1 - Define the ISMS scope
a) Delimitation of the ISMS scope using a documented procedure;
b) Identification of legal and business requirements and constraints;
c) Identification of the information assets within the ISMS scope.
1.2 Required outputs
a) Scope statement (description of what the scope is);
b) List of legal and business requirements and constraints;
c) List of information assets.
a) definition of objectives of information security;
b) management statement in support;
c) reference to other internal security regulations (e.g. procedures);
d) identification of legal requirements;
e) responsibilities for management;
f) references to other documents.
a) Information security policy document;
b) Specific policies (if applicable);
c) Standards, procedures, guidelines (if applicable).
3 - Define a risk assessment approach
b) suited to the ISMS and to the applicable legal requirements.
b) Identify the vulnerabilities that might be exploited by those threats;
c) Identify the impacts that losses of confidentiality, integrity and availability (CIA) would have on the assets.
A list of risks.
b) Likelihood of its occurrence.
5.2 Required outputs
6 - Identify and evaluate options for the treatment of risks
b) avoid it;
c) transfer it to insurers or suppliers;
d) reduce it.
Risk treatment decision (in terms of the 4 strategies defined above).
a) Mandatory measures from BSI's chapters 4, 5, 6 and 7.
b) Selective measures from Annex A that may be chosen or excluded.
c) Measures derived from other sources, as long as they provide more assurance than BSI's controls.
Risk treatment plan (defines the strategy for each risk and, where the decision is to reduce the risk, the appropriate controls).
8 - Prepare a Statement of Applicability
8.1 Major requirements
Produce a Statement of Applicability (with the reasons for choosing each control or for its exclusion).
Statement of Applicability (SoA).
9 - Obtain management approval
9.1 Major requirements
b) Authorization to operate the ISMS.
b) ISMS operation authorization.
Labels: Information Security