A Process Reference Model for ISO/IEC 27001

Written by Aron Lange

Published Feb 8, 2024

Have you been in this position?

As part of your role in overseeing your organization's ISMS, you often find yourself chasing colleagues for evidence, generating reports, and updating documentation, even when this stretches beyond your designated duties.

Here might be the solution to your problem.

Process Reference Model

All activities within an ISMS should be embedded in a set of processes to ensure the delivery of results and continuous improvement, enabling organizations to meet their security objectives effectively and efficiently.

A Process Reference Model (PRM) is a framework that provides a structured representation of processes within an organization.

Process Reference Models (PRMs) distinguish between three types of processes:

  1. Governance Processes: These processes define the objectives of the management system, including IS governance and management interface processes.

  2. Core Processes: These are the main elements of the ISMS, delivering direct customer value. They include security policy management, information security (IS) risk assessment, IS risk treatment, outsourced services control, and IS improvement processes, among others.

  3. Support Processes: These processes provide and manage necessary resources without delivering direct customer value. Examples include record control, resource management, communication processes, and IS customer relation processes.

For an information security management system, the following processes are needed.

Governance Processes

  • Information Security Governance Process

  • Management Review Process

Core Processes

  • Security policy management process

  • Requirements management process

  • Risk assessment process

  • Risk treatment process

  • Control implementation process

  • Supplier management process

  • Competence and awareness assurance process

  • Information security incident management process

  • ISMS change management process

  • Internal audit process

  • Performance evaluation process

  • ISMS improvement process

Support Processes

  • Records control process

  • Resource Management process

  • Communication process

  • Customer relationship management process

Example Process

Let’s have a closer look at the information security policy management process.

Process Input

The activities within this process receive input from all other ISMS processes, which is necessary to create policies that take the entire organisation into consideration.

In addition, updates to already existing policies are requested in the form of change requests coming from the ISMS change management process.

Process Output

The output is a set of up-to-date information security policies (this includes standards, guidelines and procedures as well).

This process encompasses the entire lifecycle of a policy, starting from its development and approval, to its distribution, secure storage, and change management, followed by its retention period and eventual disposal.

P.S.: You can find all processes in my ISO 27001 Starter Kit. Simplify your path to ISO/IEC 27001 with a customizable project plan and supporting resources.

New Video

I tried my best to explain information security / cybersecurity risk management in less than 5 minutes. You decide if I was successful.


A broad selection of courses

Take one of our GRC courses and build impactful skills to advance your career.