SP-018: Information Security Management System (ISMS) Module

Diagram:

Legend: Information Security Management System based on Plan, Do, Check, Act Model with specific reference to Policy controls through catalog, plus Certification and Incident Response.

Description: The Plan, Do, Check, Act model is an accepted lifecycle for information security management. The plan phase focuses on setting policies, a strategy for implementing controls to achieve security objectives, and specific roadmaps to achieve control implementation within systems. Controls are executed in the do phase. Tests are performed in the check phase to ensure that controls are operating as intended and meet their objectives. Deficiencies or gaps are remediated in the act phase, and the cycle repeats.

Generally, control execution lies with system owners and operators and is distributed across the organisation and its suppliers, especially with the increasing use of SaaS and cloud models. Some control execution can lie with the Security organisation, especially for controls related to the security of the overall environment, such as incident response.

The NIST Risk Management Framework defines a more detailed security lifecycle that focuses on the implementation of controls in a specific IT system rather than at the overall ISMS level.

Assumptions: The Plan, Do, Check, Act model is the basis for the lifecycle.

Typical challenges: A structured planning approach can be difficult to embed into the organisation and requires commitment from senior management over an extended period of time.

Indications: An organisation with a computing environment that must be secured in a structured manner to meet business, legal, regulatory or industry requirements.

Contra-indications: None

Resistance against threats: Not applicable

References:
ISO 27001 ISMS
NIST Risk Management Framework

Related patterns: n/a

Classification: Module

Release: 08.02

Authors: Russell Wing

Reviewer(s): Pending

Control details

AC-01 Access Control Policies and Procedures
AC-13 Supervision And Review -- Access Control
AT-01 Security Awareness And Training Policy And Procedures
AT-05 Contacts With Security Groups And Associations
AU-01 Audit And Accountability Policy And Procedures
CA-01 Certification, Accreditation, And Security Assessment Policies And Procedures
CA-02 Security Assessments
CA-04 Security Certification
CA-05 Plan Of Action And Milestones
CA-07 Continuous Monitoring
CM-01 Configuration Management Policy And Procedures
CP-01 Contingency Planning Policy And Procedures
IA-01 Identification And Authentication Policy And Procedures
IR-01 Incident Response Policy And Procedures
IR-04 Incident Handling
IR-05 Incident Monitoring
IR-06 Incident Reporting
IR-07 Incident Response Assistance
MA-01 System Maintenance Policy And Procedures
MP-01 Media Protection Policy And Procedures
PE-01 Physical And Environmental Protection Policy And Procedures
PL-01 Security Planning Policy And Procedures
PS-01 Personnel Security Policy And Procedures
RA-01 Risk Assessment Policy And Procedures
RA-05 Vulnerability Scanning
SA-01 System And Services Acquisition Policy And Procedures
SC-01 System And Communications Protection Policy And Procedures
SI-01 System And Information Integrity Policy And Procedures
SI-05 Security Alerts And Advisories