Information Security Management

Objective

To manage information security effectively through all activities performed to deliver and manage services, so that the confidentiality, integrity and availability of relevant information assets are preserved.

Activities: Initial Process Setup

  • Define a scheme to classify information assets according to their sensitivity / criticality.
  • Define a way to document an inventory of (information) assets.
  • Identify, describe and classify the most important information assets.
  • Identify the most important links between configuration items (CIs), such as information-processing systems and facilities, and the information assets identified before.
  • Define a method / scheme to identify and assess information security risks.
  • Perform an initial risk assessment, based on the identified assets, and focused on the most significant information security risks.
  • Define clear information security policies as a basis for effective information security governance.
  • Define a way to document information security controls and to monitor their status and progress of implementation.
  • Identify and document the most important technical, physical and organisational information security controls in place.

Process Inputs

  • Information security requirements (from SLAs, legislation, contracts)
  • Relevant risk factors (information on assets, vulnerabilities, threats)

Activities: Ongoing Process Execution

  • Manage (information) assets
    • Add an information asset to the asset inventory
    • Update the description or classification of an information asset in the asset inventory
    • Remove an information asset from the asset inventory
  • Manage information security risks
    • Identify and assess a new or changed information security risk
    • Review or repeat the information security risk assessment (at regular intervals)
  • Maintain information security policies
    • Create, approve and communicate a new information security policy
    • Update an existing information security policy
    • Retire an existing information security policy
  • Plan and implement information security controls
    • Specify a new information security control
    • Update the specification of an existing information security control
    • Retire an existing information security control
  • Manage information security events and incidents
    • Monitor, record and classify information security events
    • Identify and handle an information security incident
    • Define and monitor follow-up actions after an information security incident
  • Perform access control
    • Process requests for access rights
    • Provide access rights
    • Modify or revoke access rights
    • Review access rights (at regular intervals)
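The periodic access-rights review listed above is the one activity in this list that lends itself to automation: given the asset inventory (with classifications) and the list of granted access rights, a review can mechanically flag grants that are overdue for recertification, grants to assets that have since been removed from the inventory, and grants whose holder's clearance is below the asset's classification. The following is an added example, not code from the original page or from any particular process framework; the classification levels, review interval, asset and grant records are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed ordered classification scheme (constructed for this example):
# a subject's clearance must be at least the asset's classification level.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Asset:
    asset_id: str
    classification: str
    owner: str


@dataclass(frozen=True)
class Grant:
    subject: str
    asset_id: str
    clearance: str        # clearance level the subject currently holds
    granted_on: date
    last_reviewed: date   # date of the last recertification of this grant


# Constructed sample asset inventory (the "Up-to-date inventory of information assets").
INVENTORY = {
    a.asset_id: a
    for a in [
        Asset("hr-db", "confidential", "hr-lead"),
        Asset("wiki", "internal", "it-ops"),
        Asset("board-minutes", "restricted", "ceo-office"),
    ]
}

# Constructed sample access rights; "legacy-share" was removed from the inventory
# but its grant was never revoked.
GRANTS = [
    Grant("alice", "hr-db", "confidential", date(2023, 9, 1), date(2024, 4, 15)),
    Grant("bob", "hr-db", "internal", date(2024, 2, 10), date(2024, 5, 1)),
    Grant("carol", "legacy-share", "internal", date(2022, 3, 3), date(2023, 12, 1)),
    Grant("dave", "wiki", "internal", date(2023, 6, 30), date(2024, 1, 20)),
]


def review_access_rights(inventory, grants, today, review_interval=timedelta(days=90)):
    """Return {(subject, asset_id): [problem, ...]} for every grant needing attention.

    Checks performed for each grant:
      * orphan   - the asset no longer exists in the inventory (grant should be revoked)
      * clearance - subject's clearance is below the asset's classification
      * overdue  - the grant has not been recertified within review_interval
    Grants with no problems are omitted from the result.
    """
    findings = {}
    for g in grants:
        problems = []
        asset = inventory.get(g.asset_id)
        if asset is None:
            problems.append("orphan: asset no longer in inventory")
        elif LEVELS[g.clearance] < LEVELS[asset.classification]:
            problems.append(
                f"clearance {g.clearance} below classification {asset.classification}"
            )
        if today - g.last_reviewed > review_interval:
            problems.append(f"overdue: last reviewed {g.last_reviewed.isoformat()}")
        if problems:
            findings[(g.subject, g.asset_id)] = problems
    return findings


if __name__ == "__main__":
    # Review as of an assumed review date so the output is reproducible.
    for (subject, asset_id), problems in sorted(
        review_access_rights(INVENTORY, GRANTS, date(2024, 6, 1)).items()
    ):
        for p in problems:
            print(f"{subject:<8} {asset_id:<14} {p}")
```

Grants that pass every check are deliberately left out of the result so that the review output is an action list for the asset owners rather than a full dump; in practice the inventory and grant list would be pulled from the CMDB and the identity provider rather than embedded as constants.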

Process Outputs

  • Up-to-date inventory of information assets
  • Approved information security policies
  • Up-to-date information security risk assessment
  • Documented information security controls
  • Reports on information security events, incidents and follow-up actions