Cleaned up Literature folder
This commit is contained in:
parent
73a6380034
commit
fe5eda4e05
586 changed files with 53911 additions and 2475 deletions
99
Corpus/ISMS/Basic ISMS governance model.md
Normal file
@ -0,0 +1,99 @@
# ISMS Governance Model
A straightforward governance structure for your Information Security Management System based on ISO 27001 and ISO 27002.
*Based on [Governance model for Policies and Controls](../Standards/ISO27x/Governance%20model%20for%20Policies%20and%20Controls.md), which contains the references to the Standard.*
## Policy Lifecycle: Who Does What
### Key Players
**Top Management**
The buck stops here. They don't write policies, but they commission them, approve them, and make sure there's budget for security.
**Security Manager/CISO**
The person who actually writes the policies, keeps them updated, and knows what they're talking about. They might bring in outside experts when needed.
**Line Managers**
The bridge between policy and practice. They make sure their teams know what's expected and actually follow through.
**Everyone Else**
Read the policies, acknowledge them, follow them.
### How Policies Get Made
| Step | Who's Responsible |
|:-----|:-----------------|
| **Commission** | Top management says "we need a policy for X" |
| **Draft** | Security manager writes it |
| **Consult** | Subject matter experts review it (legal, HR, IT) |
| **Approve** | Top management signs off (or delegates for specific policies) |
| **Communicate** | Security/HR publishes it where people can actually find it |
| **Acknowledge** | Everyone confirms they've read it |
| **Review** | Security manager revisits it regularly or after incidents |
Think of it like passing a law: the mayor commissions it, lawyers draft it, city council approves it, district captains enforce it, and citizens follow it.
## Key Roles in ISO 27001
**Top Management**
Sets direction, assigns responsibilities, reviews the whole system periodically.
**Risk Owners**
Own specific risks. They approve how risks get handled and accept whatever risk remains after controls are in place.
**Asset Owners**
Responsible for protecting specific assets throughout their lifecycle. They classify data, set access rules, and authorize disposal. They can delegate tasks but remain accountable.
**Security Function**
Usually a CISO or security manager. Makes sure the ISMS actually works and reports on its performance.
**Other Roles You'll Need**
- Privacy officer (if handling personal data)
- Project managers (to bake security into projects)
- Internal auditors (to check if things actually work)
- System administrators (the people with the keys to the kingdom)
## Who Does What with Controls
Controls are the actual security measures you implement. Here's who handles them:
**Top Management**
Provides resources, assigns reporting responsibilities, reviews everything at management meetings.
**Risk Owners**
Approve which controls get implemented and accept leftover risk.
**Asset Owners**
Make sure assets are properly protected and periodically check that access controls still make sense.
**Line Managers**
Enforce policies with their teams, check compliance regularly, fix problems when they find them.
**CISO/Security Manager**
Oversees implementation, helps identify risks, supports monitoring activities.
**Internal Auditors**
Check if controls actually work and if the ISMS meets requirements. They don't implement anything—they just verify.
**Everyone**
Follow the rules and report security issues when they spot them.
### Quick Reference
| Role | Implementing | Monitoring | Evaluating |
|:-----|:------------|:-----------|:-----------|
| Top Management | Fund it | Review reports | Annual reviews |
| Risk Owner | Approve treatment plans | Accept residual risk | Check risk status |
| Asset Owner | Protect the assets | Review access periodically | Verify inventory |
| Line Manager | Enforce with staff | Regular compliance checks | Report findings |
| Internal Auditor | — | — | Test if it works |
### Simple Analogy
Think city infrastructure:
- **Top Management** = City Council (budget for road safety, review annual reports)
- **Risk Owner** = City Planner (decides that intersection needs a traffic light)
- **Asset Owner** = Road Maintenance (installs and maintains the lights)
- **Line Manager** = Police Captain (makes sure officers enforce traffic laws)
- **Internal Auditor** = Inspector General (checks if lights meet codes and tickets are being issued)
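Review bot: the "How Policies Get Made" table has no enforcement step, even though the Line Managers entry above it ("make sure their teams know what's expected and actually follow through") and the law-making analogy below it ("district captains enforce it") both describe one; consider a row such as `| **Enforce** | Line managers make sure their teams follow it |` between Acknowledge and Review, so the table matches the roles the text assigns. The same mismatch appears in the "Quick Reference" table, which drops the CISO/Security Manager and Everyone rows that the "Who Does What with Controls" section lists immediately above it; either add those rows or state that the table covers only the accountable roles. Finally, the Review step says the security manager "revisits it regularly": documenting the review interval (and the post-incident trigger) in the policy itself would make that step auditable rather than aspirational.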