Standards Conformance
Introduction
In the full version of the product there are various notes by way of explanation and terminology, but let us explain the strategy for demonstrating compliance:
Conformance with the requirements for documentation and records is met directly by ensuring that the required documents and records exist. That is ensured by making them part of this IMS and, most importantly, that is all that ought to be done. Conformance in this manner is indicated in the table by a tick (
) in the "D" or "R" column, as appropriate ("D" for documentation and "R" for record). In practice, success is achieved by ensuring that all the people concerned have the necessary competence, and this is assisted through training. Training and awareness is a formal IMS activity (which is therefore documented in the page on training and awareness). In cases where the ISO requirement is meet wholly or partially through training there is also a tick in the "T" column ("T" for training).
| ISO/IEC 27001:2005 Requirement | Explanation of conformance | D |
T |
R |
|||||||
| 4 Information security management system | |||||||||||
| 4.1 General requirements | Conformance with this requirement is demonstrated by this IMS as a whole | |
|
|
|||||||
| 4.2 Establishing and managing the ISMS |  |
||||||||||
| 4.2.1 Establish the ISMS | |||||||||||
| (a) Define scope | See the welcome page | |
|||||||||
| (b) Define ISMS policy | See the IMS Policy page | |
|||||||||
| (1) include framework for setting objectives | The IMS Policy embraces the PCDA cycle as the framework for setting objectives | |
|||||||||
| (2) take account of business, legal, regulatory and contractual requirements | This is a policy requirement | |
|||||||||
| (3) align with strategic risk management context | In defining the overall approach to managing information security risk, the IMS policy explains how it is aligned with the strategic risk management context | |
|||||||||
| (4) establish risk evaluation criteria (see 4.2.1c) | See the section on risk acceptance criteria in the IMS Policy page | |
|||||||||
| (5) be approved by management | The IMS policy was first approved at the IMSF meeting held on <<>> . Subsequent changes are prosecuted through the version control mechanism | |
|||||||||
| Note: ISMS policy is a superset of the information security policy | Top level policies concerning information security form part of the IMS policy | |
|||||||||
| (c) Define approach to risk assessment | The overall approach is summarised in the IMS Policy | |
|||||||||
| (1) identify the methodology | See the Information Security Risk page | |
|||||||||
| (2) develop criteria for accepting risk and identify acceptable level (see 5.1f) | See the section on risk acceptance criteria in the IMS Policy page | |
|||||||||
| The method ensures comparable and reproducible results | This is addressed by using standard criteria to determine the effect of controls on reducing the likelihood (or frequency) and/or scale of an event. The Statement of Applicability assists to ensure completeness of the method and conformability in choosing additional controls should that prove necessary | |
|||||||||
|
|||||||||||
| 5.2.2 Training, awareness and competence | |||||||||||
| All personnel assigned responsibilities within the ISMS are competent since the organisation has: | |||||||||||
| (a) determined the necessary competencies of people affecting the ISMS | See the Training and Awareness page and the associated records | |
|
||||||||
| (b) provided training or taking other actions | See the Training and Awareness page and the associated records | |
|
|
|||||||
(c) evaluated the effectiveness of actions taken |
See the Training and Awareness page and the associated records | |
|
||||||||
| (d) maintained records of education, training, skills etc | See the Training and Awareness page and the associated records | |
|
||||||||
| All relevant personnel are aware of information security and their contribution to the achievement of ISMS objectives | See the information security training and awareness programme records | |
|
||||||||
| 6 Internal ISMS audits | |||||||||||
| Audits are conducted at planned intervals to determine: | See the internal IMS audit schedule | |
|
||||||||
| (a) conformance to ISO/IEC requirements, relevant legislation and regulations | See the IMS audit page | |
|||||||||
| (b) conformance to identified information security requirements | See the IMS audit page | |
|||||||||
|
|||||||||||
| 8.3 Preventive action | |||||||||||
| Determine action to eliminate causes of potential non-conformities with ISMS requirements | See the IMS Management page | |
|||||||||
| Preventive actions are appropriate to impact of potential problems | See the IMS Management page | |
|||||||||
| Documented procedure for preventive action defines requirements for | |||||||||||
| (a) identifying potential non-conformities and their causes | See the IMS Management page | |
|||||||||
| (b) evaluating the need for action to prevent occurrence | See the IMS Management page | |
|||||||||
| (c) determining/implementing preventive action | See the IMS Management page | |
|||||||||
| (d) recording results of actions taken (see 4.3.3) | See the IMS Management page | |
|||||||||
| (e) reviewing corrective action taken | See the IMS Management page | |
|||||||||
| Identify changed risks and focus preventive action on significantly changed risks | See the IMS Management page | |
|||||||||
| Priority of action determined based on results of the risk assessment | See the IMS Management page | |
|||||||||