Professional Documents
Culture Documents
EVALUATION R E Q U I R E M E N T S I N P L A I N E N G L I S H
Figure out how youre going to assess the performance of your information security and determine the effectiveness of your ISMS. Figure out how youre going to monitor the performance of your organization`s information security and the effectiveness of its ISMS. Determine what needs to be monitored. Figure out which information security processes need to be monitored. Figure out which information security controls need to be monitored. Select your monitoring methods. Make sure that your monitoring methods are capable of producing valid results. Figure out how you`re going to ensure that your monitoring methods will produce results that are comparable and reproducible. Establish when monitoring should be performed. Decide who should carry out the monitoring. Maintain a record of your monitoring results. Control your monitoring records. Figure out how youre going to measure the performance of your organization`s information security and the effectiveness of its ISMS. Determine what needs to be measured. Figure out which information security processes need to be measured.
TODO
DONE
TODO
DONE
3 4
TODO
DONE
TODO
DONE
The purpose of information security is to protect and preserve information. Its central purpose is to protect and preserve the confidentiality, integrity, and availability of information. It may also involve protecting and preserving the authenticity and reliability of information and ensuring that entities can be held accountable. An ISMS (information security management system) includes all of the policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures that organizations use to protect and preserve information and to manage and control information security risks. An ISMS is part of your larger management system.
TODO
DONE
6 7
TODO
DONE
TODO
DONE
TODO
DONE
9 10 11 12 13
TODO
DONE
TODO
DONE
TODO
DONE
These records are "documented information". Therefore they must be controlled (per 7.5.3).
TODO
DONE
TODO
DONE
14 15
TODO
DONE
TODO
DONE
YOUR LOCATION: DATE COMPLETED: DATE REVIEWED: PLAIN ENGLISH INFORMATION SECURITY MANAGEMENT STANDARD COPYRIGHT 2013 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. EDITION 1.0 PAGE 56
16
Figure out which information security controls need to be measured. Select your measurement methods. Make sure that your measurement methods are capable of producing valid results. Figure out how you`re going to ensure that your measurement methods will produce results that are comparable and reproducible. Establish when measurements should be performed. Decide who should carry out measurements. Maintain a record of your measurement results. Control your measurement records. Figure out how youre going to analyze the performance of your organization`s information security and the effectiveness of its ISMS. Select your analytical methods. Make sure that your analytical methods are capable of producing valid results. Figure out how you`re going to ensure that your analytical methods will produce results that are comparable and reproducible. Decide when your monitoring and measurement results should be analyzed. Determine who should analyze your monitoring and measurement results. Figure out how youre going to evaluate the performance of your organization`s information security and the effectiveness of its ISMS.
TODO
DONE
17 18
TODO
DONE
TODO
DONE
19
TODO
DONE
20 21 22 23 24
TODO
DONE
TODO
DONE
TODO
DONE
These records are "documented information". Therefore they must be controlled (per 7.5.3).
TODO
DONE
TODO
DONE
25 26
TODO
DONE
TODO
DONE
27
TODO
DONE
28
TODO
DONE
29
TODO
DONE
30
TODO
DONE
YOUR LOCATION: DATE COMPLETED: DATE REVIEWED: PLAIN ENGLISH INFORMATION SECURITY MANAGEMENT STANDARD COPYRIGHT 2013 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. EDITION 1.0 PAGE 57
31 32
Select your evaluation methods. Make sure that your evaluation methods are capable of producing valid results. Figure out how you`re going to ensure that your evaluation methods will produce results that are comparable and reproducible. Establish when your monitoring and measurement results should be evaluated. Decide who should evaluate your monitoring and measurement results. Assess the performance of your information security and determine the effectiveness of your ISMS. Monitor the performance of your organizations information security and the effectiveness of its ISMS. Measure the performance of your organizations information security and the effectiveness of its ISMS. Analyze the performance of your organizations information security and the effectiveness of its ISMS. Evaluate the performance of your organizations information security and the effectiveness of its ISMS.
TODO
DONE
TODO
DONE
33
TODO
DONE
34
TODO
DONE
35
TODO
DONE
36
TODO
DONE
37
TODO
DONE
38
TODO
DONE
39
TODO
DONE
40
TODO
DONE
9.2 SET UP AN INTERNAL AUDIT PROGRAM AND USE IT TO EVALUATE YOUR ISMS
41
Plan the development of an internal ISMS audit program for your organization. Make sure that your audit program is capable of determining whether or not your ISMS conforms to requirements. Make sure that your audit program is capable of determining whether or not your organization's ISMS conforms to its own ISMS requirements.
