by The Open University
ISMS documentation is carried out at organisation level. Its purpose is to define the scope and context of the proposed system, and the approach to information security management that it will embody. It has five stages: three that initiate the planning process (Stages 1 to 3) and two that complete it (Stages 8 and 9).
Stage 1: define the scope of the ISMS
The context and scope of the ISMS are defined by considering the nature of the organisation, the business (or service) area in which it operates, and its location, assets and technology. The scope of the ISMS is a statement of which information assets are to be protected. (Clause 4.2.1(a))

Stage 2: define an ISMS policy
An ISMS policy, often referred to simply as an information security policy, is drawn up. This important document underpins the ISMS and contributes to the traceability and repeatability of its processes. It should, among other things, set up criteria against which security risks to information assets can be evaluated. (Clause 4.2.1(b))

Stage 3: define a systematic approach to risk assessment
A document specifying a systematic approach to risk assessment is written. This must include a process for evaluating the likelihood of a risk to an information asset's security requirements, and the impact of a breach of them, along with a definition of what constitutes acceptable risk. (Clause 4.2.1(c))

Stage 8: prepare a Statement of Applicability
The Statement of Applicability of the ISMS is completed, based on information gathered at Stage 7 (during risk treatment). (An explanation of what is meant by a Statement of Applicability is given in Subsection 5.4.) (Clause 4.2.1(h))

Stage 9: obtain management approval
The complete ISMS documentation, consisting of the papers drawn up in Stages 1, 2, 3 and 8, is submitted to senior management for approval. (Clause 4.2.1(i))
Original Copyright © 2007 The Open University. Now made available within the Creative Commons framework under the CC Attribution – Non-commercial licence (see http://creativecommons.org/by-nc-sa/2.0/uk/).