
Step-by-step guidance on how to establish, implement and operate cybersecurity management system (ISMS)


Pavol Zavarsky, CISSP, CISM, CISA, PhD
Edmonton, Canada
December 2014

Foreword
ISO/IEC published the ISO/IEC 27001:2005 standard, which describes the requirements on an Information Security
Management System (ISMS), in 2005. Five years later, in 2010, ISO/IEC 27003:2010 was published, containing
detailed guidelines on how to meet the ISMS requirements of ISO/IEC 27001:2005. In 2013, a significantly
revised version of ISO/IEC 27001 was released. The new ISO/IEC 27001:2013 made the ISO/IEC 27003:2010
implementation guidance on how to establish, implement and operate an ISMS obsolete.
Unfortunately, an updated version of ISO/IEC 27003:2010 corresponding to ISO/IEC 27001:2013 has not been
published yet. Therefore, the following sections of this document should be viewed as the author's attempt to
update the content of the ISO/IEC 27003:2010 implementation guidance so that it corresponds to the most
recent version of ISO/IEC 27001, from 2013.

1 Introduction
1.1 Purpose of the document
It is generally not recommended to start developing a cybersecurity management system (ISMS) without first
understanding how to establish and implement it. This document, the step-by-step guide, is intended (1) to
mitigate the risk of establishing a flawed system, and (2) to describe the steps needed to establish and
implement an ISMS that, if required, would be in full compliance with ISO/IEC 27001:2013 (which the current
ISO/IEC 27003:2010 guidance does not provide).
The step-by-step guide represents a tailored and updated version of the official ISMS implementation
guidance published by ISO/IEC and known as ISO/IEC 27003:2010. The document describes the steps that
should be considered when establishing, implementing and operating an effective cybersecurity
management system.

1.2 Relation to other ISMS guideline documents
This document, which describes the steps that need to be completed to establish and operate an effective
cybersecurity management system, is the first in a series of ISMS guideline documents. While this document
provides a high-level overview of the practical steps that need to be completed to operate an effective
cybersecurity management system, the following documents in the series (under construction) will provide
practical guidance on the individual steps. The guidance documentation for the individual steps of
establishing and operating an ISMS will address lower-level and system-specific details of cybersecurity
management.
Note: In writing the series of ISMS-related documents, the authors follow the approach used by the
International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
in publishing a family of ISMS standards, commonly known as the ISO/IEC 27000 series, some (20) of which are
listed in the References section below. Each of the ISO/IEC ISMS standards addresses a different aspect of
cybersecurity management systems. Addressing the different aspects of the ISMS separately results in a
family of documents, each of reasonable proportions. Moreover, by focusing each document on a particular
aspect of a given ISMS, continuous improvement of the guideline documents is also simplified.

1.3 Applicability
The guidance on the establishment, implementation and operation of a cybersecurity management system
provided in this document is generic enough to be applicable to projects of different types and sizes. The
guidance document was developed to assist project managers, risk assessors, cybersecurity professionals,
and all others with responsibilities for the cybersecurity protection of computer-based systems. The step-by-step
guide allows the development of a consistent and comprehensive set of documents that provides a high-level
indication of the status of a given cybersecurity management system.
This step-by-step guide for establishing, implementing and operating an effective cybersecurity management
system (ISMS) is not intended to substitute for the wealth of knowledge on how to establish, implement,
operate, maintain and continually improve an ISMS that is available in the ISO/IEC 27000 series guideline
documents. This guidance document reflects the practical experience of its author in building effective ISMSs.
The step-by-step guidance is intended to streamline the creation of top-level ISMS documentation and to make
the document creation process efficient and comprehensive. In addition to helping enforce the completeness
of the ISMS documentation, the document can readily serve as a checklist to be followed in the actual
establishment and implementation of a cybersecurity management system for a given project. This draft
version of the document has already proven to be a valuable source of information for project managers in
estimating the effort/workload required to define, implement and maintain cybersecurity protection at a
level that meets contractual, legal, regulatory and other requirements.

