3. PLAN-DO-CHECK-ACT

PDF 3.1 The PLAN Phase – Establish the ISMS

    3.1 a) The Organisation defined the scope of the ISMS in Section 1.

    3.1 b) The Organisation has defined its information security policy, which is set out in Section 5, to apply throughout the Organisation as defined in the scope (Section 1 above). The policy includes:

      3.1 b1) A framework for setting objectives for the ISMS in order to preserve its competitive edge, cash-flow and commercial interests as applicable and an enabling mechanism for information sharing, for electronic operations and an overall sense of direction will continue to be aligned with Organizational goals and all personnel and principles involved with the CIO Trust Centre are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets for action with regard to information security; [ISO27001 4.2.1 b1)].

      3.1 b2) The requirement for “legal, regulatory and contractual” in accordance with the standard is adequately addressed by the Civil Service Bureau; [ISO27001 4.2.1 b2)]

      3.1 b3) The strategic organizational and risk management context for the establishment and maintenance of the ISMS (“the Organization’s current strategic business plan and risk management framework provide the context for identifying, assessing, evaluating and controlling information-related risks”); [ISO27001 4.2.1b3)] and

      3.1 b4) Reference to a systematic approach to risk assessment, the risk management framework (4.2 below) in which the criteria for risk evaluation are described and the structure of the risk assessment is defined (4.4 below). [ISO27001 4.2.1 b4)]

      3.1 b5) The policy, and this manual, have been approved by The Director General of IT and the President of the CIO. [ISO27001 4.2.1 b5)]

    3.1 c) The Organization has identified a suitable, systematic approach to and framework for risk assessment that produces comparable and reproducible results and that is appropriate for its business, legal, regulatory and contractual requirements, and this is described in Section 4 below. [ISO27001 4.2.1c)]

    3.1 d) Identification of risks is carried out in line with the process set out in Section 4 below. [ISO27001 4.2.1d)]

    3.1 e) Assessment (the analysis and evaluation) of risks is carried out in line with the process set out in Section 4 below. [ISO27001 4.2.1e)]

    3.1 f) Options for risk treatment are identified and evaluated in line with the process set out in Section 4 below. [ISO27001 4.2.1f)]

    3.1 g) Control objectives and controls are selected from [Annex A of ISO27001 :2005] to meet the criteria and requirements of the risk management framework, take into account the risk acceptance criteria (Section 4, below) and current legal, regulatory and contractual requirements and are contained in the Statement of Applicability [ISO27001 4.2.1g)], together with details of the controls currently implemented [ISO27001 4.2.1.j.2].

    3.1 h) The Statement of Applicability is contained in Sections 5 - 15 of this manual and in approving this manual management accept the residual risks (see sub section 4.6.3 also). [ISO27001 4.2.1h)]

    3.1 i) Management authorises the implementation of the ISMS and any changes to this manual [and approve the residual risks] [ISO27001 4.2.1i)]

3.2 The DO Phase – Implement & Operate the ISMS

    3.2 a) The Organisation’s risk treatment plan (DOC 4.1) reflects the decisions made in the PLAN phase, and identifies the management action, responsibilities and priorities for managing the identified information security risks. [ISO27001 4.2.2a)]

    3.2 b) Appropriate funding and resources are, as described in the risk treatment plan, allocated to its implementation. [ISO27001 4.2.2b)]

    3.2 c) The selected controls are implemented (and their implementation is co-ordinated across the Organisation) to meet the identified control objectives. [ISO27001 4.2.2c)]

    3.2 d) The Organisation has defined how it measures the effectiveness of its controls and has specified how to use these measurements to improve control effectiveness to produce comparable and reproducible results, and this is set out in DOC 3.1. [ISO27001 4.2.2d]

    3.2 e) Training and awareness programmes are implemented as required in the risk treatment plan. [ISO27001 4.2.2e)]

    3.2 f) The operational management procedures and work instructions required in this policy are implemented. [ISO27001 4.2.2f)]

