This video focuses on the management clauses of ISO 27001:2013 standards. The management clause 6 of ISMS framework relates to 'Planning'. The 'General' and 'Risk Assessment' sections are explained in this presentation.- by Software development company in india Ref: http://www.ifour-consultancy.com http://www.ifourtechnolab.com ** Custom software development companies

1. iFour ConsultancyISMS Framework: Clause 6 - Planning

2. Planning- ISMS requirements
It is not enough to do your best; you must know what to do and then do your
best. – W. Edwards Deming
An organization needs to establish its strategic objectives and should identify
risks and opportunities and relate them to the scope of ISMS.
Following are the pre-requisites for planning phase which focuses on
establishing an effective and sustainable ISMS:
Management commitment to security
Security policy
Security strategy and plan
Security Measures
Web development company Indiahttp://www.ifourtechnolab.com

3. Planning – ISMS requirements (continued)
 ISO 27001:2013 classifies planning into:
Clause 6.1: Actions to address risks and opportunities.
 Clause 6.1.1: General
 Clause 6.1.2: Information security risk assessment
 Clause 6.1.3: Information security risk treatment
Clause 6.2: Information security objectives and planning to achieve them.
 Planning for the ISMS requirements is done keeping these factors in mind:
Size of the organization
Nature of its business
Maturity of the processes in implementing ISO
Commitment of senior management
Web development company Indiahttp://www.ifourtechnolab.com

4. Planning process
Clause 6.1 Actions to address risk and opportunities
Determine
internal issues
Determine
interested parties
& requirements
Determine
external issues
Methods,
criteria for risks
& opportunities
Determine risks &
opportunities
Intended outcomes,
Prevent or reduce undesired effects,
Continual improvement
Methods of prevention
and reduction of
undesired effects
Plan actions to
address risks &
opportunities
Acceptable level of risk
proportional to
potential impact
Action plan & how to
evaluate action &
integrate into processes
Implement actions
Web development company Indiahttp://www.ifourtechnolab.com

5. Establish an ISMS
Clause 6.1 (Continued)
Web development company Indiahttp://www.ifourtechnolab.com

6. Clause 6.1.2 Information security risk assessment
Risk is the probability of occurrence of an incident that causes harm to an
informational asset.
Purpose of risk assessment:
Threats to organizations (i.e., operations, assets, or individuals) or threats directed
through organizations against other organizations or the nation.
Vulnerabilities - internal and external to organizations.
Adverse impact to organizations that may occur, given the potential for threats exploiting
vulnerabilities.
The likelihood that harm will occur.
 Clause 6.1.2 focuses on:
Defining and information security risk assessment process.
Assessing the organization’s information security risks.
Web development company Indiahttp://www.ifourtechnolab.com

7. Clause 6.1.2 (Continued)
Defining an information security risk assessment process
 How are you going to perform risk assessment process:
The organization shall apply & define risk assessment process that:
 Establishes and maintains information security risk criteria including:
 Risk acceptance criteria
 Criteria for performing information security risk assessments
 How are you going to ensure that your repeatedly performed risk assessments
produce
Consistent
Valid
Comparable results
Web development company Indiahttp://www.ifourtechnolab.com

8. Identify Analyze Evaluate
Clause 6.1.2 (Continued)
RISK ASSESSMENT PROCESS
Web development company Indiahttp://www.ifourtechnolab.com

9.  Identify organization’s information security risks
Identify the risks associated with loss of CIA for information within the scope of ISMS.
Identify the risk owners
 Analyze organization’s information security risks
Assess the consequences that you might have to face in case the identified risks
materialize
Assess the realistic likelihood of occurrence of the identified risks
Determine the level of risks
 Evaluate organization’s information security risks
Compare the risk analysis results with risk criteria established earlier
Prioritize the analyzed risks for risk treatment
Clause 6.1.2 (Continued)
Web development company Indiahttp://www.ifourtechnolab.com

10.  Example of step wise risk assessment approach:
Clause 6.1.2 (Continued)
Calculate the asset value
•Cost of actual asset
•Cost to protect the asset
Identify vulnerabilities and categorize them into
•Very high, High, Medium or Low
Identify threats and categorize them into
•Very High, High, Medium or Low
Identify probability and business impact of potential threats
•Frequency of attack and Extent of loss
•Impact severity = Asset value x threat severity x vulnerability severity
Calculate risk score
•Risk Score = Impact severity x probability
•Based on risk score’s level, you need to decide the appropriate risk treatment.
Ascertain and establish controls
•Identify countermeasures and solutions to eliminate potential damage
•Do cost/benefit analysis before implementing the control
Web development company Indiahttp://www.ifourtechnolab.com

11. References
http://isoconsultantpune.com/iso-90012015-clause-6-planning/
http://searchsecurity.techtarget.in/tip/A-free-risk-assessment-template-for-
ISO-27001-certification
http://www.praxiom.com/iso-27001.htm
https://buildsecurityin.us-cert.gov/articles/best-practices/deployment-and-
operations/plan-do-check-act
Web development company Indiahttp://www.ifourtechnolab.com