An introduction to information security

5.2 The Standard's approach to planning an ISMS

The Standard describes the planning of an ISMS, which it refers to as the ‘Plan activity?, as follows.

The Plan activity … is designed to ensure that the context and scope for the ISMS have been correctly established, that all information security risks are identified and assessed, and that a plan for the appropriate treatment of these risks is developed. It is important that all stages of the Plan activity are documented for traceability and for the management of change.

(Part 2 of the Standard, Annex B.2.1, p. 22)

This description suggests an approach to the planning and documentation of an ISMS that comprises four tasks. These four tasks are not identified explicitly in the Standard. The documentation task, which takes place throughout the process, can be summarised as follows.

• ISMS documentation, in which the context and scope of the ISMS, and its rules for assessing risk, are determined and in which the documentation that makes progress through the stages of the process traceable and the management of change possible is generated.

This task begins at the same time as, runs in parallel with, and records the decisions of the three other tasks, which take place sequentially and concern the planning of the ISMS.

• Asset identification, in which the information assets that are to be handled by the ISMS are identified, and their security requirements are established.

• Risk assessment, in which the risks of breaches of the security requirements of information assets are assessed.

• Risk treatment, in which a plan for the management of the risks is developed.

The planning tasks complement and drive the documentation task, by providing the operational details of what the ISMS will do.

The relationships between the four tasks are illustrated in Figure 2.

The four tasks are subdivided into stages, each of which is described in Clause 4.2.1 of Part 2 of the Standard.

Original Copyright © 2007 The Open University. Now made available within the Creative Commons framework under the CC Attribution – Non-commercial licence (see http://creativecommons.org/by-nc-sa/2.0/uk/).