General planning, part a)
When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: ensure the information security management system can achieve its intended outcome(s).
General planning, part b)
When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: prevent, or reduce, undesired effects.
General planning, part c)
When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: achieve continual improvement.
General planning, part d)
The organization shall plan: actions to address these risks and opportunities.
General planning, part e)
The organization shall plan: how to 1) integrate and implement the actions into its information security management system; and 2) evaluate the effectiveness of these actions.
Information security risk assessment, part a)
The organization shall define and apply an information security risk assessment process that: establishes and maintains information security risk criteria that include: 1) the risk acceptance criteria; and 2) criteria for performing information security risk assessments. The organization shall retain documented information about the information security risk assessment process.
Information security risk assessment, part b)
The organization shall define and apply an information security risk assessment process that: ensures that repeated information security risk assessments produce consistent, valid and comparable results. The organization shall retain documented information about the information security risk assessment process.
Information security risk assessment, part c)
The organization shall define and apply an information security risk assessment process that identifies the information security risks: 1) to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and 2) identify the risk owners. The organization shall retain documented information about the information security risk assessment process.
Information security risk assessment, part d)
The organization shall define and apply an information security risk assessment process that analyzes the information security risks [to] 1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize; 2) assess the realistic likelihood of occurrence of the risks identified in 6.1.2 c) 1); [and] 3) determine the levels of risk. The organization shall retain documented information about the information security risk assessment process.
Information security risk assessment, part e)
The organization shall define and apply an information security risk assessment process that evaluates the information security risks [to] 1) compare the results of risk analysis with the risk criteria established in 6.1.2 [and] 2) prioritize the analyzed risks for risk treatment. The organization shall retain documented information about the information security risk assessment process.
Information security risk treatment, part a)
The organization shall define and apply an information security risk treatment process to: select appropriate information security treatment options, taking account of the risk assessment results. The organization shall retain documented information about the information security risk treatment process.
Information security risk treatment, part b)
The organization shall define and apply an information security risk treatment process to: determine all controls that are necessary to implement the information security risk treatment option(s) chosen. The organization shall retain documented information about the information security risk treatment process. NOTE 1: Organizations can design controls as required, or identify them from any source.
Information security risk treatment, part c)
The organization shall define and apply an information security risk treatment process to: compare the controls determined in 6.1.3 b) with those in Annex A and verify that no necessary controls have been omitted. The organization shall retain documented information about the information security risk treatment process. NOTE 2: Annex A contains a list of possible information security controls. Users of this document are directed to Annex A to ensure that no necessary information security controls are overlooked.
Information security risk treatment, part d)
The organization shall define and apply an information security risk treatment process to: produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether the necessary controls are implemented or not, and the justification for excluding any of the Annex A controls. The organization shall retain documented information about the information security risk treatment process.
Information security risk treatment, part e)
The organization shall define and apply an information security risk treatment process to: formulate an information security risk treatment plan. The organization shall retain documented information about the information security risk treatment process.
Information security risk treatment, part f)
The organization shall define and apply an information security risk treatment process to: obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks. The organization shall retain documented information about the information security risk treatment process.
Information security objectives and planning to achieve them, part a)
The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall: be consistent with the information security policy. The organization shall retain documented information on the information security objectives.
Information security objectives and planning to achieve them, part b)
The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall: be measurable (if practicable). The organization shall retain documented information on the information security objectives.
Information security objectives and planning to achieve them, part c)
The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall: take into account applicable information security requirements, and results from risk assessment and risk treatment. The organization shall retain documented information on the information security objectives.
Information security objectives and planning to achieve them, part d)
The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall: be monitored. The organization shall retain documented information on the information security objectives.
Information security objectives and planning to achieve them, part e)
The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall: be communicated. The organization shall retain documented information on the information security objectives.
Information security objectives and planning to achieve them, part f)
The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall: be updated as appropriate. The organization shall retain documented information on the information security objectives.
Information security objectives and planning to achieve them, part g)
The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall: be available as documented information. The organization shall retain documented information on the information security objectives.
Information security objectives and planning to achieve them, part h)
The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organization shall determine: what will be done.
Information security objectives and planning to achieve them, part i)
The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organization shall determine: what resources will be required.
Information security objectives and planning to achieve them, part j)
The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organization shall determine: who will be responsible.
Information security objectives and planning to achieve them, part k)
The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organization shall determine: when it will be completed.
Information security objectives and planning to achieve them, part l)
The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organization shall determine: how the results will be evaluated.