how policies are written and reviewed.
Risk management is the cornerstone of the ISMS, allowing for continuous means to identifying threats to the organisation and select appropriate Annex A controls to implement and maintain.
assignment of responsibilities for specific tasks.
ensuring employees understand their responsibilities prior to employment, when roles change and after leaving
identify information assets and defining appropriate protection responsibilities.
ensure that employees can only view information that’s relevant to their job role (need-to-know-basis)
encryption and key management of sensitive information.
secure the organisation premises and equipment.
ensure that information processing facilities are secure.
how to protect information in networks.
ensure that information security is a central part of the organisation and systems
agreements included in contracts with third parties, and how to measure agreements are being kept.
how to report disruptions and breaches, and who is responsible for certain activities.
how to address business disruptions.
Identify the laws, regulations and standards that apply to your organisation