UEU Information Assurance and Security, Meeting 3
Information Security Management System (ISMS)
Meeting 3
ISO 27001 Clauses
• Clause 6 Planning
– 6.1 Actions to address risks and opportunities
– 6.2 Information security objectives and planning to achieve them
• Clause 7 Support
– 7.1 Resources
– 7.2 Competence
– 7.3 Awareness
– 7.4 Communication
– 7.5 Documented information
• Clause 8 Operation
– 8.1 Operational planning and control
– 8.2 Information security risk assessment
– 8.3 Information security risk treatment
• Clause 9 Performance Evaluation
– 9.1 Monitoring, measurement, analysis and evaluation
– 9.2 Internal audit
– 9.3 Management review
• Clause 10 Improvement
– 10.1 Nonconformity and corrective action
– 10.2 Continual improvement
Lifecycle of Information Security
• “Plan-Do-Check-Act” (“PDCA”)
• Plan - Establish the policy, the ISMS objectives, and the processes and procedures for risk management and for improving information security, so that results are in line with the organization's overall policies and objectives.
• Do - Implement and operate the ISMS policy, controls, processes and procedures.
• Check - Assess and, where applicable, measure the performance of the processes against the policy, the objectives and practical experience, and report the results to management for review.
• Act - Take corrective and preventive actions, based on the results of the ISMS internal audit and management review or other relevant information, to continually improve the ISMS.
Selecting a method for Risk Assessment
• Several risk assessment methods may be considered, depending on the application, the organizational boundary conditions, the type of industry and the level of information security being aimed for:
– ISO/IEC 27005:2011 Information technology -- Security techniques -- Information security risk management
– COSO (Committee of Sponsoring Organizations of the Treadway Commission)
– BSI Standard 100-3 "Risk analysis"
– etc.
Classifying risks and damages