Chapter 3 Information Security Management System. 4.1 General Requirements: Develop, implement, maintain and continually improve a documented ISMS; process based on PDCA.


1 Chapter 3 Information Security Management System

2 4.1 General Requirements
Develop, implement, maintain and continually improve a documented ISMS.
Process based on PDCA (Plan, Do, Check, Act).

3 4.2 Establishing and Managing the ISMS
Establish the ISMS
Implement and operate the ISMS
Monitor and review the ISMS
Maintain and improve the ISMS

4 4.3 Documentation Requirements
General
Control of documents
Control of records

5 Extent of ISMS Documentation
Range and details depend upon:
complexity of products and processes
customer and regulatory requirements
industry standards and codes
education, experience and training
workforce stability
past security problems

6 ISMS Documentation
Level 1: Security Manual. Policy, scope, risk assessment, statement of applicability.
Level 2: Procedures. Describes the process: who, what, when, where.
Level 3: Work Instructions, Checklists, forms, etc. Describes how tasks and specific activities are done.
Level 4: Records. Provides objective evidence of compliance to ISMS requirements.

7 ISMS Documentation
Level 1, Security Policy Manual: summary of the management framework, including the information security policy and the control objectives and implemented controls given in the statement of applicability.
Level 2, Procedures: the procedures adopted to implement the required controls. They describe the who, what, when and where of security processes and inter-department controls.

8 ISMS Documentation
Level 3, Work Instructions: explain the details of specific tasks or activities.
Level 4, Records: objective evidence of activities carried out in compliance with the Level 1, 2 and 3 documentation.

9 Contents of the Desktop Review: Clause 4.1 General Requirements
Evidence of a documented ISMS. Establish that there is a documented ISMS, that the client has identified all information assets that require protection, has defined an approach to risk management, and has documented the degree of assurance required.

10 Contents of the Desktop Review: Clause 4.2 Requirements
Evidence of the following activities/documentation:
Scope of the ISMS
Security policy
Risk assessment
Risk management
Control selection
Risk treatment plan
Statement of applicability
Review of the above

11 Clause 4.2 Requirements
Scope: must be clearly defined; where relevant, the scope must not mislead.
Security Policy: published, approved by management, communicated to all employees, relevant to the organization, with mechanisms in place to review and update it.

12 Clause 4.2 Requirements
Risk Assessment: Has this been conducted? If so, have all assets been included? Is there a comprehensive threat and vulnerability analysis? Is the process documented and repeatable? Is the risk assessment current? Is the risk being managed? The selection of controls must be based on the risk assessment.

13 Clause 4.2 Requirements
Risk Management: Are the selected controls based on the risk assessment results? Is it clear from the risk assessment which controls are baseline measures, which are mandatory and which may be considered optional?

14 Clause 4.2 Requirements
Control Selection: understand why controls have been selected; seek objective evidence to support why certain controls have not been selected.
Risk Treatment Plan: Has a risk treatment plan been prepared that identifies the appropriate management action, responsibilities and priorities for managing information security risks?

15 Clause 4.2 Requirements
Statement of Applicability: Has it been prepared? Have the reasons for control selection and exclusions been documented?
Review of the above: Have reviews of the policy, scope and risk assessment been planned? Is there evidence to support that such reviews have taken place?

16 Clause 4.3 Documentation Requirements
Documentation: objective evidence, i.e. electronic or hard-copy documentation, of all mandatory elements of the ISMS framework: the overall security policy and, where applicable, policies relating to each of the controls; security procedures; management system procedures; formal document control; records.

17 Clause 4.3 Documentation Requirements
Document Control: A formal written procedure (or procedures) needs to be established to ensure that all documentation is managed in accordance with company policies. The organization must clearly identify who, or which function, has the responsibility for maintaining and updating procedures, with a mechanism in place to review them, ensure they are kept up to date, and withdraw them when obsolete. It is a requirement that documentation be readily available to the staff who wish to use it, and only where appropriate. All documentation must be legible, dated and readily identifiable.

18 Clause 4.3 Documentation Requirements
Records: evidence must be available to demonstrate that the ISMS is working. Without any objective evidence of the operation of the ISMS, the audit will have to be concluded at the end of Stage 1.
