In the series of articles so far, we have discussed the Scope of ISMS under ISO 27001 as well as the Leadership requirements and some aspects of Planning.
In this article let us list out all the requirements specified under Clause 6 of the standard documentation related to “Planning”.
Under this clause, the document specifies
6.1: Actions to address risks and opportunities
6.2: Information Security objectives and planning to achieve them
6.3: Planning of changes
Under 6.1, the organization shall make an assessment of the risk, establish a risk acceptance criteria, how the risks can be addressed. Planning should also cover actions required for continual improvement and also address “Opportunities”. The mention of “opportunities” indicates that we need to plan with a “Risk-Reward” perspective so that implementation of ISMS does not adversely conflict with the business development. For treating the risk, efforts shall be made to make use of the controls suggested in Annexe A. Apart from detailed planning with responsibility assignment, resources etc, the ISMS needs to recognize the possibility of changes and how they are to be handled.
In providing “Support” for the planned activities, it is necessary to ensure that the organization shall determine the competence of the people assigned with specific roles and retain appropriate documented information as evidence of competence. It is also necessary to build appropriate awareness across the organization with appropriate internal and external communication policies. The activities shall be properly documented and updated and an appropriate document control system shall be adopted so that reference would be facilitated.
Under clause 8 on “Operation”, the standard document requires an operational planning and control system to be developed including the schedule for periodical changes.
It is interesting to note that clause 9 of the standard speaks about the need for measuring the effectiveness of the ISMS implementation. Most of the time this is ignored in implementation since there is no clear template for the same.
In this context we may appreciate that PDPCSI specifies the Data Trust Score (DTS) system and FDPPI has developed a specific suggested mechanism for evaluating the maturity of PDPCMS through a DTS number. A similar approach can be extended to the ISMS also if the DPCMS is used as a framework.
ISO 27001:2022 also requires an established internal audit programme as well as a management review and corrective action.
Lastly the standard document specifies that the ISMS must focus on “Continual Improvement” .
The 10 clauses of the standard document are supported by the 93 controls in the Annexe A, which has been drawn from ISO 27002 which needs to be referred for detailed explanation of any of the Annexe items.
We shall try to review these 93 control items in subsequent articles.