2 References
Note: The International Organization for Standardization (ISO) and the International Electrotechnical
Commission (IEC) have published, and are continuously updating and expanding, a family of ISMS standards
commonly known as the ISO/IEC 27000 series. The ISMS standards include ISO/IEC 27000:2014, ISO/IEC
27001:2013, ISO/IEC 27002:2013, ISO/IEC 27003:2010, ISO/IEC 27004:2009, ISO/IEC 27005:2011, ISO/IEC
27006:2011, ISO/IEC 27007:2011, ISO/IEC 27008:2011, ISO/IEC 27010:2012, ISO/IEC 27013:2012, ISO/IEC
27014:2013, ISO/IEC 27032:2012, ISO/IEC 27033-1:2009, ISO/IEC 27033-2:2012, ISO/IEC 27033-3:2010,
ISO/IEC 27033-5:2013, ISO/IEC 27034-1:2011, ISO/IEC 27035:2011, and ISO/IEC 27037:2012. In addition to
the ISO/IEC 27000 series, IEC published IEC 62443-2-1:2010, which provides guidance on establishing a
security program for industrial automation and control systems.
The following subset of the above listed standards is directly related to the content of this guide:
ISO/IEC 27001:2013, Information technology – Security techniques – Information security management
systems – Requirements, 2013.
ISO/IEC 27002:2013, Information technology – Security techniques – Code of practice for information
security controls, 2013.
ISO/IEC 27003:2010, Information technology – Security techniques – Information security management
system implementation guidance, 2010.
ISO/IEC 27005:2011, Information technology – Security techniques – Information security risk management,
2011.
ISO/IEC 27014:2013, Information technology – Security techniques – Governance of information security,
2013.
IEC 62443-2-1:2010, Industrial communication networks – Network and system security – Part 2-1:
Establishing an industrial automation and control system security program, 2010.

3 Organization of the document
First, the fundamental concepts of cybersecurity management systems are briefly introduced and the keywords
used throughout the text are defined. The meaning of the remaining keywords that are frequently used in the
context of cybersecurity management systems is explained in the Glossary in Appendix A at the end of the
document. The most valuable part of this document is Section 5, which provides a summary of the activities
required to establish and implement an efficient and effective cybersecurity management system.

4 Keywords and Definitions
4.1 Cybersecurity management system (ISMS)
A Cybersecurity Management System (ISMS) is a systematic approach for establishing, implementing,
operating, monitoring, reviewing, maintaining and improving cybersecurity to meet contractual, legal,
regulatory and internal cybersecurity requirements. ISMS provides a structured and comprehensive
framework for an effective contractual and regulatory compliance with respect to cybersecurity. A
cybersecurity management system consists of policies, procedures, guidelines, and associated resources and
activities in the pursuit of providing an appropriate protection to computer-based assets. ISMS is based upon
concepts of assigned responsibilities and accountability for cybersecurity related decisions. ISMS facilitates
informed risk-based decisions based on assessments of risks, such as risks of non-compliance, and defined
risk acceptance levels designed to effectively treat and manage cybersecurity risks.

4.2 ISMS success factors
A large number of factors are critical to the successful implementation of a cybersecurity management system.
The critical factors include (i) visible support and commitment from all levels of management, especially
from the project top management, (ii) assignment of responsibilities, (iii) cybersecurity team capabilities,
(iv) in-depth understanding of contractual, regulatory and other requirements, (v) comprehensiveness of the
cybersecurity management, (vi) strength of the implemented cybersecurity controls, (vii) performance
assessments of the effectiveness of the ISMS, and (viii) accountability of the project top management for the
alignment of cybersecurity activities with the project goals.

4.3 Management
Management activities include organizing, handling, directing, supervising, and controlling resources.
Management structures extend from one person in a small project to management hierarchies consisting of
many individuals in large projects. In terms of a cybersecurity management system at a project level, the
management involves supervision and making of decisions necessary to achieve project objectives through
an appropriate level of protection of computer-based systems. Management of cybersecurity is expressed
through formulation and enforcement of procedures and guidelines, applied throughout the project.

