Iso 27001 2013 clause 6 - planning - by Software development company in india

iFour Consultancy ISMS Framework: Clause 6 - Planning


Web development company India http://www.ifourtechnolab.com

Planning - ISMS requirements

"It is not enough to do your best; you must know what to do and then do your best." - W. Edwards Deming

An organization needs to establish its strategic objectives and should identify risks and opportunities and relate them to the scope of the ISMS. The following are the prerequisites for the planning phase, which focuses on establishing an effective and sustainable ISMS:

- Management commitment to security
- Security policy
- Security strategy and plan
- Security measures


Planning ISMS requirements (continued)

ISO 27001:2013 classifies planning into:

- Clause 6.1: Actions to address risks and opportunities
  - Clause 6.1.1: General
  - Clause 6.1.2: Information security risk assessment
  - Clause 6.1.3: Information security risk treatment
- Clause 6.2: Information security objectives and planning to achieve them

Planning for the ISMS requirements is done keeping these factors in mind:

- Size of the organization
- Nature of its business
- Maturity of its processes in implementing ISO
- Commitment of senior management


Planning process

Clause 6.1 Actions to address risk and opportunities

1. Determine internal issues, external issues, and interested parties and their requirements.
2. Define the methods and criteria for identifying risks and opportunities.
3. Determine the risks and opportunities that must be addressed so that the ISMS achieves its intended outcomes, prevents or reduces undesired effects, and achieves continual improvement.
4. Plan actions to address the risks and opportunities, using the chosen methods of prevention and reduction of undesired effects; the acceptable level of risk is proportional to the potential impact.
5. Draw up the action plan, including how the actions will be evaluated and how they will be integrated into the ISMS processes.
6. Implement the actions.


Clause 6.1 (Continued)

[Figure: Establish an ISMS]


Clause 6.1.2 Information security risk assessment

Risk is the probability of occurrence of an incident that causes harm to an informational asset.

The purpose of risk assessment is to identify:

- Threats to organizations (i.e., to their operations, assets, or individuals), or threats directed through organizations against other organizations or the nation
- Vulnerabilities, internal and external to organizations
- The adverse impact to organizations that may occur, given the potential for threats exploiting vulnerabilities
- The likelihood that harm will occur

Clause 6.1.2 focuses on:

- Defining an information security risk assessment process
- Assessing the organization's information security risks


Clause 6.1.2 (Continued)

Defining an information security risk assessment process

How are you going to perform the risk assessment process? The organization shall define and apply a risk assessment process that establishes and maintains information security risk criteria, including:

- Risk acceptance criteria
- Criteria for performing information security risk assessments

How are you going to ensure that your repeatedly performed risk assessments produce consistent, valid and comparable results?


Clause 6.1.2 (Continued)

[Figure: Risk assessment process]


Clause 6.1.2 (Continued)

Identify the organization's information security risks
- Identify the risks associated with loss of confidentiality, integrity and availability (CIA) for information within the scope of the ISMS
- Identify the risk owners

Analyze the organization's information security risks
- Assess the consequences that you might have to face if the identified risks materialize
- Assess the realistic likelihood of occurrence of the identified risks
- Determine the levels of risk

Evaluate the organization's information security risks
- Compare the risk analysis results with the risk criteria established earlier
- Prioritize the analyzed risks for risk treatment
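The three steps above (identify, analyze, evaluate) worked through as a small risk register, as an added example that is not part of the original slides. The likelihood and consequence scales, the acceptance threshold of 8, and the assets, scenarios and owners are all assumptions chosen for illustration. The example also shows one reason the clause asks for consistent and comparable results: ratings are restricted to fixed scales, so an ad-hoc rating is rejected instead of being scored.

```python
"""Worked risk assessment for ISO 27001:2013 clause 6.1.2 (added example).

Identify risks and their owners, analyze consequence and likelihood to get a
level of risk, then evaluate each level against the risk acceptance criterion
and prioritize the risks that need treatment.
"""
from dataclasses import dataclass, field

# Fixed ordinal scales (assumed for this example). Reusing the same scales on
# every assessment is what makes repeated results consistent and comparable.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk acceptance criterion (assumed): a level of 8 or below is accepted as is.
ACCEPTANCE_THRESHOLD = 8


@dataclass
class Risk:
    """One entry in the risk register."""
    asset: str
    scenario: str        # which of confidentiality, integrity, availability is lost, and how
    owner: str           # the risk owner named in the 'identify' step
    likelihood: str      # key into LIKELIHOOD
    consequence: str     # key into CONSEQUENCE
    level: int = field(init=False)

    def __post_init__(self) -> None:
        # Reject ratings outside the agreed scales so an analyst cannot
        # produce a non-comparable score with an ad-hoc value.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood rating: {self.likelihood!r}")
        if self.consequence not in CONSEQUENCE:
            raise ValueError(f"unknown consequence rating: {self.consequence!r}")
        # Analyze: level of risk = likelihood x consequence
        self.level = LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]


def evaluate(register: list[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> list[Risk]:
    """Compare each risk against the acceptance criterion and return those that
    exceed it, highest level first, ready for the treatment plan (clause 6.1.3)."""
    needs_treatment = [r for r in register if r.level > threshold]
    return sorted(needs_treatment, key=lambda r: (-r.level, r.asset))


def accepted(register: list[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> list[Risk]:
    """Risks at or below the acceptance criterion: still recorded, not treated."""
    return [r for r in register if r.level <= threshold]


def by_owner(register: list[Risk]) -> dict[str, list[str]]:
    """Group the assets each risk owner is accountable for."""
    owners: dict[str, list[str]] = {}
    for r in register:
        owners.setdefault(r.owner, []).append(r.asset)
    return owners


# Constructed sample register; assets, scenarios and owners are illustrative.
SAMPLE_REGISTER = [
    Risk("customer database", "confidentiality: unauthorised disclosure of customer records",
         "Head of Engineering", "possible", "severe"),
    Risk("build server", "integrity: unauthorised change to the build pipeline",
         "DevOps lead", "unlikely", "major"),
    Risk("guest wifi", "availability: outage of the guest network",
         "IT manager", "likely", "negligible"),
    Risk("HR file share", "confidentiality: over-broad access permissions",
         "HR director", "likely", "moderate"),
]


if __name__ == "__main__":
    for r in evaluate(SAMPLE_REGISTER):
        print(f"TREAT  level={r.level:2d} {r.asset}: {r.scenario} (owner: {r.owner})")
    for r in accepted(SAMPLE_REGISTER):
        print(f"ACCEPT level={r.level:2d} {r.asset}: {r.scenario} (owner: {r.owner})")
```

Lowering the threshold argument to `evaluate` is how a stricter acceptance criterion would be expressed; the register itself does not change, only which entries are handed to risk treatment and in what order.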


Clause 6.1.2 (Continued)

[Figure: Example of a step-wise risk assessment approach]