    3.2 g) The Organisation has committed specific resources to the effective management of the ISMS, including the nomination of Mubarak Abdulla Alhiddi as the Chief Security Officer [CSO] for the Trust Centre and Adlin Hisyamuddin as the Information Security Manager; and the recruitment of additional technical staff, inclusion of information security in all jobs relating to the management, maintenance and operations of a National Trust Centre for the issuing of Digital Certificate as well as investing in information security products and services as required by the risk treatment plan (DOC 4.1). [ISO27001 4.2.2g)]

    3.2 h) The Organisation has implemented monitoring procedures and controls as required by control objectives 10.10 and 13.1 below. [ISO27001 4.2.2h)]

3.3 The CHECK Phase – Monitor and Review the ISMS

    3.3 a) The controls implemented to meet control objectives 10.10 and 13.1 below are operated to [promptly detect processing errors, and] detect security events, to identify failed and successful security breaches and incidents, enable management to assess whether security activities are performed in line with the criteria set for them, and take action to resolve any breach of security in a way that reflects the Organisation’s priorities. Also see sub section 3.4 below. [ISO27001 4.2.3a)]

    3.3 b) The Organisation and its management regularly review the effectiveness of the ISMS, in line with the policy and procedures identified in control 5.1.2 below, seek to continuously improve the effectiveness of the ISMS through analysing audit results, and monitoring events and activity, all in the context of the business goals and risk treatment plan, and at least once a year. [ISO27001 4.2.3b) and e), 7.1, 8.1]
    3.3 c) The Organisation measures the effectiveness of controls, as set out in DOC 3.1, to verify that security requirements have been met. [ISO27001 4.2.3c)]

    3.3 d) At planned intervals as well as whenever there are significant changes in the Organisation, technology, business objectives and processes, identified threats or external (legal, regulatory, social) changes, the Organisation reviews those aspects of its risk assessment and risk treatment plan, including levels of residual risk and acceptable risk (taking into account changes in the effectiveness of controls), that are affected by the changes, or carries out additional assessments of specific risks in relation to new technologies, and system or any other changes that affect Organisational information or information assets. [ISO27001 4.2.3d)]

    3.3 e) Management ensures that the Organisation carries out regular internal ISMS and other audits, as required in controls 6.1.8, 15.2 and 15.3 below, and the results of these audits inform the reviews identified in 3.3b) above. [ISO27001 5.1.g & 4.2.3e)]

    3.3 f) Actions or events that could impact the effectiveness of the ISMS are recorded in line with sub sections 10.10 and 13 below [ISO27001 4.2.3f & g)] and are reviewed at management review.

    3.3 g) The risk treatment plan (DOC 4.1) is updated to take into account the findings of monitoring and reviewing activities.
    3.3 The ACT Phase – Maintain & Improve the ISMS

3.4 Opportunities for The ISMS

    3.4 a)Where improvement opportunities for the ISMS are identified during the CHECK phase (see 3.3b) and d) above), they are implemented if they meet the criteria of the risk treatment plan. [ISO27001 4.2.4a)]

    3.4 b) The Organisation has documented procedures for corrective and preventative action throughout the ISMS (including but not limited to those in sections 10.2.2, 13, 14.1.5 and 15.2 of this manual; sub section 6.1.7 enables it to learn from the experiences of other organisations and control 13.2.2 ensures it learns from its own experiences) and these include evaluating the need for action to prevent the occurrence of non-conformities. [ISO27001 4.2.4b] All controls have an element of preventative action involved in them.

    3.4 c) The results of reviews are communicated to everyone involved via email and action delegated to the appropriate people, in line with 6.1.3 and 13.2.1 below. [ISO27001 4.2.4c)]

    3.4 d) The implemented improvements are subject to monitoring and audit (see 15) to ensure that their intended objectives have been achieved. [ISO27001 4.2.4 d)]

    Adlin Hisyamuddin
    Information Security Manager

    ____________________________

    On:

    08 November, 2007
    ____________________________

    Change history

    Issue 1 08 November, 2007 Initial issue