Gap Analysis (Information Security / Risk)
The document outlines the framework for an Information Security Management System (ISMS), detailing the context of the organization, leadership roles, planning, support, operations, performance evaluation, and continual improvement. It specifies requirements for documentation, risk assessment, resource allocation, and communication, along with the need for top management commitment and defined responsibilities. Additionally, it emphasizes the importance of monitoring, internal audits, and corrective actions to enhance the effectiveness of the ISMS.

Uploaded by mzeeshanif
Clauses

4 Context of the Organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system

5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles and responsibilities

6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
6.1.2 Information security risk assessment
6.1.3 Implement a risk treatment process and select controls
6.2 Information security objectives and planning to achieve them
6.3 Planning of changes

7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information

8 Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment

9 Performance Evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review

10 Improvement
10.1 Continual improvement
10.2 Nonconformity and corrective action
Requirements and documents needed (per clause)

4 Context of the Organization
4.1 Determine external and internal issues relevant to the ISMS objectives. Documents needed: documented analysis of internal and external issues.
4.2 Identify stakeholders and their information security requirements. Documents needed: list of interested parties and their requirements.
4.3 Define the boundaries and applicability of the ISMS. Documents needed: ISMS scope document.
4.4 Establish, implement, maintain and continually improve the ISMS. Documents needed: ISMS framework documentation.

5 Leadership
5.1 Top management must demonstrate leadership and commitment to the ISMS. Documents needed: evidence of leadership commitment.
5.2 Establish an information security policy aligned with the organization's objectives. Documents needed: information security policy.
5.3 Assign and communicate responsibilities for information security roles. Documents needed: roles and responsibilities documents.

6 Planning
6.1.1 Plan actions to address risks and opportunities. Documents needed: documented risk assessment methodology.
6.1.2 Establish and implement a risk assessment process. Documents needed: risk assessment methodology; risk reports.
6.1.3 Implement a risk treatment process and select controls. Documents needed: risk treatment plan; Statement of Applicability (SOA).
6.2 Set measurable information security objectives and plans to achieve them. Documents needed: information security objectives; plan to achieve objectives.

7 Support
7.1 Determine and provide the resources necessary for the ISMS. Documents needed: resource allocation records.
7.2 Ensure personnel are competent through education, training or experience. Documents needed: competence and training records.
7.3 Personnel must be aware of the information security policy and their contribution. Documents needed: awareness materials.
7.4 Establish internal and external communication relevant to the ISMS. Documents needed: communication plan; procedures.
7.5 Control the creation, updating and control of documented information. Documents needed: document control; master list of documents and records.

8 Operation
8.1 Plan, implement and control the processes needed to meet ISMS requirements. Documents needed: operational procedures; change management procedures.
8.2 Perform risk assessments at planned intervals. Documents needed: records of risk assessments.
8.3 Implement the risk treatment plan. Documents needed: risk treatment plan.

9 Performance Evaluation
9.1 Determine what needs to be monitored and measured, the methods used, and how results are analysed. Documents needed: monitoring and measurement plan.
9.2 Conduct internal audits at planned intervals.
9.3 Top management reviews the ISMS at planned intervals. Documents needed: management review procedures; management review meeting minutes.

10 Improvement
10.1 Enhance the suitability, adequacy and effectiveness of the ISMS. Documents needed: improvement logs.
10.2 Address nonconformities and take action to prevent recurrence. Documents needed: nonconformity and corrective action procedure; corrective action records.
Evidence to confirm compliance (the Remarks column is blank in the source)

4 Context of the Organization
- meeting evidence or records
- stakeholder analysis reports
- process maps
- approved ISMS records
- communication records
- evidence of ISMS implementation

5 Leadership
- meeting minutes with top management
- signed statements
- signed information security policy
- organizational charts
- communication to staff
- job descriptions
- communication records

6 Planning
- records showing planning activities
- risk assessment schedules
- completed risk assessments
- risk register
- approved risk treatment plans
- monitoring and measurement records
- updated SOA
- meeting minutes discussing objectives

7 Support
- budget documents
- resource plans
- training attendance sheets
- certificates
- communication records
- staff acknowledgements
- communication logs
- controlled documents with versioning
- meeting records
- access logs

8 Operation
- logs of operational activities
- change requests and approvals
- updated risk assessments
- risk assessment reports
- evidence of implemented controls

9 Performance Evaluation
- monitoring reports
- performance metrics and reports
- completed audit checklists
- audit findings and corrective actions
- action items from management reviews
- decisions made

10 Improvement
- nonconformity reports
- records of corrective actions
- continual improvement projects
- feedback mechanism
Status column values: Completed; Partially completed; Missing