Standards for ISM Flashcards
What four things should organisations do about information?
Collect, process and store info; recognise info, processes and people are important assets; face a range of risks that affect info; and address these risks
As risks and the effectiveness of controls change, what must organisations do?
Monitor the effectiveness of controls and procedures; identify emerging risks; and implement and improve controls
What is an ISMS?
An ISMS is the set of policies and guidelines an organisation uses to protect its important assets
What is Management in an infosec context?
Management is the set of activities used to direct, control and improve the organisation
What is ISM?
ISM is making or using security policies, procedures and guidelines
What is a process?
A process is the transformation of inputs to outputs
What is the process approach?
The process approach is the use of a set of processes and the interaction between these processes
Security requirements can be identified by analysing what?
Information assets and their value; needs for information processing; and legal, regulatory and contractual requirements
Assessing risks will require analysing what?
Threats to and vulnerabilities in assets; the likelihood of a threat materialising; and the potential impact of any incident on assets
Possible options for risk treatment include what?
Apply appropriate controls to reduce the risk; accept the risk; avoid the risk by not allowing those actions; share the risk with other parties
What should happen before controls are selected and implemented?
Information security requirements should be identified; risks should be determined and assessed; and decisions should be made for the treatment of risks
How does an organisation maintain and improve an ISMS?
By monitoring and assessing performance, and reporting results to management
What is the aim of continual improvement?
To increase the probability of preserving CIA
What is the aim of ISO/IEC 27001?
To set down standardised requirements
What is the context clause of ISO/IEC 27001?
The organisation should determine external and internal issues that affect its ability to maintain security
What should the organisation consider when determining the scope of their ISMS?
External and internal issues, requirements of interested parties, and interfaces and dependencies between activities performed by the organisation
What is the leadership clause of ISO/IEC 27001?
Leadership and commitment, policy and organisational roles
What is the planning clause of ISO/IEC 27001?
Actions to address risks, and security objectives and planning to meet them
What five things should a risk assessment process do?
Establish risk criteria; ensure that repeated assessments create consistent results; identify the risks; analyse the risks; and evaluate the risks
In risk assessment, what does it mean to identify risks?
Apply the risk assessment process to find risks associated with CIA, and identify the risk owners
In risk assessment, what does it mean to analyse risks?
Assess the potential consequences, the likelihood, and therefore the level of risk
In risk assessment, what does it mean to evaluate risks?
Compare the results of risk analysis with the risk criteria, and prioritise the risks
What is awareness in an information security context?
Persons doing work under the organisation's control should be aware of the information security policy and all of its underlying principles
When creating and updating documentation, what should be ensured?
Identification and descriptions, format, and review and approval
When should organisations perform security risk assessments?
At planned intervals or when significant changes are made