematic below illustrates how this can be done in a way that is both complete in terms of the ISO standard and recognizable for day-to-day operations. The upper part of the schematic (blue blobs) specifies the company-wide processes. In some organizations the responsibility for information security for products and services is distributed within the organization to product teams, departments or business lines. That is illustrated in the lower part (light yellow blobs) of the schematic. If you use a centralised approach for information security, you only have to look at the upper part of the schematic. The chapters of ISO 27001 are mapped onto this schematic with the yellow/orange blobs.

[Figure: ISMSM model mapping ISO.tiff]

The information security policy shall:

e) be available as documented information;
f) be communicated within the organization; and
g) be available to interested parties, as appropriate.

5.3 Organisational roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.
Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this International Standard; and
b) reporting on the performance of the information security management system to top management.

6. Planning

6.1 Actions to address risks and opportunities

6.2 Information security objectives and planning to achieve them

7. Support

7.1 Resources

7.2 Competence

7.3 Awareness

7.4 Communication

7.5 Documented information

8. Operation

8.1 Operational planning and control

8.2 Information security risk assessment

8.3 Information security risk treatment

The last two chapters, 9 (Performance evaluation) and 10 (Improvement), will be discussed in the group later.

Meeting notes

The minutes of the SIG-ISM WG2 meetings are confidential; viewing is restricted to SIG-ISM mailing list members only.

...