Clever Geek Handbook

Information Security Management System

The information security management system (ISMS) is the part of the overall management system that, based on a business risk approach, covers the creation, implementation, operation, monitoring, analysis, support and improvement of information security.

When built in accordance with the requirements of ISO/IEC 27001, it is based on the PDCA model:

  • Plan - the phase of creating an ISMS: creating a list of assets, assessing risks and choosing measures;
  • Do (action) - the stage of implementing and deploying the relevant measures;
  • Check - the phase of evaluating the effectiveness and performance of the ISMS, usually performed by internal auditors;
  • Act (improvements) - the implementation of preventive and corrective actions.

In Russia, the corresponding standard is GOST R ISO/IEC 27001-2006, "Information Technology. Security methods and tools. Information Security Management Systems. Requirements."

See also

  • ISO 27000 Series
  • Cobit
Source - https://ru.wikipedia.org/w/index.php?title=Information security_management_ system&oldid = 83803956



Clever Geek | 2019