In establishing an ISMS, the scope of the ISMS is determined (STEP 1), and an information security policy is defined (STEP 2). On the basis of this security policy, a systematic approach to risk assessment is defined (STEP 3), and risks to the information assets that must be protected are identified (STEP 4). Risk assessment is then carried out (STEP 5). If, as a result of the risk assessment, unacceptable risks are found, possible ways to treat the risks should be identified and examined (STEP 6). Based on the risk treatment, controls to be implemented are selected (STEP 7).
Detailed Controls:

1. Information security policy
2. Organizational security
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Systems development and maintenance
9. Business continuity management
10. Compliance
Not all controls described in the "detailed controls" must be enforced; an organization may select the controls to be implemented from the "detailed controls" on the basis of the risk assessment. In addition to the controls listed above, the organization shall add any more effective controls that prove necessary as a result of risk assessment or risk management. The nature and number of residual risks the organization retains shall be identified. Through risk management, these residual risks shall be approved by management (STEP 8), and the introduction of the ISMS shall also be authorized by management (STEP 9). It is particularly important to document the selection of controls in the statement of applicability (STEP 10).