ISO 27000

outline
ISMS - Information Security Management System. The clause numbers below are those of ISO/IEC 27001:2005, the certifiable standard within the ISO 27000 family, and are read against the Plan-Do-Check-Act cycle.
4.2.1, "Establish the ISMS", is close to Plan: aligning the ISMS with business objectives, defining risk acceptance criteria, assessing the business impact of potential failures (loss of confidentiality, integrity or availability of assets), and selecting control objectives and controls from Annex A.

A Statement of Applicability lists the controls selected and gives a justification for any Annex A controls excluded. So although Annex A is long and could require detailed work, the main clauses turn on the risk assessment, which means putting a value on information assets.
4.2.2, "Implement and operate the ISMS", is close to Do.

4.2.3, "Monitor and review the ISMS", is a form of Study (Deming's later term) or Check: detection of errors and security incidents, regular reviews of effectiveness, and consideration of changes in technology and in the organisation.
4.2.4, "Maintain and improve the ISMS", seems incomplete as an equivalent of Act. It includes corrective and preventive action, both of which could equally relate to other phases. However, management responsibility, on which Act also depends, is described in the later clauses.
4.3 is about documentation: required documents, document control and records.
Documentation for a standard is often seen as restrictive, but one approach would be to regard any existing document as a system model, as in Peter Checkland's Soft Systems approach. Given computers and networks, it is now possible to amend documents while still maintaining document control (approval, version identification and distribution).
5 is about management commitment. This is evidenced through establishing policy, providing resources and conducting reviews. Resources include those for "training, awareness and competence".

6 is about internal ISMS audits. These should allow for study and reflection; they are not intended just to identify nonconformances.
7 is about management review, another chance for Act. With a complete clause devoted to it in the standard, it should be clear that the review is intended to happen at planned, regular intervals.

8 is about ISMS improvement, as something that happens at any level in the organisation.