Please enable JavaScript.

Coggle requires JavaScript to display documents.

PDCA Cycle(Clause-4-10) - Coggle Diagram

- - - - 1.Budget :- investment to achieve information security
        2.People : taking care of info. sec and the ISMS
        3.Equipment :-Using a secure server with monitoring tools can detect a cyberattack and block it quickly.
        4. Tools such as software and hardware appliances are needed to maintain security
        Ex. You need proper tools—like firewalls, antivirus, and encryption software—to keep systems secure
        5. Facilities:- The physical workplace (offices, server rooms, etc.) should have security that matches the level of risk.
    - - 1.Ensure people have the right skills, knowledge and ability.2.Check how skilled they are and keep a record of it (like training certificates or experience summaries)
        .3. can train your own team or bring in outside experts to help with ISMS tasks
        4.Check where your team might need help or additional knowledge
        .5.Give them the training, education, or mentorship they need to get better
        6.Clearly define and agree on what skills and knowledge your organization needs for ISMS roles.
    - - 1.Know the information security policy
        2.Policy is explained clearly
        3.Understand how actions (daily work)affect security
        4.People should be aware that if they don’t follow the rules, there could be serious results, like data breaches or even disciplinary action
    - - organization shall determine the need for internal and external communication relevant to the ISMS
        1.What needs to be communicated2.Who communicates
        3.whom to communicate
        4.How to communicate Process affected by the communication
        5When to communicate?
    - - 1.Have the required documents:-ISO 27001 expects certain documents (like policies, procedures, risk assessments)
        2.Apart from what's required, add any other useful information that helps your team run the ISMS smoothly.
        3.bigger and more complex businesses need more documentation
        Depends on several factors::-Size,Type,Complexity,Highly skilled staff required less documentation..
      - 7.5.2Creating and Updating
        1.identify,discribe,review documents
      - 7.5.3 Control of documented information
  - - - 4.1.1Identify the internal Issue
        
        Documentation not required
        
        Processes, Internal practices:
        How things are done—are they secure and consistent(less changes to error)
        habits around data and security.
        
        Risk Appetite:
        How much risk is the clinic willing to accept?
        Inadequate disaster recovery or business continuity plans
        
        Objective, Organization structured & Policies:
        What the clinic aims to achieve, and how it is organized.
        Existing rules
        Ex. Lack of clear policies and procedures for sensitive
        data handling
        
        Resource & Capabilities:
        Do you have enough people, time, and knowledge to manage security?
        Ex. Insufficient staff training or awareness about security risks
        ● Limited resources for information security management
      - 4.1.3Review & Monitior
      - 4.1.2Identify the External Issue
        
        ○ Technology changes new app launch then its reduce lots of word
        
        ○ Events that affect your companyThings that happen (good or bad) that impact how your company runs
        
        ○ Competition:- one start to sell pizza another one also start same
        
        ○ Market shifts(MArkets ups & down ex. CD/Music online),Server/cloud
        
        ○ Government regulations/legal (Government laws and rules like HIPAA ,GDPR)
        
        Social, technological, environmental, ethical,
        political, and economic environment.
    - - 4.3.2What Can Affect the Scope?**
        
        ● Documentation is required by ISO 27001
        
        ○ Attitude towards change
        
        ○ Size of the organisation
        
        ○ Interaction with others
        
        ○ Organisation activities
        
        ○ Interested parties requirements
        
        ○ Internal and external issues
        
        ● Scope Can be affected by :
      - ● Owner : CISO
      - ● Validity : 1 year
      - ● Out of scope : cafeteria
      - ● Networks, IT Assets and infrastructure : IT Systems, and network used for backend finance business.
      - ● Processes and Services : Contract Management, Accounting services
      - ● Organizational Units: Finance Department
      - ● Locations: Second floor of company headquarters
    - - Parties who are affected by the ISMS (those who depend on it)
        These are the people who are impacted by how you manage information security
        *Owners/Management: They want to keep the business safe and follow all rules.
        They care about protecting the business’s reputation, money, and data
        Example: A data breach could cost the company money and damage its brand, which directly affects the owners.
        Employee -Their work and data need to be protected.
      - **Stakeholders that can influence ISMS operations (People or groups who can affect ISMS)
        (how your company runs (as per rules and regulations)
        1.Suppliers/Vendor: They give services or products to the company.
        (They may share or receive sensitive data should have to follow rules and regulation of company.)
        Ex.: A cloud service provider expects your company to follow basic security rules when storing data on their servers.
        2. Government agencies/Regulators (They make rules the company must follow.)
        Ex:-GDPR ,HIPPA
      - Interested parties(Vendor) relevant to the ISMS and their requirements(Connect with their ISMS)