The latest version of Information Security Management System is a risk-based system which takes into account the context of the organisation with respect to ISMS. It requires the organisation to identify their internal issues, external issues and the interested parties' requirements. These three items mentioned above lead to the risks (uncertainties) and opportunities (desirable twist of uncertainties into a favourable situation) in the ISMS of the organisation.
Those risks need to be assessed based on a pre-defined criterion (eg. low risk, medium risk, high risk) and plan for actions on the risks and opportunities based on the criterion through appropriate controls. There are pre-defined controls in Annex-A after the ten clauses of the standard, which cover almost all types of InfoSec uncertainties. The organisation can also choose to define and exercise additional controls (though this would rarely be required). Like any other management system, this standard also stresses upon a Plan-Do-Check-Act approach.
From India, Chennai
Those risks need to be assessed based on a pre-defined criterion (eg. low risk, medium risk, high risk) and plan for actions on the risks and opportunities based on the criterion through appropriate controls. There are pre-defined controls in Annex-A after the ten clauses of the standard, which cover almost all types of InfoSec uncertainties. The organisation can also choose to define and exercise additional controls (though this would rarely be required). Like any other management system, this standard also stresses upon a Plan-Do-Check-Act approach.
From India, Chennai
Find answers from people who have previously dealt with business and work issues similar to yours - Please Register and Log In to CiteHR and post your query.
ISO 9001-2000 Quality Management System Design.zip
Security management.doc
ISO 9001-2000 Quality Management System Design.pdf