4.4 Management system
A management system is a framework of guidelines, policies, procedures, processes and associated resources
aimed at ensuring that an organization meets its objectives. In terms of cybersecurity, a cybersecurity
management system ensures that the cybersecurity requirements of a customer and other stakeholders are
satisfied in an organized, consistent, planned, and cost-efficient way. A cybersecurity management system,
like other management systems, requires an organizational structure, resources, processes, policies,
practices, planning activities, responsibilities, and procedures to achieve the project objectives. The term
management frequently refers to the people who perform the management activities; the term cybersecurity
management system encompasses people as the component of the management system responsible for its
effective and efficient operation. Cybersecurity management involves managing the various
cybersecurity-related activities so that the system functions effectively and efficiently. The application of a
system of processes, together with the identification and interactions of these processes and their
management, is referred to as a process approach. The process approach for a cybersecurity management
system is based on the principle adopted in ISO's management system standards, commonly known as the
Plan – Do – Check – Act cycle.
Note: Regarding the usefulness of the Plan – Do – Check – Act cycle in cybersecurity management systems,
flaws in judgment are a reality. One source of such flaws (and of the vulnerabilities they leave behind) is that
an effective cybersecurity management system requires expertise in several, often dissimilar, areas. Just as a
general practice physician is unlikely to discover or treat a large number of specialized health issues,
analogous limitations apply to cybersecurity professionals in discovering and treating cybersecurity issues.
Flaws in judgment are therefore possible and should be addressed, like other threats to cybersecurity, from a
risk-management perspective.

5 Step-by-step guidance on how to establish, implement and operate cybersecurity management system
A cybersecurity management system (ISMS) has its own development lifecycle. An ISMS for a given project has
to be (I) established, (II) implemented, (III) operated, (IV) maintained, and (V) continually improved. Table 1
summarizes the activities required to establish, implement, and operate a cybersecurity management system.
The table presents the activities of the ISMS development process as a series of steps, where a given step
typically requires the completion of the previous step or steps. Other prerequisites, such as the proficiency
needed to perform a given step, are also listed in the table. The extent of the documented output of each step
differs depending on factors such as the size and type of the project and the complexity of the described
processes, activities and their possible interactions. The table also maps the activities to the corresponding
requirements of ISO/IEC 27001:2013. Following the step-by-step guidance therefore facilitates full
compliance with the ISO/IEC 27001:2013 requirements on an ISMS.
The activities to be performed, the prerequisites of their successful completion, and the documented output
all require resources. The resources needed to perform each step can be used by project managers to
estimate the budget required for an efficient cybersecurity management system.
As mentioned above, the high-level step-by-step guidance was developed to apply to projects of all sizes and
types of management. However, the experience of the staff in performing the individual activities, and other
resources, are an important factor in making the cybersecurity management system effective.
Step-by-step guidance on how to establish, implement and operate cybersecurity management system (ISMS)
Pavol Zavarsky, CISSP, CISM, CISA, PhD
December 2014

Table 1. Typical activities required to (1) establish, (2) implement and (3) operate a cybersecurity
management system (ISMS)

For each step the table lists the activity, the prerequisites of a successful completion of the step activities,
the documented output, and the clause of ISO/IEC 27001:2013 to which the step corresponds (subclause
numbers in parentheses). The steps are grouped into the ISMS phases of the original table.

ISMS establishment phase (1): Steps 1 – 15

Step 1
Activity: Project top management nominates and assigns responsibilities to a cognizant cybersecurity
professional (project cybersecurity manager) to create a team of people responsible for the establishment of
the ISMS.
Prerequisites: Leadership and commitment of the project top management in respect to cybersecurity.
Documented output: Documented roles, responsibilities, and reporting structure.
Reference: Clause 5 (5.1, 5.3).

Step 2
Activity: Project cybersecurity manager, with the help of his team, identifies the overall project objectives
that require cybersecurity.
Prerequisites: (i) Knowledge and experience in establishing ISMSs, and (ii) access to the documentation that
describes the overall project objectives.
Documented output: Documented project objectives that require cybersecurity.
Reference: Clause 4 (4.1).

Step 3
Activity: Project cybersecurity manager and his team identify the contractual, legal, regulatory and other
requirements that apply to project cybersecurity and perform an in-depth study to fully understand the
cybersecurity implications of the requirements.
Prerequisites: (i) Access privileges to review contractual, legal, regulatory and other requirements, and (ii)
knowledge and, if possible, previous experience in translating cybersecurity-related contractual and legal
requirements into actions that would guarantee compliance with the project requirements.
Documented output: Documented cybersecurity-related contractual, legal, regulatory and other
requirements. The requirements should be documented in a way that is understandable to the project top
management.
Reference: Clause 4 (4.2).

