
Harold F. Tipton and Micki Krause

"Information Security Management Handbook, Sixth Edition, Volume 2"

A typical information security domain may be a data center, office area, or reception area, each with a unique security profile. Information security domains serve as the basis for enterprise information security baseline implementation. Each domain is autonomous in how it tailors the enterprise information security baseline requirements to its unique environment.
How Is an ISMS Built?
An ISMS is typically risk based and process oriented. There may be multiple layers of abstraction to accommodate the distinct audiences whose concerns must be addressed. The ISO27001 standard recommends a Plan, Do, Check, Act process-based approach defined as

Plan. Establish the ISMS
    Understand the environment
    Assess enterprise risk
    Charter Information Security Program
    Assess program risk
Do. Implement and operate the ISMS
    Create enterprise information security baseline
    Create domain-specific implementations
Check. Monitor and review the ISMS
    Assess operational risk
Act. Maintain and improve the ISMS
    Measure and monitor
[Figure: the Plan-Do-Check-Act cycle of an ISMS. Labels: quantified risk; control objective; enterprise controls (directive, process, responsibility); domain controls (specification, SOP, duty); metrics; reports.]
Understand the Environment
The structure and the content of the ISMS must take into account the management environment to be successful. Organizational considerations will influence the ISMS framework.

