SP-018: Information Security Management System (ISMS) Module
Diagram:
Legend: Information Security Management System based on Plan, Do, Check, Act Model with specific reference to Policy controls through catalog,
plus Certification and Incident Response.
Description: The Plan, Do, Check, Act model is an accepted lifecycle for information security management. The plan phase focuses on
setting policies, a strategy for implementing controls to achieve security objectives, and specific roadmaps to achieve control implementations
within systems. Controls are executed in the do phase. Tests are performed in the check phase to ensure that controls are operating as intended and
meet objectives. Deficiencies or gaps are remediated in the act phase and the cycle repeats.
Generally, control execution lies with system owners and operators and is distributed across the organisation and its suppliers, especially with
the increasing use of SaaS and cloud models. Some control execution can lie with the Security organisation, especially for controls specifically related to
the security of the overall environment, such as incident response.
The NIST Risk Management Framework defines a more detailed security lifecycle that focuses on the implementation of controls in a specific IT
system rather than at the overall ISMS level.
Assumptions: The Plan, Do, Check, Act Model is the basis for the lifecycle.
Typical challenges: A structured planning approach can be difficult to embed into the organisation and requires commitment from
senior management over extended periods of time.
Indications: An organisation with a computing environment that must be secured in a structured manner to meet Business, Legal,
Regulatory or Industry requirements.