Standards for ISM Flashcards
What four things should organisations do about information?
Collect, process and store info; recognise info, processes and people are important assets; face a range of risks that affect info; and address these risks
As risks and the effectiveness of controls change, what must organisations do?
Monitor the effectiveness of controls and procedures; identify emerging risks; and implement and improve controls
What is an ISMS?
An ISMS is the set of policies and guidelines in an organisation for protecting its important assets
What is Management in an infosec context?
Management is the set of activities used to direct, control and improve the organisation
What is ISM?
ISM is making or using security policies, procedures and guidelines
What is a process?
A process is the transformation of inputs to outputs
What is the process approach?
The process approach is the use of a set of processes and the interaction between these processes
Security requirements can be identified by analysing what?
Information assets and their value; needs for information processing; and legal, regulatory and contractual requirements
Assessing risks will require analysing what?
Threats to and vulnerabilities in assets; the likelihood of a threat materialising; and the potential impact of any incident on assets
Possible options for risk treatment include what?
Applying appropriate controls to reduce the risk; accepting the risk; avoiding the risk by not allowing those actions; and sharing the risk with other parties
What should happen before controls are selected and implemented?
Information security requirements should be identified; risks should be determined and assessed; and decisions should be made for the treatment of risks
How does an organisation maintain and improve an ISMS?
By monitoring and assessing performance, and reporting results to management
What is the aim of continual improvement?
To increase the probability of preserving CIA
What is the aim of ISO/IEC 27001?
To set down standardised requirements
What is the context clause of ISO/IEC 27001?
The organisation should determine external and internal issues that affect its ability to maintain security