Define, operate and monitor a system for information security management.


Keep the impact and occurrence of information security incidents within the enterprise’s risk appetite levels.




  • Gaps and changes required to realize target capability
  • Baseline domain descriptions and architecture definition
  • Project proposals for reducing risk
  • Classified and prioritized incidents and service requests


  • ISMS policy
  • ISMS scope statement
  • Information security risk treatment plan
  • Information security business cases
  • ISMS audit reports
  • Recommendations for improving the ISMS


  • Enterprise security approach

Task Instructions:

Establish and Maintain an Information Security Management System

    1. Define the scope and boundaries of the ISMS in terms of the characteristics of the enterprise, the organization, its location, assets, and technology. Include details of and justification for any exclusions from the scope.
    2. Define an ISMS in accordance with enterprise policy and aligned with the enterprise, the organization, its location, assets, and technology.
    3. Align the ISMS with the overall enterprise approach to the management of security.
    4. Obtain management authorization to implement and operate or change the ISMS.
    5. Prepare and maintain a statement of applicability that describes the scope of the ISMS.
    6. Define and communicate information security management roles and responsibilities.
    7. Communicate the ISMS approach.

Define and Manage an Information Security Risk Treatment Plan

    1. Formulate and maintain an information security risk treatment plan aligned with strategic objectives and enterprise architecture. Ensure that the plan identifies the appropriate and optimal management practices and security solutions, with associated resources, responsibilities, and priorities for managing identified information security risk.
    2. Maintain, as part of the enterprise architecture, an inventory of solution components that are in place to manage security-related risk.
    3. Develop proposals to implement the information security risk treatment plan, supported by suitable business cases, which include consideration of funding and allocation of roles and responsibilities.
    4. Provide input to the design and development of management practices and solutions selected from the information security risk treatment plan.
    5. Define how to measure the effectiveness of the selected management practices and specify how these measurements are to be used to assess effectiveness to produce comparable and reproducible results.
    6. Recommend information security training and awareness programs.
    7. Integrate the planning, design, implementation, and monitoring of information security procedures and other controls capable of enabling prompt prevention, detection of security events, and response to security incidents.

Monitor and Review the Information Security Management System

    1. Undertake regular reviews of the effectiveness of the ISMS, including meeting ISMS policy and objectives, and review of security practices. Take into account the results of security audits, incidents, results from effectiveness measurements, suggestions, and feedback from all interested parties.
    2. Conduct internal ISMS audits at planned intervals.
    3. Undertake a management review of the ISMS on a regular basis to ensure that the scope remains adequate and that improvements in the ISMS process are identified.
    4. Provide input to the maintenance of the security plans to take into account the findings of monitoring and reviewing activities.
    5. Record actions and events that could have an impact on the effectiveness or performance of the ISMS.