
CLAUSE NO 6:-

Objectives and how to achieve:-

1. Communicated at the appropriate level.
2. What resources are required.
3. Who is responsible for the objective.
4. How results are to be evaluated.
5. Documented information.

Example:-

1. Operational objective - e.g. you are a cloud IaaS provider; if your own infra is not up and running, then how are you able to provide the service? Objective: achieving 99.99% information system uptime.

2. Financial objective - after the certification your objective is to increase revenue by 10% or whatever your goal is, because after this certification my I.S. related losses are decreased and I.S. incidents are also decreased.

3. Business objective - to enter a new market segment, e.g. after the MITY audit I am able to provide my services to Govt. agencies.

4. Compliance objective - rules, regulations, laws; e.g. for the European Union you have to be GDPR compliant. For the health sector HIPAA is there. PCI DSS is also there when you are dealing with credit card information.

MAJORS:-

1. Objectives should be measurable, e.g. 99.99% uptime.

6.1.2 - I.S. risk assessment process:-

1. Risk identification ---- 1. Asset, 2. Threat, 3. Vulnerability
2. Risk analysis ---- 1. Impact, 2. Likelihood
3. Risk evaluation

Risk Assessment Methodology:-

1. How to identify the risk - anything which is able to harm the CIA of information.
2. How to identify risk owners.
3. Define the criteria for assessing consequences and assessing the likelihood of the risk.
4. Define how the risk will be calculated.
5. Risk appetite:- criteria for accepting risks.

Asset - DATA, HARDWARE, SOFTWARE, INFRA, SERVER, NETWORK, PEOPLE (critical).

Vulnerabilities related to assets - fire extinguisher unavailability, absence of antivirus, lack of business continuity plans, lack of incident response plan (e.g. for a phishing attack).

Threat - viruses, equipment malfunction, key people leaving the company.

IMPACT - what level of impact the risk has on the CIA of the information.

Likelihood - historic data that can prove that this threat can happen multiple times.

RISK REGISTER HEADERS:-

1. Asset
2. Asset owner - mainly the head of the department
3. Threat
4. Vulnerability
5. Impact
6. Likelihood
7. Risk
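As an added example (not part of these notes), the 6.1.2 process and the register headers above carried through in Python: identification (asset, threat, vulnerability), analysis (impact, likelihood) and evaluation against the risk appetite. The 1-5 scales, risk = impact x likelihood, the appetite value of 8 and the sample entries are all assumptions made here; the notes leave the calculation method and the acceptance criteria for the organisation to define.

```python
from dataclasses import dataclass

# Assumed scoring method (the notes leave "how the risk will be calculated" to the
# organisation): impact and likelihood scored 1-5, risk = impact x likelihood.
SCALE_MIN, SCALE_MAX = 1, 5
RISK_APPETITE = 8  # assumed acceptance criterion: risk <= 8 is accepted, above is treated
REGISTER_HEADERS = ["Asset", "Asset owner", "Threat", "Vulnerability",  # headers from the notes
                    "Impact", "Likelihood", "Risk", "Treatment"]        # plus the evaluation outcome

@dataclass
class RiskEntry:
    asset: str
    asset_owner: str    # mainly the head of the department
    threat: str
    vulnerability: str
    impact: int         # level of harm to the CIA of the information
    likelihood: int     # backed by historic data for this threat

    def __post_init__(self):
        # Risk analysis needs scores on the agreed scale; reject anything else.
        for name in ("impact", "likelihood"):
            if not SCALE_MIN <= getattr(self, name) <= SCALE_MAX:
                raise ValueError(f"{name} must be between {SCALE_MIN} and {SCALE_MAX}")

    @property
    def risk(self) -> int:
        return self.impact * self.likelihood

    @property
    def treatment(self) -> str:
        # Risk evaluation: compare the calculated risk with the risk appetite.
        return "accept" if self.risk <= RISK_APPETITE else "treat"

def build_register(entries):
    # One row per entry, keyed by the register headers, highest risk first.
    return [dict(zip(REGISTER_HEADERS, [e.asset, e.asset_owner, e.threat, e.vulnerability,
                                        e.impact, e.likelihood, e.risk, e.treatment]))
            for e in sorted(entries, key=lambda e: e.risk, reverse=True)]

# Constructed sample entries built from the assets, threats and vulnerabilities in the notes.
SAMPLE_ENTRIES = [
    RiskEntry("Customer database server", "Head of IT & Implementation",
              "Virus", "Absence of antivirus", impact=5, likelihood=4),
    RiskEntry("Server room", "Head of HR & Admin",
              "Fire", "Fire extinguisher unavailable", impact=5, likelihood=1),
    RiskEntry("Lead developer", "Head of Product Development", "Key people leaving the company",
              "Lack of business continuity plan", impact=3, likelihood=3),
    RiskEntry("Staff mailboxes", "Head of Support",
              "Phishing attack", "Lack of incident response plan", impact=4, likelihood=3),
]
```

`build_register(SAMPLE_ENTRIES)` puts the database server (risk 20) first and marks only the server-room fire (risk 5) as accepted under the assumed appetite.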

Functional Area/Department | Risk identifier | Risk Owner

1. Sales and Marketing     |                 |
2. HR & Admin              |                 |
3. Support                 |                 |
4. Product Development     |                 |
5. Procurement             |                 |
6. IT & Implementation     |                 |
7. Legal & Secretarial     |                 |

CLAUSE NO 7-

Clause No 8 - OPERATION:- 8.1 Operational planning and control ---- how we plan, implement and control.

1. Operational planning is how we plan and control the processes needed in the management system.
2. During planning we identify risks, opportunities, and other elements of the management system that need to have controls put in place.
3. With proper operational planning and control in place we can monitor and mitigate the impact of unexpected changes, so that we can take the necessary actions and mitigate the adverse effects if necessary.

Clause No 9 - Performance evaluation-

9.1 - Monitoring, Measurement, Analysis and Evaluation

For monitoring and measurement, the organisation establishes:

1. What to monitor and measure.
2. Who monitors and measures.
3. Methods to be used so as to produce valid results (i.e. comparable).

For analysis and evaluation, the organisation establishes:

1. Who analyses and evaluates the results from monitoring and measurement, and when.
2. Methods to be used so as to produce valid results.

ISO 27001 does not require that you have a separate document for measurement - what is important is to define the objectives and the responsibilities: who is going to measure whether the objectives are fulfilled.

Objectives are documented here:

1. General ISMS objectives - in the Information Security policy
2. Specific control objectives - in the SOA
* Responsibilities for measurement are documented in the I.S. policy.
