Security Policy: Difference between revisions

Jump to navigation Jump to search
← Older editNewer edit →
Line 82: Line 82:
When planning for the information security management system, the organization shall consider the issues referred to [[https://wiki.officience.com/Security_Policy#Understanding_the_organization_and_its_context|]] and the requirements referred to in [[https://wiki.officience.com/Security_Policy#Understanding_the_needs_and_expectations_of_interested_parties]] and determine the risks and opportunities that need to be addressed to:
When planning for the information security management system, the organization shall consider the issues referred to [[https://wiki.officience.com/Security_Policy#Understanding_the_organization_and_its_context|]] and the requirements referred to in [[https://wiki.officience.com/Security_Policy#Understanding_the_needs_and_expectations_of_interested_parties]] and determine the risks and opportunities that need to be addressed to:


* ensure the information security management system can achieve its intended outcome(s);  
:1. ensure the information security management system can achieve its intended outcome(s);  
* prevent, or reduce, undesired effects; and  
:2. prevent, or reduce, undesired effects; and  
* achieve continual improvement.
:3. achieve continual improvement.


The organization shall plan:
The organization shall plan:


* actions to address these risks and opportunities; and
:4. actions to address these risks and opportunities; and
* how to:  
:5. how to:  
:(a) integrate and implement the actions into its information security management system processes; and  
::(a) integrate and implement the actions into its information security management system processes; and  
:(b) evaluate the effectiveness of these actions.
::(b) evaluate the effectiveness of these actions.


====Information security risk assessment====
====Information security risk assessment====
Line 97: Line 97:
The organization shall define and apply an information security risk assessment process that:  
The organization shall define and apply an information security risk assessment process that:  


* Establishes and maintains information security risk criteria that include:
# Establishes and maintains information security risk criteria that include:
          (a) the risk acceptance criteria; and
:(a) the risk acceptance criteria; and
          (b) criteria for performing information security risk assessments;
:(b) criteria for performing information security risk assessments;
* Ensures that repeated information security risk assessments produce consistent, valid and comparable results;
# Ensures that repeated information security risk assessments produce consistent, valid and comparable results;
* Identifies the information security risks:  
# Identifies the information security risks:
          (a) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
:(a) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
          (b) identify the risk owners;
:(b) identify the risk owners;
* Analyses the information security risks:  
# Analyses the information security risks:
          (a) assess the potential consequences that would result if the risks identified were to materialize;  
:(a) assess the potential consequences that would result if the risks identified were to materialize;
          (b) assess the realistic likelihood of the occurrence of the risks identified; and  
:(b) assess the realistic likelihood of the occurrence of the risks identified; and
          (c)determine the levels of risk;
:(c)determine the levels of risk;
* Evaluates the information security risks:  
# Evaluates the information security risks:
          (a) compare the results of risk analysis with the risk criteria established; and  
:(a) compare the results of risk analysis with the risk criteria established; and
          (b) prioritize the analysed risks for risk treatment.
:(b) prioritize the analysed risks for risk treatment.


The organization shall retain documented information about the information security risk assessment process.
The organization shall retain documented information about the information security risk assessment process.
Line 144: Line 144:
The information security objectives shall:
The information security objectives shall:


* be consistent with the information security policy;
:1. be consistent with the information security policy;


* be measurable (if practicable);
:2. be measurable (if practicable);


* take into account applicable information security requirements, and results from risk assessment and risk treatment;
:3. take into account applicable information security requirements, and results from risk assessment and risk treatment;


* be communicated; and
:4. be communicated; and


* be updated as appropriate.
:5. be updated as appropriate.


The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organization shall determine:
The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organization shall determine:


* what will be done;
:6. what will be done;


* what resources will be required;
:7. what resources will be required;


* who will be responsible;
:8. who will be responsible;


* when it will be completed; and
:9. when it will be completed; and


* how the results will be evaluated.
:10. how the results will be evaluated.


==Support==
==Support==
Retrieved from "https://wiki.officience.com/Security_Policy"