1. ISMS
    1. Establishing and Managing ISMS
      1. Establish the ISMS
        1. Define Scope
        2. Define ISMS Policy
          1. framework for setting objectives, direction and principles
          2. business, legal, regulatory and contractual security obligations
          3. aligns with strategic risk management
          4. establishes criteria against which risk
          5. approved by management
        3. Define Risk Assessment Approach
          1. identify risk assessment methodology
          2. develop criteria for accepting risks and identify acceptable levels of risk
        4. Identify the risks
          1. identify assets and owners
          2. identify threats to those assets
          3. identify vulnerabilities that might be exploited by the threats
          4. identify the impacts that losses of confidentiality, integrity and availability (CIA) may have on the assets
        5. Analyse and Evaluate the Risks
          1. assess business impact
          2. assess likelihood of security failures and impacts to assets
          3. estimate levels of risks
          4. determine whether risks are acceptable or require treatment
        6. Identify and Evaluate Options for the Treatment of Risks
          1. applying appropriate controls
          2. knowingly accepting risks with provisions
          3. satisfy org's policies and criteria for accepting risks
          4. avoiding risks
          5. transfer risks to other parties
          6. insurers, suppliers
        7. Select Control Objectives and Controls for Treatment of Risks
        8. Obtain Management Approval of the Proposed Residual Risks
        9. Obtain Management Authorization to Implement ISMS
        10. Prepare Statement of Applicability
          1. Control Objectives and Controls selected and reason for selection
          2. Control Objectives and Controls currently implemented
          3. Exclusion of any Control Objectives and Controls and justification
      2. Implement and Operate the ISMS
        1. Formulate Risk Treatment Plan
        2. Implement Risk Treatment Plan
        3. Implement Control Selected to Meet Control Objectives
        4. Define and Measure Controls Effectiveness
        5. Implement Training and Awareness Programmes
        6. Manage Operation of ISMS
        7. Manage Resources for ISMS
        8. Implement Procedures Capable of Prompt Detection of Security Events and Response to Security Incidents
      3. Monitor and Review the ISMS
        1. Execute Monitoring and Reviewing Procedure
        2. Undertake Regular Reviews of ISMS Effectiveness
        3. Measure Effectiveness of Controls
        4. Review Risk Assessments at Planned Intervals
        5. Conduct Internal ISMS Audits at Planned Intervals
        6. Undertake Management Review of ISMS on Regular Basis
        7. Update Security Plans
        8. Record Actions and Events That Could Impact Performance of ISMS
      4. Maintain and Improve the ISMS
        1. Implement the Identified Improvements
        2. Implement Corrective and Preventive Actions
        3. Ensure Improvements Achieve Intended Objectives
    2. Documentation Requirements
      1. General
        1. ISMS Policy and Objectives Statements
        2. ISMS Scope
        3. ISMS Procedures and Controls
        4. Risk Assessment Methodology Description
        5. Risk Assessment Report
        6. Procedures for Effective Planning, Operation and Control of InfoSec Processes and Measurement of Effectiveness
        7. Records
        8. Statement of Applicability
      2. Document Control Procedure
        1. Approval of Documents for Adequacy
        2. Review and Update Documents
        3. Changes and Current Revision Status Identification
        4. Ensure that Relevant Versions of Applicable Documents are Available
        5. Ensure Documents Remain Legible and Identifiable
        6. Ensure that Documents are Available, Transferred, Stored and Disposed According to Classification
        7. Ensure Externally Originated Documents Are Identified
        8. Ensure Distribution of Documents is Controlled
        9. Prevent Use of Obsolete Documents
        10. Apply Suitable Identification To Obsolete Documents If Still Retained for Use
      3. Control of Records
        1. Identification, Storage, Protection, Retrieval, Retention Time and Disposition Documented
  2. Management Responsibility
    1. Management Commitment
      1. Establish ISMS Policy
      2. Ensuring ISMS Objectives and Plans Established
      3. Establish Roles & Responsibilities for InfoSec
      4. Communicating importance of meeting InfoSec Objectives and conforming to InfoSec Policy
      5. Provides sufficient resources
      6. Decides criteria for accepting risks and acceptable levels of risk
      7. Ensuring Internal ISMS Audit Conducted
      8. Conducting ISMS Management Reviews
    2. Resource Management
      1. Provision of Resources
      2. Training, Awareness and Competence
  3. Internal ISMS Audits
    1. To Determine
      1. Conformance to ISO 27001 Standards and Legislation or Regulations
      2. Conformance to Identified InfoSec Requirements
      3. ISMS Effectively Implemented and Maintained
      4. ISMS Performs as Expected
    2. Audit Programme
      1. Audit Criteria
      2. Audit Scope
      3. Audit Frequency
      4. Audit Methods
      5. Auditor Selection
        1. Auditor Shall Not Audit Their Own Work
    3. Audit Process
      1. Audit Plan
      2. Audit Report
        1. Report Results
        2. Maintain Records
  4. Management Review of the ISMS
    1. To Ensure Continuing
      1. Suitability
      2. Adequacy
      3. Effectiveness
    2. Includes Assessment of
      1. Opportunities for Improvement
      2. Need for Changes
    3. Review Input
      1. Result of ISMS audits & reviews
      2. Feedback from interested parties
      3. Techniques, products or procedures to improve ISMS performance & effectiveness
      4. Status of preventive and corrective actions
      5. Vulnerabilities or threats not adequately addressed previously
      6. Results from effectiveness measurements
      7. Follow-up actions from previous management reviews
      8. Changes that affect the ISMS
      9. Recommendations for improvement
    4. Review Output (Decisions)
      1. ISMS effectiveness improvement
      2. Risk assessment and risk treatment plan update
      3. Modification of procedures and controls that affect InfoSec
        1. Business requirement
        2. Security requirement
        3. Business processes
        4. Regulatory or legal requirement
        5. Contractual obligations
        6. Levels of risk criteria for accepting risks
      4. Resource needs
      5. Improvement on how effectiveness of controls is being measured
  5. ISMS Improvement
    1. Continual Improvement
    2. Corrective Action
      1. Identifying nonconformities
      2. Determining causes of nonconformities
      3. Evaluating need for actions to ensure nonconformities do not occur
      4. Determining and implementing corrective action
      5. Recording results of action taken
      6. Reviewing corrective action taken
    3. Preventive Action
      1. Identifying potential nonconformities and their causes
      2. Evaluating need for action to prevent occurrence of nonconformities
      3. Determining and implementing preventive action needed
      4. Recording results of action taken
      5. Reviewing preventive action taken
      6. More Cost-Effective Than Corrective Action