Security Mgt, ISO 27001, PDCA


IYM001 Mind Map on Security Mgt, ISO 27001, PDCA, created by jjanesko on 02/05/2013.


Security Mgt, ISO 27001, PDCA
  1. plan
    1. establish ISMS
      1. define policy
        1. includes framework for setting objectives
        2. takes into account requirements
          1. business
          2. regulatory
          3. contractual
          4. legal
        3. aligns with strategic risk mgt context
        4. establishes risk evaluation criteria
        5. approved by management
      2. define scope and boundaries based on
        1. business characteristics
        2. location
        3. assets and technology
      3. define risk assessment approach
        1. define suitable methodology
        2. define criteria for accepting risks
        3. define acceptable risk levels
      4. identify risks
        1. identify assets & owners
        2. identify threats
        3. identify vulnerabilities
        4. identify impacts of loss of confidentiality, integrity, availability on assets
      5. analyze & evaluate risks
        1. assess business impacts on the organization from security failures
        2. assess likelihood with respect to currently implemented controls
        3. estimate the levels of risks
        4. determine if risks are acceptable using criteria for accepting risk
      6. identify options for risk treatment
        1. controls
        2. accept
        3. avoid
        4. transfer
      7. select controls
        1. obtain management approval of residual risk
        2. prepare statement of applicability
          1. documents control objectives, selected controls and reasoning
          2. currently implemented control objectives and controls
          3. any excluded control objectives and justification
  2. do
    1. implement and operate the ISMS
      1. implement
        1. policy
        2. controls
        3. processes
        4. procedures
      2. formulate risk treatment plan which identifies, for risk management
        1. management action
        2. resources
        3. responsibilities
        4. priorities
      3. implement selected controls
      4. define how to measure and assess effectiveness
      5. implement training and awareness programmes
      6. manage ISMS operation
      7. manage ISMS resources
      8. implement procedures and controls capable of prompt detection of & response to security events
  3. check
    1. monitor and review the ISMS
      1. execute monitoring & reviewing procedures to
        1. detect errors in processing results
        2. promptly identify security breaches
        3. enable management to determine whether security activities are performing as expected
          1. activities assigned to people
          2. activities implemented in IT
        4. help detect and prevent security incidents by use of indicators
        5. determine whether actions to resolve a breach were effective
      2. undertake regular reviews of effectiveness, taking into account
        1. results of security audits
        2. incident logs
        3. results from effectiveness measurements
        4. suggestions and feedback from stakeholders
      3. measure effectiveness of controls to verify security requirements have been met
      4. review risk assessment at regular intervals, taking into account changes to
        1. the organization
        2. technology
        3. business objectives and processes
        4. identified threats
        5. effectiveness of implemented controls
        6. external events such as regulatory changes
      5. conduct internal audit
      6. undertake regular management review of ISMS
      7. update security plans based on monitoring and review
      8. record actions and events that could have an impact on the effectiveness of the ISMS
  4. act
    1. maintain and improve the ISMS
      1. implement identified improvements
      2. take appropriate corrective and preventive actions
      3. apply lessons learned from internal and external organizations
      4. communicate actions and improvements to all interested parties
      5. ensure improvements achieve their intended objectives
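The plan-phase branch of the map (identify assets, threats, vulnerabilities and CIA impacts; assess likelihood against existing controls; estimate risk levels; compare against acceptance criteria; pick a treatment; get residual risk approved; write the statement of applicability) is a procedure, so here it is carried through on a small risk register. This is an added example, not part of the mind map, the IYM001 course or ISO 27001 itself: the 1..5 scales, the likelihood x impact formula, the acceptance thresholds, the assets, the threat scenarios and the control catalogue (CTL-01 .. CTL-03) are all constructed for illustration, since the standard leaves the methodology and the numbers to the organisation.

```python
"""Plan-phase risk assessment and treatment, worked end to end on constructed data."""
from dataclasses import dataclass
from typing import Literal, Optional

Treatment = Literal["accept", "control", "avoid", "transfer"]

# Constructed acceptance criteria ("define criteria for accepting risks",
# "define acceptable risk levels"); an organisation sets its own.
SCALE = range(1, 6)        # likelihood and each CIA impact are scored 1 (low) .. 5 (high)
ACCEPTABLE_RISK = 6        # likelihood x impact at or below this needs no treatment
RESIDUAL_CEILING = 6       # proposed residual risk above this needs explicit management sign-off


@dataclass
class Risk:
    asset: str
    owner: str                  # "identify assets & owners"
    threat: str                 # "identify threats"
    vulnerability: str          # "identify vulnerabilities"
    impact_c: int               # impact of loss of confidentiality
    impact_i: int               # impact of loss of integrity
    impact_a: int               # impact of loss of availability
    likelihood: int             # realistic likelihood given controls already in place
    treatment: Treatment = "accept"
    control: Optional[str] = None             # selected control when treatment == "control"
    treated_likelihood: Optional[int] = None  # expected likelihood once that control operates

    def __post_init__(self) -> None:
        for v in (self.impact_c, self.impact_i, self.impact_a, self.likelihood):
            if v not in SCALE:
                raise ValueError(f"score {v} outside scale 1..{SCALE.stop - 1}")

    def impact(self) -> int:
        # The worst of the three CIA consequences drives the impact score.
        return max(self.impact_c, self.impact_i, self.impact_a)

    def level(self) -> int:
        return self.likelihood * self.impact()          # "estimate the levels of risks"

    def acceptable(self) -> bool:
        return self.level() <= ACCEPTABLE_RISK           # "determine if risks are acceptable"

    def residual_level(self) -> int:
        if self.treatment == "avoid":
            return 0                                     # asset or activity removed
        if self.treatment == "control":
            if self.control is None or self.treated_likelihood not in SCALE:
                raise ValueError("'control' treatment needs a control and a treated likelihood")
            return self.treated_likelihood * self.impact()
        # "accept" keeps the level; "transfer" (insurance, outsourcing) moves who bears the
        # loss but, in this simple model, does not lower the organisation's own score.
        return self.level()


def needs_management_approval(risks: list[Risk]) -> list[Risk]:
    """Risks whose proposed residual level still exceeds the ceiling
    ("obtain management approval of residual risk")."""
    return [r for r in risks if r.residual_level() > RESIDUAL_CEILING]


def statement_of_applicability(risks: list[Risk], catalogue: dict[str, str]) -> dict[str, str]:
    """For every catalogue control record the reasoning for selecting it or the
    justification for excluding it ("prepare statement of applicability")."""
    selected: dict[str, list[str]] = {}
    for r in risks:
        if r.treatment == "control":
            selected.setdefault(r.control, []).append(f"{r.threat} against {r.asset}")
    return {
        ctl: (f"SELECTED ({title}): treats " + "; ".join(selected[ctl]))
        if ctl in selected else f"EXCLUDED ({title}): no identified risk requires it"
        for ctl, title in catalogue.items()
    }


# Constructed control catalogue (stand-in for the organisation's control list, not Annex A).
CATALOGUE = {
    "CTL-01": "Daily off-site backups with restore tests",
    "CTL-02": "Patch management and access control on the customer database",
    "CTL-03": "Clear-desk and clear-screen policy",
}

# Constructed risk register: the output of "identify risks" and "analyze & evaluate risks".
REGISTER = [
    Risk("customer database", "Head of Sales", "external attacker", "unpatched DBMS",
         impact_c=5, impact_i=4, impact_a=3, likelihood=3,
         treatment="control", control="CTL-02", treated_likelihood=1),
    Risk("file server", "IT manager", "ransomware", "no tested backups",
         impact_c=2, impact_i=4, impact_a=5, likelihood=4,
         treatment="control", control="CTL-01", treated_likelihood=2),
    Risk("office printer", "Facilities", "hardware failure", "ageing device",
         impact_c=1, impact_i=1, impact_a=2, likelihood=3),               # 3 x 2 = 6: accept
    Risk("legacy FTP service", "IT manager", "credential sniffing", "cleartext protocol",
         impact_c=4, impact_i=3, impact_a=2, likelihood=4, treatment="avoid"),  # decommission
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:<20} level={r.level():>2} acceptable={r.acceptable()!s:<5} "
              f"treatment={r.treatment:<8} residual={r.residual_level()}")
    print("needs sign-off:", [r.asset for r in needs_management_approval(REGISTER)])
    for ctl, line in statement_of_applicability(REGISTER, CATALOGUE).items():
        print(ctl, line)
```

Running it shows the file server still carrying a residual of 10 after backups, which is exactly the case the map's "obtain management approval of residual risk" step exists for: the treatment lowers the risk but not below the ceiling, so someone with authority must knowingly accept it or fund a further control, and the statement of applicability records CTL-03 as excluded with a reason rather than silently omitting it.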