Processes

The process of managing the interface between information security governance and management should ensure alignment with the objectives and needs of the overall organization and its stakeholders. The process for managing security policies involves the development, maintenance, and retention of information security policies, standards, procedures, and guidelines collectively referred to as "IS policies."

An up-to-date understanding of the needs and expectations of interested parties relevant to information security and the ISMS is essential for meeting the ISMS objectives. This understanding is developed within the requirements management process, which identifies the legal, statutory, regulatory, and contractual requirements and supplies them to the risk assessment process, the internal audit process, and the process to control outsourced services.

In the risk assessment process, risks are identified, analyzed, and evaluated. The results are documented, and the evaluated risks are captured in a list of prioritized risks with risk owners. This list serves as input for the communication process and the information security risk treatment process.

The information security risk treatment process identifies and selects risk treatment options and determines control objectives necessary for the chosen risk treatment options. The results include lists of determined controls and control objectives, a risk treatment plan, acceptance of residual risks, a control implementation plan, and requests for changes for the information security change management process.

The security implementation management process initiates and verifies the implementation of the risk treatment plan and of the changes it requires. Where services are outsourced, the process to control outsourced services identifies those services and keeps them under control.

The information security awareness process develops and implements an awareness, training, and education program so that all personnel receive the security training and education they need. The information security incident management process covers detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents.

Changes resulting from the implementation of controls are managed within the information security change management process. The performance evaluation process includes monitoring, measurement, analysis, and evaluation of the performance of security controls and ISMS processes.

Results from the performance evaluation process, internal audit process, and service provider audits from the process to control outsourced services are used to improve the effectiveness, efficiency, suitability, and adequacy of the ISMS and controls within the information security improvement process.

The records control process identifies, creates, updates, and controls the documented information needed for the ISMS to be effective and to demonstrate its operation with documented evidence. The resource management process identifies, allocates, and monitors the resources needed to implement controls and to run the ISMS processes.

The results of the resource management process are: planned and documented resources for controls; a categorization of controls by funding source; planned and documented resources for running the ISMS core processes; and reports on resource usage for the ISMS core processes and for the information security customer relationship management process.

The results of nearly all ISMS processes are communicated centrally, through the communication process, to interested parties outside the ISMS. The information security governance/management interface process forms the interface between the ISMS and its interested parties.

This process also oversees the information security customer relationship management process, in which customer satisfaction levels are managed operationally and the added value of investments in information security is demonstrated on an ongoing basis.

All of these processes can be designed and implemented as integrated processes within an integrated management system (IMS). Synergies arising from integrating the processes into an IMS should be identified and realized wherever this is possible and suitable.
