Ensuring the integration of the information security management system requirements into the organization’s processes.
Ensuring that the information security management system achieves its intended outcome(s).
Directing and supporting persons to contribute to the effectiveness of the information security management system.
Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
Approving all information security policies, procedures, plans, etc.
Identifying the possible and actual Information Security risks.
Establishing risk acceptance criteria.
Establishing criteria for performing information security risk assessments.
Ensuring that repeated information security risk assessments produce consistent, valid and comparable results.
Identifying the risk owners.
Analysing the information security risks pertaining to the confidentiality, integrity, availability and privacy of data.
Evaluating the information security risks.
Selecting appropriate information security risk treatment options, taking account of the risk assessment results.
Determining all controls that are necessary to implement the information security risk treatment option(s) chosen.
Comparing the controls determined with those in Annex A and verifying that no necessary controls have been omitted.
Producing a Statement of Applicability that contains the necessary controls and the justification for their inclusion, whether they are implemented or not, and the justification for the exclusion of controls.
Obtaining risk owners' approval of the information security risk treatment plan.
Ensuring compliance with all applicable legal requirements.