by The Open University
The risk treatment task is again carried out at unit level, in light of the policies set out in Stages 1 to 3. The risks treated are those chosen for control at Stage 6.
Stage 7: select control objectives and controls

For each risk chosen for control at Stage 6, a suitable control (countermeasure) must be selected from those suggested in the Standard or from elsewhere. The risks are treated in order of priority, according to the priority levels assigned at Stage 6. (Clause 4.2.1(g))
Suitable controls are listed in Annexe A to Part 2 of the Standard, though this list is not exhaustive.
Documents drawn up in the risk treatment task should include evidence that each risk has been treated appropriately.
Figure 3 The relationship between the stages and the tasks in the ISMS planning and documentation process

In your own words, describe the tasks and stages of the ISMS planning and documentation process. Clearly distinguish the stages that are carried out at organisation level from those that are carried out at unit level within an organisation. Identify the information that flows between the tasks/stages.
The activities of the ISMS documentation task are to define and record the context, scope and components of the ISMS. It comprises five stages:
define the scope of the ISMS
define an ISMS policy
define a systematic approach to risk assessment
prepare a Statement of Applicability
obtain management approval
These stages are all carried out at the organisation level.
The ISMS documentation task runs in parallel with the asset identification, risk assessment and risk treatment tasks, all of which are carried out at the level of individual organisational units.
In the asset identification task, the organisation's information assets, their owners, their locations, their values and their security requirements are established.
In the risk assessment task, the risks to those assets are determined, along with the potential costs of breaches of their security requirements. It consists of the following stages:
identify the risks
assess the risks
identify and evaluate options for the treatment of risks
In the risk treatment task, suitable controls are selected to protect the information assets against loss or damage. It consists of a single stage:
select control objectives and controls
The following information flows between the tasks/stages:
the scope of the ISMS is used as the foundation for asset identification;
the ISMS policy and a systematic approach to risk assessment form the starting point of risk assessment;
the information required to complete the Statement of Applicability is provided by the risk treatment.
Original Copyright © 2007 The Open University. Now made available within the Creative Commons framework under the CC Attribution – Non-commercial licence (see http://creativecommons.org/by-nc-sa/2.0/uk/).