This chapter outlines the methodology for risk assessment and implementation of an Information Security Management System (ISMS), emphasizing the need for senior management commitment and the formation of a project management committee. It details the steps involved in defining the ISMS scope, conducting risk assessments, selecting controls, and implementing a risk treatment plan, while also highlighting the importance of employee training and awareness programs in maintaining security. The document provides a structured approach to identifying assets, threats, and vulnerabilities, and suggests various risk treatment options to ensure effective management of information security risks.

Chapter 3: Risk Assessment and ISMS Implementation Methodology

Project Initiation
This is the project preparation phase. To make the implementation a success you must have:

Senior Management Commitment

To ensure that the implementation of an information security management framework functions properly, the approval and commitment of senior management must be obtained. Without management's commitment, the project's implementation could run into difficulties. In order to reduce the number of lengthy delays, senior management commitment must be present at all levels: operational, technical and budgetary, as well as in terms of the timeline.

A project management committee

A project management committee must be formed. It is usually comprised of a senior executive, the implementation project manager and representatives from the various administrative units.

The project manager usually directs operations and sets priorities. He must be familiar with
the implementation process, and be constantly available. In some of the larger organizations,
the Chief Information Security Officer (CISO) performs the aforementioned tasks.

The various committees and teams associated with the project are presented in the following
proposed structure:

Get Every Department Involved in the Project

Copy # 81 copyright @ PUNYAM Tele: 91-079-2656 5405, 91-079-2656 1104. Page 1 of 18


In most cases, the implementation of the ISO 27001 standard in an organization requires the involvement of all the administrative units of that organization. The following summary chart (which is not comprehensive) shows the potential implications for all ten ISO domains:

ISMS Definition
Once a Management Committee has been created (see previous phase), it must define the scope of the information security management framework so as to focus on what is essential. The security perimeter can cover either selected sections of an organization or the entire organization. Keep in mind that the ISMS must be under organizational control. If the organization does not control the ISMS, it will be unable to manage it efficiently.

In order to accurately define your ISMS, you must clearly identify the following elements:

Goal / Objective: In light of the initial intent, a clear decision must be made to either adopt the standard for compliance or obtain BS7799-2 certification.

Scope: What administrative units and activities will be covered by the information security management framework? The answer to this question offers a fair representation of the organization's most important activities.

Boundaries / Limits: The limits of the ISMS' scope are defined in accordance with:
• The specific characteristics of the organization (size, field of endeavor, etc.);
• Location of the organization;
• Assets (inventory of all critical data);
• Technology.

Interfaces: The organization has to take into account interfaces with other systems, other organizations and outside suppliers. Note: all interfaces with services or activities not entirely included within the limits of the ISMS definition should be considered in the ISMS certification submission and be part of the organization's information security risk assessment; for example, shared equipment such as computers, telecom systems, etc.

Dependencies: The ISMS has to respect certain security requirements. These requirements can be of a legal or commercial nature. For example, an organization in the health sector may be subject to the Health Insurance Portability and Accountability Act (HIPAA).

Exclusions and Justification: Any element or domain (part of a network or of an administrative unit) defined by the ISMS, yet not covered by a security policy or security measures, must be identified and its exclusion explained.

Strategic Context: Planned security measures must take into account the actual or imminent position of the organization in order to reach mission-compatible goals set by senior management. The acquisition of a new company, the merging of existing infrastructures, downsizing and the decision to outsource information systems are examples of such goals.

Organizational Context: The organizational environment enhances the measures implemented to meet specific objectives as set by management. For example, outside access to company servers for teleworking purposes would require specific security measures.

Gathering Existing Documentation

A review of the existing documentation is necessary in order to evaluate the scope of existing security measures, such as the ISO 9000 Quality Management manual, the ISO 14001 Environmental Management manual and the Security Policies manual. Managers of every department involved in ISMS definition should draw up an inventory of all documents relating to data security within their department. The following is a list of possible documents:

1. Security policy documents;
2. Standards and procedures for policies (administrative or technical);
3. Risk assessment reports;
4. Risk treatment plans;
5. Documents indicating the existence of information security control and management in the ISMS; for example, audit journals, audit trails, computer incident reports, etc.

Risk Assessment
Why a risk assessment?

Whatever the type or size of a business (multinational or SME), all organizations are
vulnerable to threats that jeopardize the confidentiality, integrity and availability of important
data. The sooner protective action is taken, the more inexpensive and effective the security. In
order to more easily identify and select the controls that will allow for better management of
human and financial resources, the whereabouts and nature of the threats must be known.

Conformity to ISO 27001 Controls: Preliminary Survey

An initial evaluation of the security status of the management framework in terms of the
controls, processes and procedures required by ISO 27001 should be done. In addition to
raising awareness of the standard and its code of practice, much is learned through the
analysis of each question. The survey can be conducted before implementation, or after, if the
intended aim of the exercise is to review the original gaps and measure the level of
improvement. An ISO 27001 compliance Web report can also be generated.

Asset Identification and Evaluation

The first stage of the information security risk assessment process is the identification of critical and/or sensitive data. The organization must create an inventory of all information needed to conduct good business operations, whether financial or relating to the marketing strategy, etc. Elements of information are of varying degrees of importance and must be dealt with in accordance with their relative importance (confidential, internal use only, public, etc.).

Identification and Evaluation of Supporting and Environmental Assets

Because data is an intangible asset, it must be handled, processed, stored, printed, disposed of and communicated through tangible means. Therefore, the supporting assets of an organization must be identified and their value determined as a function of CIAL criteria (confidentiality, integrity, availability, legality). For example, financial data stored on a hard drive may have high confidentiality value, medium integrity value and medium availability value.

Classify them under the following categories:

Building and Equipment;
Documents;
Software;
Computer Equipment;
Human Resources;
Services.

Identification and Assessment of Threats and Vulnerabilities

It is important to identify the weaknesses of any asset that supports the organization’s critical
data. Such weaknesses are vulnerable to threats and can therefore have a negative impact
on data (disclosure, corruption, destruction, legal prejudice).

The business constraints of organizations, the legal constraints of specific fields of endeavor
and the constraints deriving from geographical locations must all be identified. For example, a
company conducting business within the banking industry in the USA is subject to the
provisions of the Gramm-Leach-Bliley Act (GLBA).

Risk Treatment
Once risks have been identified and calculated, a decision must be made as to the
management of these risks. How they are to be managed is usually a function of:

Initial security policy;
Level of assurance required;
Risk assessment results;
Existing business, legislative and regulatory constraints.

There are generally four risk treatment options:

1. Risk Reduction: The organization implements measures or adopts the means that will reduce risk to an acceptable level.
2. Risk Acceptance: The organization takes a calculated risk and knowingly assumes responsibility for the consequences.
3. Risk Avoidance: Ignoring the risk is never the right solution. However, risks can be avoided by moving potentially targeted assets out of the risk area or by completely abandoning the business activities that generate security weaknesses.
4. Risk Transfer: The organization transfers the risk through the purchase of insurance or through outsourcing.

Selecting Controls

In most cases, Risk Reduction is the option selected. Consequently, objectives must be set,
and controls implemented.

Upon completion of the risk assessment, you must select the controls to implement, consistent with the ISO 27001 standard, in each targeted information environment. The afforded protection is adapted to the perceived threat. The client retains or rejects the proposed solution before proceeding with the development of the Risk Treatment plan.

Risk Treatment Plan

The plan for Risk Treatment contains all the information pertinent to implementation:
management tasks and responsibilities, the names of those in charge, the risk management
priorities, etc.

Additional controls, not included in the standard, may be required. A quality risk assessment,
as well as the assistance of an outside consultant, may be helpful.

Implementation of Controls

The implementation of the Risk Treatment plan can now be initiated. The client will assume responsibility for the follow-up activities. The client implements the administrative, technical, logical, physical and environmental controls in accordance with their capacities for dissuasion, prevention, detection, correction, recovery and compensation.

Controls, their components and the corresponding measures*:

Administrative
Components: Policies and procedures; Supervision of personnel; Surveillance structure; Awareness training; Testing.
Measures: Policies, standards, procedures, guidelines, staff selection procedures, termination of employment procedures, asset classification and labeling, security awareness program.

Technical or Logical
Components: Systems access; Network access; Encryption and protocols; Control area; Audit and verification; Network segregation.
Measures: Logical access controls, encryption, anti-virus software, smart cards, call back procedures, limited user interface, liquid crystal display (LCD), firewalls, routers, intrusion detection system (IDS), shutoff level.

Physical
Components: Security perimeter; Computer control; Work area isolation; Computer backup; Cabling.
Measures: Gates, security guards, locks, surveillance systems, environmental controls, intrusion and motion detection, alarms, mantraps, ID, swipe cards, biometrics.

* Roles of the measures and their definitions:

Dissuasion: Reduce threat probability.
Prevention: Protect or reduce asset vulnerability.
Correction: Reduce risk or impact of loss.
Detection: Detect attacks or security weaknesses, and launch preventive and corrective measures following an attack.
Recovery: Restore resources and capabilities.
Compensation: Provide alternate solutions to other controls.

The client-organization should seek advice from information security specialists and legal
advisers to confirm the appropriateness of its choice of controls and to ensure that these
controls are properly implemented.

Training & Awareness

The organization has to make sure that all staff members in charge of a defined ISMS responsibility are qualified and able to perform their tasks. In that sense, the organization has to:

Determine what skills personnel working on information security must have;
Give appropriate training and, if necessary, hire experienced staff for that specific task;
Evaluate the efficiency of training and actions undertaken;
Maintain a register of education and training programs followed by each employee as well as their abilities, experience and qualifications.

The organization also has to make sure the necessary personnel are aware of the importance of their information security activities and the way they participate in meeting the ISMS objectives.

It is important to develop a training and awareness program in order to educate all employees in the organization. Employees have to make sure they understand and respect good practices in terms of information security.

Employees represent the cheapest countermeasure against security violations. Usually, they are the first to be affected by security incidents. Employees aware of the implications of security problems can prevent and lower the impact of incidents when they occur. Given the importance of all personnel in terms of security control, staff awareness is extremely important in any security program. Recognition and reporting of any event that could represent a security incident should become instinctive. This is the actual goal of the information security awareness program. Employees concerned with information security greatly help when it comes to protecting the business' assets.

Before Starting the Awareness Program:

You must first understand the differences between awareness, training and education:

Awareness
- Attribute: «What»
- Level: Information
- Objective: Identify and recognize security faults
- Teaching method: Media: bulletin, video, posters, literature, courses, case study, seminars
- Verification: Comprehension interview
- Time frame: Short term

Training
- Attribute: «How»
- Level: Knowledge
- Objective: Develop abilities to solve security problems
- Teaching method: Instruction practices: literature, empowerment, case method and workshop, practice based on experience, advice and assistance
- Verification: Problem resolution (apply what was learned)
- Time frame: Medium term

Education
- Attribute: «Why»
- Level: Perspicacity
- Objective: Understand why security is important
- Teaching method: Instruction: discussion, seminar, general literature on the subject, theoretical courses
- Verification: Written examination, essay, paper (interpretation of what was learned)
- Time frame: Long term

Here are a few critical success factors to consider in order to implement an information security awareness program:

Immerse oneself in the environment and culture of the organization;
Ensure senior management commitment;
Understand the importance of employees in terms of security;
Find internal communication media and associated resource personnel (traditional, Web);
Explore what is already there;
Build policies, procedures, forms and related check sheets;
Identify the final result of the program:
-Paper
-Manual
-E-mail
-Web
-Intranet
Ensure handover to new employees (what new employees must follow).

During the Awareness Program:

Policies must have been approved before proceeding to this phase.

Planning:

Definition of program objectives: identify the general objectives of the program and align them with strategy. Example: make employees aware of security threats; develop the motivation and abilities to help them protect information systems.

Identification of target groups (primary and secondary). Example: employees, technicians, management.

Identification of information to disseminate (by group).

Actual state of organizational efforts.

Elaboration of the plan of action:
- Distribute documentation;
- Policies, standards and procedures should be electronically available;
- If possible, create a logo for the information security department (this helps to quickly identify the department and gives it a certain recognition).

General content of the training:
- Risks;
- Basic principles (introduction, CIA, good habits, etc.).

Development:
- Specific information;
- Demonstration;
- Solutions to threats, risks and vulnerabilities;
- Responsibilities;
- Have employees sign a form stating that they agree with the content (security agreement) and, preferably, have them sign on a regular basis (example: every year);
- How to react and people to contact (who, what, how, when);
- Procedures, forms, roles and responsibilities;
- Consequences of failure to respect standards, policies and agreements.

A test to check knowledge is recommended.

Original, surprising and amusing ways for transmitting the message have to be found. Each
vehicle has its own advantages and drawbacks; all you have to do is to find one that goes well
with your message.

Media for Message Transmission:

Periodical Internal Publication (weekly, monthly, occasional, etc.)
Video: Traditional, Digital or On-line
Traditional In-class Training
Posters
Literature
Internet and Intranet
E-mail
Voice Mail
Program Startup, Screen Saver, Log-on Banner, etc.
Promotional Goods
Recognition and Incentive Awards
Inspection and Verification (e.g. random password verification)
External Supplier

Keep all details of training followed in employees' files or databases.

After the Program:

Evaluate satisfaction with the training;
Evaluate the contribution of the training (evolution);
Ensure knowledge transfer;
Update whenever there are changes and new elements.

Audit Preparation
ISMS Compliance Diagnostic

BS7799/ISO:27001-2 certification requires the validation of compliance with the implementation specifications of the management framework. Completing the questionnaire will help ascertain whether the approach used by management allows for the development, control, review, maintenance and improvement of the management framework in place. It also verifies the capacity to manage the documentation needed for certification and to fulfill the security requirements inherent to this process.

Applicability Statement

The Applicability Statement must be produced before the audit. This document provides justification for the applicability or non-applicability of each ISO 17799 control to the ISMS in question. It also includes, where applicable, each control's current implementation status.

In short, the objectives, selected controls and grounds for selection are therein explained, as
are the grounds for the exclusion of any measure listed in the ISO 27001 standard.

Audit - ISO:27001 Certification

The ISO 27001-2 certification process is entirely voluntary. Organizations having successfully completed the ISO 27001 certification process can have greater confidence in their ability to manage information security. Furthermore, these organizations have an easier time finding partners, clients and shareholders. Accredited ISO 27001-2 certification is a public statement regarding the fact that an organization's ISMS can keep secret and confidential the details of its information security controls.

The guidelines require that the certification body proceed to an on-site ISMS audit in no less than two stages, unless an alternate approach can be justified (for example, adapting the certification process to the needs of a very small organization). The audit is two-part:

1) Documentation Audit;
2) Implementation Audit.

Documentation Audit

One of the goals of the documentation audit is to allow the certification body to gain an
understanding of the ISMS in the context of the organization’s security policy, objectives and
approach to risk management. It can also serve as a useful reference point when preparing
for the second audit and offers an opportunity to evaluate how prepared the organization is for
the audit.

The Documentation Audit includes a document review, which needs to be completed before the Implementation Audit can begin. The certification body is expected to review all documents relating to the design and implementation of the ISMS, including:

The security policy statement;
The ISMS' scope definition;
All procedures and controls supporting the ISMS;
The risk assessment report;
The risk treatment plan;
All procedures regarding planning, operations and effective control of information security processes;
All records confirming conformity and effectiveness of ISMS operations;
Statement of Applicability.

The results of the documentation audit are contained in a report. The findings are used to
decide whether the time is right to proceed with the next phase of the audit. The report will
also be used to select the Phase Two team members who possess the skills required to deal
with the specific nature of the ISMS. In proceeding to the next phase, the certification body will
inform the organization of the additional documentation, information or reports that may be
required for detailed inspection during the implementation audit.

Implementation Audit

The implementation audit is guided by the conclusions of the documentation audit report. The certification body draws up the audit plan based on those conclusions, which then allows the implementation audit to begin. The audit takes place at the site of the organization where the ISMS is located.

The audit covers:

a) Confirmation of the organization's compliance with its own policies, objectives and procedures;
b) Confirmation of the ISMS' compliance with all ISO 27001-2 requirements and of its attainment of the organization's policy objectives (this includes checking that the organization has a system of processes in place to cover the requirements given in Clauses 4 to 7 inclusively of the ISO 27001-2 standard). The ISMS compliance diagnostic found in Callio Secura 27001 can help an organization prepare for this phase.

The implementation audit should focus on the way the company deals with:

c) Assessment of information security related risks and the resulting design of its ISMS:
   The approach to risk assessment;
   Risk identification;
   Risk assessment;
   Risk treatment;
   The choice of control objectives and controls for risk treatment;
   Preparation of a Statement of Applicability.
d) Checking objectives and targets resulting from this process;
e) Performance monitoring, measuring, reporting and reviewing against the objectives and targets. This should include checking that processes are in place and being used for at least the following:
f) Management and security reviews. This should include checking that processes are in place and are being used for at least the following:
g) Management responsibility for the information security policy. This should include checking that processes are in place and are being used for at least the following:
h) Links among policies, information security risk assessment results, aims and objectives, responsibilities, programs, procedures, performance data and security reviews (these links should demonstrate the relationships among the various activities, processes and results specified in ISO 27001-2, Clauses 4 to 7, inclusively).

Auditor’s Report

The certification body is expected to adopt a variety of reporting methods and procedures to convey the audit results. These include written and oral reports provided during audit meetings held on the premises, as well as formal reports at the end of the audit. These reports specify whether the organization's ISMS is compliant with ISO 27001-2 requirements.

Reports produced during the audit provide the organization with an opportunity to question the
auditors about their findings and the basis for their findings. Reports are to be produced and
remitted to management in a timely manner, so as to allow the correction of identified sub-
standard elements, and so comply with all certification requirements.

The organization is invited to comment on the audit reports and to describe the corrective actions it has taken or plans to take in order to rectify the sub-standard elements identified during the audit. The certification body will inform the organization if a complete or partial reassessment is required or if a simple written statement confirming the completion of the required corrective measures will suffice.

Certification Decision

The decision to grant or withhold certification is to be taken by the certification body. This
decision is based on the information and evidence gathered during the audit process, and any
other relevant information. Those who make the certification decision are not those who have
participated in the audit.

A certified organization receives an ISO 27001-2 certificate from the certification body. The certificate contains information regarding the scope of the certification, the effective date of certification and a reference to the specific version of the statement of applicability, as well as the applicable certification body and accreditation body logos or marks.

Reassessment and Monitoring Procedures

The certification body should perform periodic monitoring audits on the certified organization’s
ISMS. The frequency of these follow-up audits is the responsibility of the certification body but
typically an organization might be visited for such an audit every six months. The purpose of
these monitoring audits is to verify the certified organization’s continued compliance with
certification requirements and the ISO 27001–2 standard.

The ISMS reassessment is usually performed every three years. Thus, the maximum lifespan of an ISO 27001 certificate is generally three years, after which the ISMS must be certified anew. The purpose of the reassessment is:

To verify ongoing compliance of the ISMS with ISO 27001-2 requirements;

To review past implementation and the system's ongoing maintenance during the certification period, including:

-Verifying that the ISMS has been properly implemented, maintained and improved in accordance with ISO 27001-2 requirements;
-Reviewing ISMS documents and ISMS audit results (including internal audits and monitoring audits);
-Verifying the effective interaction among all ISMS elements;
-Verifying the overall effectiveness of the ISMS in its entirety, while taking into account changes in the organization's business and operations;
-Verifying a demonstrated commitment to maintaining the ISMS' effectiveness.

Control and Continual Improvement

Whether you are BS7799/ISO:27001-2 certified or not, it is important to regularly verify and improve your management framework after its implementation. Inspections and updates should be performed regularly, as security is a field that is ever changing. For example, outdated anti-virus software is of very little use.

The PDCA Management Model

The recent 2002 edition of the ISO 27001-2 standard adopted the Plan-Do-Check-Act model
in order to be consistent with other ISO standards that already use it, such as ISO 9001 and
ISO 14001.

Once applied to the ISMS management framework, this model emphasizes the necessarily
cyclical nature of the risk management process, vital to the achievement of continual
improvement.


The following is an overview of the four phases:

Plan (Implement the ISMS): During the planning phase it is important to consider the business context of the company implementing the ISMS (Information Security Management System). For example, applicable corporate governance and legal requirements must be identified. Furthermore, the company's business context should be reflected in its security policies and objectives and should be considered when defining the scope of the ISMS. During the planning phase the company also outlines a formal procedure for the ongoing identification and assessment of risks, and it selects control objectives and controls that will allow it to manage these risks. At the end of this process the company prepares a Statement of Applicability.

Do (Implement and operate the ISMS): When implementing the ISMS, it is important to focus primarily on developing and implementing an effective, long-term plan for risk mitigation. During this phase the controls selected at the planning stage are implemented in order to meet control objectives. In addition, a training program is initiated to raise staff awareness and ensure the correct implementation of controls.

Check (Monitor and review the ISMS): During this phase, the company periodically performs internal ISMS audits and regularly monitors the effectiveness of the ISMS. The company also reviews the level of acceptable and residual risk. This phase includes, furthermore, a third party security audit for ISO 27001 certification. This audit, which is performed by a qualified external audit team, is often preceded by a pre-assessment audit. Qualified ISO 27001 consultants can prove particularly helpful during this phase.

Act (Maintain and improve the ISMS): When flaws and weaknesses have been identified, appropriate corrective measures and preventive actions must be taken to improve the ISMS. Timelines for implementing these improvements should be set. Finally, it is important to maintain communication with all stakeholders during this phase and to continue providing training for staff and partners.

Continual Monitoring and Improvement

At this point, the two remaining steps of the cycle must be initiated: monitoring and improving
the ISMS.

Monitoring and Reviewing the ISMS

In practical terms, to monitor and review the ISMS a firm must perform the
following tasks:

a) Implement monitoring procedures and other controls allowing for:

- quick detection of errors in processing results;
- quick identification of non-compliance with security rules, and the immediate reporting
  of incidents;
- confirmation that all security tasks that have been delegated to individuals or
  implemented by the information technology department are carried out as planned;
- identification of the actions to be taken to remedy non-compliance with security rules,
  according to the organization's priorities.
b) Conduct periodical reviews of the ISMS' effectiveness (including the objectives, security
policy and security measures) based on audit results, incidents, and suggestions and
comments received from concerned parties.
c) Review the levels of residual risk and acceptable risk, while taking into consideration
changes to:
- the organization;
- technology;
- business objectives and processes;
- external events, such as changes in legislation, regulations or public opinion.
d) Conduct a management review of the ISMS regularly (at least yearly) to ensure the scope
remains appropriate and that improvements are identified (see ISMS Management Review
below).
e) Record actions and events that might impact ISMS effectiveness or performance.
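Item a) above asks for confirmation that delegated security tasks are carried out as
planned. The following is an added example of such a check, not code from the original
document: it compares a control register (each delegated task with its required cadence
and owner) against the evidence records filed for it and reports every control whose
evidence is missing or stale as of the review date. The control identifiers, owners,
cadences and dates are constructed for the example; an organization would load its own
register and its record-control log in their place.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Control:
    """One delegated security task from the (hypothetical) ISMS control register."""
    control_id: str
    description: str
    owner: str
    max_interval: timedelta  # longest acceptable gap between two pieces of evidence


# Constructed control register; identifiers, owners and cadences are assumptions.
CONTROL_REGISTER = [
    Control("AV-01", "Anti-virus signature update", "IT Ops", timedelta(days=1)),
    Control("BK-02", "Backup restore test", "IT Ops", timedelta(days=30)),
    Control("AC-04", "User access rights review", "HR / IT", timedelta(days=90)),
    Control("IA-03", "Internal ISMS audit", "ISMS Manager", timedelta(days=365)),
]

# Constructed evidence log: (control_id, date the record was filed).
EVIDENCE_LOG = [
    ("AV-01", date(2024, 3, 24)),
    ("AV-01", date(2024, 3, 25)),
    ("BK-02", date(2024, 2, 8)),
    ("BK-02", date(2024, 3, 10)),
    ("AC-04", date(2023, 12, 15)),
    ("ZZ-99", date(2024, 3, 1)),  # evidence filed for a control the register does not know
]

# Date on which the monitoring review is run (constructed).
REVIEW_DATE = date(2024, 3, 31)


def latest_evidence(evidence, as_of):
    """Most recent evidence date per control, ignoring records dated after as_of.

    A future-dated record is itself an anomaly and must not satisfy the control.
    """
    latest = {}
    for control_id, filed in evidence:
        if filed > as_of:
            continue
        if control_id not in latest or filed > latest[control_id]:
            latest[control_id] = filed
    return latest


def find_noncompliance(register, evidence, as_of):
    """Return (control_id, owner, finding) for every control without timely evidence.

    A control is compliant when its most recent evidence is no older than
    max_interval as of the review date. Missing evidence is reported separately
    from stale evidence because the corrective action differs.
    """
    latest = latest_evidence(evidence, as_of)
    findings = []
    for control in register:
        last = latest.get(control.control_id)
        if last is None:
            findings.append((control.control_id, control.owner, "no evidence on record"))
            continue
        overdue = as_of - last - control.max_interval
        if overdue > timedelta(0):
            findings.append(
                (control.control_id, control.owner, f"overdue by {overdue.days} day(s)")
            )
    return findings


def unregistered_evidence(register, evidence):
    """Control ids that have evidence but no register entry.

    This points at an out-of-date register or filing procedure rather than at a
    control failure, so it is reported separately.
    """
    known = {c.control_id for c in register}
    return sorted({cid for cid, _ in evidence if cid not in known})


if __name__ == "__main__":
    for cid, owner, finding in find_noncompliance(CONTROL_REGISTER, EVIDENCE_LOG, REVIEW_DATE):
        print(f"{cid} ({owner}): {finding}")
    for cid in unregistered_evidence(CONTROL_REGISTER, EVIDENCE_LOG):
        print(f"{cid}: evidence filed for a control not in the register")
```

The findings list is the input to the corrective-action procedure described later in this
chapter: each entry already names the owner to whom the non-compliance is reported, and the
distinction between "no evidence" and "overdue" separates controls that were never
operated from controls whose cadence slipped.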

Maintaining and Improving the ISMS



To ensure the continuous operation of the ISMS, the organization must:

a) Implement identified improvements;


b) Take the necessary corrective and preventive measures, learning from the organization's
own past security experiences and from the experiences of others (see Improvements below);
c) Share results and communicate the actions in agreement with concerned parties;
d) Ensure improvements are in line with objectives.

ISMS Management Review (details)

General
Management must review the ISMS regularly to ensure its continuing suitability, adequacy
and effectiveness. The review will create opportunities for evaluating improvements and for
assessing the need for change in the security policy or objectives. Results of the review
must be documented and records kept (see Record Control).

Review Input

The input to the management review should contain information pertaining to:

a) ISMS audit and review results;
b) Feedback from concerned parties;
c) Technologies, products and procedures that could improve ISMS performance and
effectiveness;
d) The status of preventive and corrective measures;
e) Vulnerabilities and threats not adequately addressed in preceding risk assessments;
f) Follow-up actions from preceding management reviews;
g) Modifications that could affect the ISMS;
h) Recommended improvements.

Review Output

The output of the management review should contain decisions or actions pertaining to:

a) Improvement of the ISMS' effectiveness;
b) Procedural modifications affecting information security, in response to internal or
external events that could impact the ISMS, such as changes in:
- business requirements;
- security requirements;
- business processes affecting the existing business requirements;
- legal or regulatory environments;
- levels of risk and/or levels of risk acceptance.
c) The need for resources.




Internal ISMS Audits

The organization must conduct internal ISMS audits on a regular and scheduled basis in order
to determine whether the control objectives, controls, processes and procedures of its ISMS:

a) To comply with the requirements of the standard and with relevant legislation or
regulations;
b) To comply with identified information security requirements;
c) To ensure correct implementation and maintenance;
d) To ensure operations run as planned.

An audit program must be developed that will take into account the status and importance of
processes and of the locations to be audited, as well as the results of prior audits. Audit
criteria, scope, frequency and methods will be defined. The process must be objective and
impartial. This, in turn, will influence the choice of auditors. Auditors will not perform the audit
of their own work.

Responsibilities and requirements for planning and initiation, reports and records (see 4.3.3)
will be defined in written procedures.

Management responsible for the audited area will ensure that actions are taken without undue
delay to eliminate any detected non-compliance and its cause(s). The actions taken and the
results obtained are handled under Improvements below (see clause 7).

Improvements (details)

Continual Improvement

The organization must continually improve the effectiveness of its ISMS by making use of the
information security policy, security objectives, audit results, analyses of monitored
events, preventive and corrective actions, and the management review.

Corrective Action

The organization must take action in order to eliminate the causes of non-compliance
resulting from the implementation and operations, and so prevent re-occurrence. Procedures
for corrective action should include the following information:

a) Identification of non-compliance in implementation or operations;
b) Identification of the causes of non-compliance;
c) Determination of the actions required to prevent re-occurrence;
d) Definition and implementation of the required corrective action;
e) Recording of the results obtained by the corrective action (see Record Control);
f) Review of the corrective action taken.

Preventive Action
The organization must take action to protect against potential non-compliance and its
re-occurrence. The scope of preventive actions will be proportionate to the potential impact
of the non-compliance. Procedures for preventive action should include the following
information:

a) Identification of potential non-compliance and its cause(s);
b) Definition and implementation of the required preventive action;
c) Recording of the results obtained by the preventive action;
d) Review of the preventive action taken;
e) Identification of evolving risks and a description of the steps to be taken to counter
them. The priority level of preventive actions is set in accordance with the results of the
risk assessment.
NOTE: Preventive action is preferable to corrective action.

Record Control
Records are created and kept to provide evidence of compliance with ISMS requirements and of
its effective operation. Records must be protected and controlled, taking relevant legal
requirements into consideration. Records must be legible, readily identifiable and
retrievable. The controls needed for the identification, storage, protection, retrieval,
retention time and disposition of records must be documented. Management determines the
need for and scope of records.

Records of the performance of the process and of related security incidents will be kept,
such as: Visitor Sign-in Record, Audit Reports, Request for Access Authorization, etc.

Terms Found
Backup file
Risk analysis
Firewall
Industrial spy
Wiretapping
Domain
Trademark
Log
Private key cryptography
Freeware
