An introduction to information security

by The Open University


Other approaches to information security management

Many of the approaches to planning an ISMS to be found in the literature follow a three-phase, rather than a four-task, approach. For instance, Moses (1994) stipulates seven steps in three phases:

Moses's initiation phase corresponds to our asset identification and his analysis and management phases together correspond to our risk assessment and treatment.

Alberts and Dorofee (2003) specify another three-phase process. Again, the task of the first phase is to identify the organisation's information assets and their security requirements, but it also includes a threat analysis. In Alberts and Dorofee's second phase, the technology systems with which each information asset is associated are determined, so that vulnerabilities to the threats uncovered in the previous phase can be listed and assessed. Each system is then evaluated for the probability and impact of an attack, so that threats and risks can be prioritised. In the third and final phase, the plan comes together with the choice and tailoring of controls.

You will notice that the three-phase approaches of Moses and of Alberts and Dorofee omit the ISMS documentation task. Moreover, neither of these approaches covers the preparation of a Statement of Applicability or the submission of the final set of documents to senior managers for approval. The difference is that, in both cases, the authors focus only on risk analysis and management, and so miss the Standard's requirement for certification of the ISMS. The documents generated in the ISMS documentation task are a major component of what would be delivered to a certifying authority, and provide much of the basis for traceability and for the management of change.

Original Copyright © 2007 The Open University. Now made available within the Creative Commons framework under the CC Attribution – Non-commercial licence (see http://creativecommons.org/by-nc-sa/2.0/uk/).