Sunday, January 6, 2013

Information Security Management System

The ISMS concept is linked to the ISO 27001 specification. It involves the following steps. First, the '3D' (define) steps:
  • Define scope and boundaries
  • Define ISMS policy
  • Define the risk assessment approach

Then the 'RMICAAP' risk-management steps:
  • Identify the risks
  • Analyse and evaluate the risks
  • Risk Treatment
  • Select control objectives and activities

And finally the approval and disclosure steps:
  • Gain management approval for residual risks
  • Obtain management approval for the ISMS
  • Prepare a statement of applicability

In the statement of applicability, justifications must be provided for not selecting particular controls. Certification of the above must take place annually.