Responsibilities
This is the "who" component of the security system.
- day-to-day accountability, assigned owners (positions, not people)
- detailed processes
- detailed actions
- designed to ensure the ISMS is on-going
47. Responsibilities Example
Requirement
1. context of the organisation
1.1 objectives
1.1 XXX shall confirm the objectives of this ISMS and identify any issues that might affect its effectiveness at least annually
1.2 3rd parties
1.2(a) XXX shall confirm the 3rd parties subject to this ISMS including applicable laws, regulations, contracts etc. at least annually
1.2(b) XXX shall confirm the information security-relevant requirements and obligations required of their 3rd parties at least annually
1.3 Scope
1.3 XXX shall confirm the scope of the ISMS at least annually
1.4 Improvement
1.4 XXX shall maintain and continually improve the ISMS according to ISO 27001
Action Requirement (based on the points above)
1.1 XXX must implement a process to review and confirm the objectives of the ISMS annually
1.2(a) XXX must implement a process to review and confirm the 3rd parties subject to the ISMS and applicable governance at least annually
1.2(b) XXX must implement a process to review and confirm the security requirements applicable to their 3rd parties at least annually
1.3 XXX must implement a process to confirm the scope of the ISMS annually with consideration to
a. the external and internal issues referred to in 4.1
b. the requirements referred to in 4.2
c. interfaces and dependencies between activities performed by the organisation and those that are performed by other organisations
1.4 XXX must establish a procedure to maintain and continually improve the ISMS according to the standard
48. Step 3 | Risk Treatment Plan
- the risk treatment plan is your method (the how)
- it represents the execution plan, directly derived from your risk strategy
- list on one board the risks, their occurrence probability, their potential impacts and their criticality
- risk calculation formula based on information asset value and risk tolerance & resilience
- keep in mind: risk criticality = threat x probability x impact
- check that it always answers well:
  + what are we protecting?
  + why are we protecting it?
49. Step 4 | Risk management
5 fundamental steps:
1. identify your assets
2. identify the potential vulnerabilities and threats to these assets
3. for each threat, quantify the probability of occurrence
4. calculate the impact of the incident on your business
5. implement cost-effective controls
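The "one board" of Step 3 and the five steps of Step 4 can be carried through on a small constructed risk register. The block below is an added example, not code from the slides or from ISO 27001: it applies the slide's formula (criticality = threat x probability x impact) to a few made-up risks, flags those above a tolerance threshold, and keeps only the controls whose annual cost is below the exposure they remove. The 1-5 rating scale, the single-number tolerance, the monetary "exposure" proxy (asset value scaled by normalised criticality) and all asset values, ratings and control costs are assumptions for the illustration, not figures from the page.

```python
from dataclasses import dataclass

SCALE_MAX = 5                       # assumed 1-5 rating scale for threat, probability and impact
MAX_CRITICALITY = SCALE_MAX ** 3    # 125: the largest value the slide's formula can produce


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float      # constructed: value of the information asset (kEUR per year)
    threat: str
    threat_rating: int      # 1-5, capability/likelihood of the threat source (assumed scale)
    probability: int        # 1-5, likelihood that the threat exploits a vulnerability
    impact: int             # 1-5, business impact if it does

    def criticality(self) -> int:
        """Slide 48: risk criticality = threat x probability x impact."""
        return self.threat_rating * self.probability * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # constructed, kEUR per year
    residual_probability: int   # probability rating once the control is in place
    residual_impact: int        # impact rating once the control is in place


def exposure(risk: Risk) -> float:
    """Assumed monetary proxy: asset value scaled by the normalised criticality."""
    return risk.asset_value * risk.criticality() / MAX_CRITICALITY


def residual(risk: Risk, control: Control) -> Risk:
    """The same risk re-rated with the control applied. The threat rating is kept:
    a control lowers likelihood or impact, it does not change the threat source."""
    return Risk(risk.asset, risk.asset_value, risk.threat, risk.threat_rating,
                control.residual_probability, control.residual_impact)


def rank_register(risks):
    """The 'one board' of slide 48: every risk, most critical first."""
    return sorted(risks, key=lambda r: r.criticality(), reverse=True)


def above_tolerance(risks, tolerance: int):
    """Risks whose criticality exceeds the tolerance threshold (assumed to be one number)."""
    return [r for r in risks if r.criticality() > tolerance]


def cost_effective_controls(risk: Risk, controls):
    """Step 5 of slide 49: keep only controls whose annual cost is below the exposure
    they remove. Returns (control, net_benefit) pairs, best first."""
    scored = []
    for c in controls:
        saved = exposure(risk) - exposure(residual(risk, c))
        net = saved - c.annual_cost
        if net > 0:
            scored.append((c, net))
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample register (not real data)
DB_RISK = Risk("customer database", 500.0, "ransomware", 4, 3, 5)
RISKS = [
    Risk("HR laptops", 80.0, "device loss", 2, 3, 3),
    DB_RISK,
    Risk("public website", 50.0, "defacement", 3, 4, 2),
]
CONTROLS = [
    Control("offline backups with tested restore", 30.0, residual_probability=3, residual_impact=2),
    Control("EDR on all endpoints", 25.0, residual_probability=1, residual_impact=5),
    Control("premium cyber insurance", 150.0, residual_probability=3, residual_impact=4),
]

if __name__ == "__main__":
    flagged = above_tolerance(RISKS, 20)
    print(f" {'asset':18} {'threat':12} crit  exposure")
    for r in rank_register(RISKS):
        flag = "!" if r in flagged else " "
        print(f"{flag}{r.asset:18} {r.threat:12} {r.criticality():4}  {exposure(r):8.1f}")
    print("\nCost-effective controls for", DB_RISK.asset)
    for c, net in cost_effective_controls(DB_RISK, CONTROLS):
        print(f"  {c.name:40} net benefit {net:6.1f}")
```

Running it prints the board sorted by criticality with the above-tolerance risks marked, then the controls for the database risk in order of net benefit; the insurance option drops out because its cost exceeds the exposure it removes. The point of the exercise is that the two questions on slide 48 (what are we protecting, and why) are answered by the asset value and the impact rating, which are the inputs that decide whether a control is worth its cost.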