The latest version of Information Security Management System is a risk-based system which takes into account the context of the organisation with respect to ISMS. It requires the organisation to identify their internal issues, external issues and the interested parties' requirements. These three items mentioned above lead to the risks (uncertainties) and opportunities (desirable twist of uncertainties into a favourable situation) in the ISMS of the organisation.
Those risks need to be assessed based on a pre-defined criterion (eg. low risk, medium risk, high risk) and plan for actions on the risks and opportunities based on the criterion through appropriate controls. There are pre-defined controls in Annex-A after the ten clauses of the standard, which cover almost all types of InfoSec uncertainties. The organisation can also choose to define and exercise additional controls (though this would rarely be required). Like any other management system, this standard also stresses upon a Plan-Do-Check-Act approach.
From India, Chennai
Those risks need to be assessed based on a pre-defined criterion (eg. low risk, medium risk, high risk) and plan for actions on the risks and opportunities based on the criterion through appropriate controls. There are pre-defined controls in Annex-A after the ten clauses of the standard, which cover almost all types of InfoSec uncertainties. The organisation can also choose to define and exercise additional controls (though this would rarely be required). Like any other management system, this standard also stresses upon a Plan-Do-Check-Act approach.
From India, Chennai
Community Support and Knowledge-base on business, career and organisational prospects and issues - Register and Log In to CiteHR and post your query, download formats and be part of a fostered community of professionals.
ISO 9001-2000 Quality Management System Design.pdf
ISO 9001-2000 Quality Management System Design.zip
Security management.doc