“Risk assessment” is implemented in the following order.
Identify: Identify where and how risks exist.
Analyze: Analyze the extent of the losses and impact.
Assess: Determine the order of priority, starting with risks that have the greatest probability of occurring and incur the greatest losses.
Measures: Prepare a response manual, and carry out other preparations such as education and training.
(2) Method for operating ISMS
It is necessary to formulate a concrete basic policy and targets for information security based on the results of the risk analysis and assessment.
After formulating the basic policy and targets, there is a need to implement
information security measures including human and physical security
measures, in addition to technical measures. The information security of
the organization is continuously improved through the process of verifying
the results and reassessing the measures.
[Figure: the ISMS improvement cycle, repeated continuously: Identify risks, Analyze risks, Assessment, Measures]
2 Information security policy
An “information security policy” explicitly describes the basic security
policy of an organization in order to consistently implement information
security measures throughout the organization. The information security
policy explicitly describes the usage and operation of systems and the organizational framework, rather than the technical measures for information
security. Under the information security policy, the organization identifies
the important information assets within the organization and formulates
measures that determine how the organization is to protect the assets.
The information security policy is made up of a “basic policy”, “standards for measures”, and “procedures for implementation.” An information security policy commonly covers the “basic policy” and “standards for measures.”