Step 4
Activity: Collection, evaluation and documentation of existing cybersecurity-related management systems
and their possible interrelationships with the cybersecurity management system at the project level.
Prerequisites: (i) Assigned need-to-know-based access privilege to read the documentation on the existing
systems, and (ii) knowledge, skills and experience to assess the existing systems from the perspective of the
project's cybersecurity goals.
Documented output: Documented existing cybersecurity-related management systems and identification of
their benefits and limitations from the perspective of the project's cybersecurity objectives.
Reference: Clause 4 (4.1).

Step 5
Activity: Analysis and communication of the results of the activities completed in Steps 1 – 4 to the project
top management. Definition of a preliminary scope of the cybersecurity management system at the project
level.
Prerequisites: Completed Steps 1 – 4, plus competence to perform the activities required to complete the
step.
Documented output: Documentation with an in-depth justification of the proposed scope of the
cybersecurity management system. What is proposed to be included in and excluded from the scope is
explicitly identified. The documentation should be written in a language understandable to the project top
management, so that it is useful for estimating the required budgetary and other resources.
Reference: Clause 4 (4.3).

Step 6
Activity: Analysis of the justifications of the proposed scope of the cybersecurity management system by the
project top management, feedback from the top management to the project cybersecurity manager
regarding the acceptability of the proposed scope, and allocation of resources.
Prerequisites: Completed Steps 1 – 5, plus competence to perform the analysis.
Documented output: Documented results of the approval process of the proposed scope of the cybersecurity
management system. Documented commitment of the project top management to provide the resources
required for the effective functioning of the cybersecurity management system with the approved scope.
Reference: Clause 4 (4.3) and Clause 5 (5.1).

Step 7
Activity: Development of a policy that (i) is appropriate to the agreed-upon scope of the cybersecurity
management system, (ii) communicates the cybersecurity objectives, and (iii) expresses commitment to meet
contractual, legal, regulatory and other applicable cybersecurity requirements in an efficient and effective
way.
Prerequisites: Completed Steps 1 – 6, plus competence in developing the policy.
Documented output: Written and authorized policy that (i) is appropriate to the agreed-upon scope of the
cybersecurity management system, (ii) communicates the cybersecurity objectives, and (iii) expresses
commitment to meet contractual, legal, regulatory and other applicable cybersecurity requirements in an
efficient and effective way.
Reference: Clause 5 (5.2).

Step 8
Activity: Planning of the implementation phase of the cybersecurity management system, with a focus on
effectiveness and efficiency in meeting the cybersecurity requirements.
Prerequisites: Completed Steps 1 – 7.
Documented output: Documented assigned responsibilities for the planning phase of the ISMS
implementation, and documentation of the planned actions to address risks and opportunities.
Reference: Clause 6 (6.1.1, 6.2).

Step 9
Activity: Cybersecurity risk assessment to identify project domain boundaries, security infrastructure islands,
work environments, portals for accessing the project's computer-based resources, and approved connections
and types of communications between the project's infrastructure islands.
Prerequisites: Completed Steps 1 – 8, plus (i) assigned roles and responsibilities for performing the risk
assessment, (ii) skills, knowledge, and experience in performing the risk assessment, (iii) ability and
experience in analysing the identified risks, and (iv) ability to communicate the results of the risk assessment
to the project management in an unbiased and understandable way.
Documented output: Documented overall risk assessment, including assumptions, justifications, methods
used, results, and implications of the results of the risk assessment. The results of the risk assessment should
be written in a language understandable to the project top management. A business case can be developed
to illustrate the results of the risk assessment.
Reference: Clause 6 (6.1.2).

Step 10
Activity: Identification of risk treatment options and formulation of a cybersecurity plan that addresses the
identified risks in an efficient and cost-effective manner. The plan should determine and justify what needs to
be done to mitigate the risks, what resources will be required, who will be responsible, when it will be
completed, and how the effectiveness of the cybersecurity controls will be evaluated.
Prerequisites: Completed Steps 1 – 9, plus knowledge and experience in (i) identifying risk mitigation
strategies for the identified risks, (ii) translating the identified risk mitigation strategies into a comprehensive
set of cybersecurity controls, and (iii) writing a logically organized cybersecurity plan.
Documented output: Cybersecurity management plan that describes and justifies the risk treatment options,
cybersecurity control objectives and controls that effectively mitigate the cybersecurity risks. The
cybersecurity plan should consider safety – cybersecurity constraints and the possible impacts of the
cybersecurity controls on the safety of operations.
Reference: Clause 6 (6.1.3) and Annex A. See also ISO/IEC 27002:2013.