TODO
DONE
42
TODO
DONE
An audit is an evidence gathering process. Evidence is used to evaluate how well audit criteria are being met. Audits must be objective, impartial, and independent, and the audit process must be systematic and documented. Use the ISO 19011 2011 auditing standard to help establish your internal audit program. See http://www.praxiom.com/19011.htm
43
TODO
DONE
YOUR LOCATION: DATE COMPLETED: DATE REVIEWED: PLAIN ENGLISH INFORMATION SECURITY MANAGEMENT STANDARD COPYRIGHT 2013 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. EDITION 1.0 PAGE 58
44
Make sure that your audit program is capable of determining whether or not your ISMS conforms to the ISO IEC 27001 2013 information security requirements. Make sure that your audit program is capable of determining whether or not your ISMS has been implemented effectively. Make sure that your program is capable of determining whether or not your ISMS is being properly maintained. Establish your internal ISMS audit program. Establish your internal audit methods. Establish internal audit responsibilities. Establish internal audit planning requirements. Make sure that each internal audit studies the results of previous audits. Make sure that each internal audit considers the importance of the processes being audited. Make sure that each internal audit preserves the objectivity and impartiality of the audit process. Establish your internal audit schedules. Specify how often internal audits should be done. Conduct internal audits at planned intervals. Consider the results of previous audits when you schedule your organization's internal audits. Establish internal audit reporting requirements. Make sure that internal audit results are reported to the appropriate members of management.
TODO
DONE
45
TODO
DONE
46
TODO
DONE
47 48 49 50 51
TODO
DONE
TODO
DONE
TODO
DONE
TODO
DONE
TODO
DONE
52
TODO
DONE
53
TODO
DONE
54 55 56 57
TODO
DONE
TODO
DONE
TODO
DONE
TODO
DONE
58 59
TODO
DONE
TODO
DONE
YOUR LOCATION: DATE COMPLETED: DATE REVIEWED: PLAIN ENGLISH INFORMATION SECURITY MANAGEMENT STANDARD COPYRIGHT 2013 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. EDITION 1.0 PAGE 59
60 61 62 63 64 65 66 67
Implement your internal ISMS audit program. Define the scope for each internal audit. Specify audit criteria for each internal audit. Select impartial and objective internal auditors. Carry out regular internal information security audits. Report your internal audit results to management. Maintain your internal ISMS audit program. Maintain documents that can prove that you've implemented your internal ISMS audit program. Maintain a record of internal audit implementation. Control records that show audits are being done. Maintain a record of internal audit results. Control your record of internal audit results.
TODO
DONE
TODO
DONE
TODO
DONE
TODO
DONE
TODO
DONE
TODO
DONE
TODO
DONE
TODO
DONE
68 69 70 71
TODO
DONE
These records are "documented information". Therefore they must be controlled (per 7.5.3).
TODO
DONE
TODO
DONE
These records are "documented information". Therefore they must be controlled (per 7.5.3).
TODO
DONE
Establish a management review process. Use reviews to ensure that your ISMS is still suitable. Use reviews to ensure that your ISMS is still adequate. Use reviews to ensure that your ISMS is still effective. Plan your organizations ISMS review process. Schedule ISMS reviews at planned intervals. Review the performance of your ISMS. Review your risk assessment results.
TODO
DONE
TODO
DONE
TODO
DONE
A review is an activity. Its purpose is to figure out how well the thing being reviewed is capable of achieving established objectives. Reviews ask the following question: is the subject of the review a suitable, adequate, effective, and efficient way of achieving your organizations objectives?
TODO
DONE
TODO
DONE
TODO
DONE
TODO
DONE
TODO
DONE
YOUR LOCATION: DATE COMPLETED: DATE REVIEWED: PLAIN ENGLISH INFORMATION SECURITY MANAGEMENT STANDARD COPYRIGHT 2013 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. EDITION 1.0 PAGE 60
80 81
Review that status of risk treatment plans. Review the status of actions that were taken after previous management reviews. Review security performance feedback. Review information security objectives and achievements. Review monitoring and measurement results, evaluations, and analyses. Review previous nonconformities and the corrective actions that were taken. Review information security audit results. Review information security performance trends. Review feedback from interested parties. Review continual improvement opportunities. Generate management review outputs. Make decisions which take advantage of continual improvement opportunities or which address the need to change your organizations ISMS. Retain a record of management review results. Use your records to prove that reviews were actually carried out and results were achieved. Control your management review records.
TODO
DONE
TODO
DONE
82 83
TODO
DONE
TODO
DONE
84
TODO
DONE
85
TODO
DONE
86 87 88 89 90 91
TODO
DONE
TODO
DONE
TODO
DONE
TODO
DONE
TODO
DONE
TODO
DONE
92 93
TODO
DONE
TODO
DONE
These records are "documented information". Therefore they must be controlled (per 7.5.3).
94
TODO
DONE
Consider each task and select a response. If you havent done it, select TODO. If youve already done it, select DONE. In the spaces below, enter the name and location of your organization, who completed this section, who reviewed it, and the dates.
YOUR LOCATION: DATE COMPLETED: DATE REVIEWED: PLAIN ENGLISH INFORMATION SECURITY MANAGEMENT STANDARD COPYRIGHT 2013 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. EDITION 1.0 PAGE 61