Step 11
Activity: Review and authorization of the cybersecurity management plan by the project top management.
Prerequisites: Completed Steps 1 – 10, plus continued commitment of the project top management to
provide the resources needed for the establishment, implementation, operation, maintenance and
continuous improvement of the cybersecurity management system.
Documented output: Cybersecurity management plan officially authorized by the project top management.
Reference: Clause 6 (6.1.3).

Step 12
Activity: Determination of the necessary competences, trainings, certifications, and security clearances of the
personnel implementing the cybersecurity management plan.
Prerequisites: Completed Steps 1 – 11, plus ability and experience in mapping cybersecurity requirements to
the required competences of the project personnel.
Documented output: Document describing the cybersecurity requirements and the corresponding expected
competences of the personnel. The document should also describe the applicable actions to verify the
personnel's competence to perform the tasks. The described actions can include details on appropriate
trainings or practical exercises to acquire the necessary competence.
Reference: Clause 7 (7.2).

Step 13
Activity: Obtaining approval from the project management regarding the acceptance of residual risks not
addressed by the controls of the cybersecurity plan.
Prerequisites: Completed Steps 1 – 12, plus knowledge, skills and experience in identifying residual
cybersecurity risks.
Documented output: Documented approval of the acceptance of residual risks, including the accountability
of the project top management for all residual cybersecurity risks. Examples of residual risks are risks that are
not managed at the project level but are instead part of the cybersecurity risk management at the corporate
level, which might have different priorities and need not be fully in line with the project's cybersecurity
requirements.
Reference: Clause 6 (6.1.3).

Step 14
Activity: Determination of the form and content of intra-project and inter-project communication relevant to
the cybersecurity management. Control of documented information.
Prerequisites: Completed Steps 1 – 13, plus implementation of the need-to-know principle throughout the
project lifecycle. Control of documented information should be addressed in the cybersecurity management
plan (see Step 10).
Documented output: Documented agreed-upon form and frequency of intra-project and inter-project
communication relevant to the cybersecurity management.
Reference: Clause 7 (7.4, 7.5).

Step 15
Activity: Informing project team members of the details of the cybersecurity plan, applying the need-to-know
cybersecurity principle.
Prerequisites: Completed Steps 1 – 14.
Documented output: The personnel of the project receive, in writing, descriptions of the components of the
cybersecurity plan that apply to the given person's roles and responsibilities.
Reference: Clause 7 (7.3, 7.4).

ISMS implementation (2) and operations (3) phases: Steps 16 – 20

Step 16
Activity: Implementation of the controls and processes needed to meet the project's cybersecurity
requirements.
Prerequisites: Completed Steps 1 – 15, plus verification of the completion of Step 12 regarding the
competencies needed for a vulnerability-free implementation of the controls.
Documented output: Detailed documentation of the implemented cybersecurity controls and of the steps
performed to verify their effectiveness. Each cybersecurity control should be explicitly linked to the project's
cybersecurity requirements.
Reference: Clause 8 (8.1, 8.3).

Step 17
Activity: Ongoing cybersecurity risk assessment.
Prerequisites: Completed Steps 1 – 16, plus (i) competencies in identifying weaknesses in security policies,
procedures, system design, and implemented technical, operational and management controls, and (ii)
resources to perform the ongoing risk assessment.
Documented output: Documentation of the regular risk assessments, including details on and justification of
the scope and methods used to identify and assess the risks.
Reference: Clause 8 (8.2).

Step 18
Activity: Regular verification of the performance (efficiency and effectiveness) of the cybersecurity
management system. The performance verification has its own lifecycle that requires (i) determination and
documentation of what needs to be monitored, measured and evaluated, and (ii) reliable, repeatable and
documented methods for monitoring, measurement, analysis, and interpretation of results.
Prerequisites: Completed Steps 1 – 17, plus competent and trustworthy personnel who (i) are capable of
performing the cybersecurity performance verification tasks, (ii) understand the limitations of the performed
cybersecurity verifications, and (iii) are able to interpret and present the findings from a cyber risk-based
perspective.
Documented output: The document describes and justifies (i) the scope of the performance verifications, (ii)
the cybersecurity performance verification procedures and tools used, (iii) the results of the cybersecurity
performance verifications, and (iv) the implications of the findings. The performance verification of the
cybersecurity management system should be documented from the perspective of compliance with the
cybersecurity requirements.
Reference: Clause 9 (9.1).

Step 19
Activity: Planning and implementation of an internal audit of the cybersecurity management system by the
project top management, performed by auditors who ensure the objectivity and impartiality of the audit
process.
Prerequisites: The step that is the subject of the internal audit has to be completed.
Documented output: The document describes the audit criteria and the scope of the audit. The results of the
audit are reported to the relevant management and are typically retained and protected throughout the
project lifecycle.
Reference: Clause 9 (9.2).

Step 20
Activity: Management review of the audit results.
Prerequisites: Completed Step 19.
Documented output: Document that comments on and proposes measures to address the audit findings.
Reference: Clause 9 (9.3) and Clause 10.

Continuous improvement phase (4): Step 21

Step 21
Activity: Identification of nonconformities and of their causes, evaluation of the need to take corrective
action, implementation of corrective actions, and assessment of the results of the corrective actions.
Prerequisites: Completed Steps 1 – 20, plus an in-depth understanding of the cybersecurity requirements and
of the cybersecurity management system that has been implemented to meet the requirements.
Documented output: Document that describes the identified nonconformities, the actions taken to correct
the nonconformities, and the assessment of the results of the corrective actions.
Reference: Clause 10 (10.1).

Appendix A. Glossary
accountability - assignment of actions and decisions to an entity
availability - property of being accessible and usable upon demand by an authorized entity
confidentiality - property that information is not made available or disclosed to unauthorized individuals,
entities, or processes
conformity - fulfillment of a requirement
control - means of managing risk, including policies, procedures, processes, guidelines, practices or
organizational structures, which can be of technical, operational, management, or legal nature.
Control is also used as a synonym for safeguard or countermeasure.
control objective - statement describing what is to be achieved as a result of implementing controls
consultation - a two-way process of informed communication between an organization and its stakeholders on
an issue prior to making a decision or determining a direction on that issue. Consultation is an input
to decision making, not a joint decision making.
cybersecurity - preservation of integrity, availability, and confidentiality in computer-based systems; other
properties, such as authenticity, accountability, non-repudiation, and reliability can be also involved

cybersecurity event - identified occurrence of a system, service or network state indicating a possible breach or
failure of cybersecurity safeguards, or a previously unknown situation that may be cybersecurity
relevant
cybersecurity incident - single or a series of unwanted or unexpected cybersecurity events that have a significant
probability of compromising cybersecurity safeguards and business operations
cybersecurity governance - system by which project's cybersecurity activities are directed and controlled
cybersecurity management system (ISMS) - part of the overall management system, based on a business risk
approach, to establish, implement, operate, monitor, review, maintain and improve cybersecurity.
The management system includes organizational structure, policies, planning activities,
responsibilities, practices, procedures, processes and resources.
decision criteria - thresholds, targets, or patterns used to determine the need for action or further investigation,
or to describe the level of confidence in a given result
effectiveness - extent to which planned activities are realized and planned results achieved
efficiency - relationship between the results achieved and the resources used
external context - external environment in which the project management seeks to achieve its objectives
guideline - description that clarifies what should be done and how, to achieve the objectives
integrity - property of protecting the accuracy and completeness of assets
internal context - internal environment in which the project management seeks to achieve its objectives. The
internal context can include (i) organizational structure, roles and accountabilities; (ii) policies,
objectives, and strategies that are in place to achieve them; (iii) the capabilities, understood in terms
of resources and knowledge (e.g. capital, time, people, processes, systems and technologies); (iv)
computer-based systems; (v) decision-making processes; (vi) relationships with, and perceptions and
values of, internal stakeholders; (vii) the organization's culture; (viii) standards, guidelines and models
adopted by the organization; and (ix) form and extent of contractual relationships.
management system - framework of guidelines, policies, procedures, processes and associated resources aimed
at ensuring an organization meets its objectives
non-conformity - non-fulfillment of a requirement
policy - overall intention and direction as formally expressed by management
preventive action - action to eliminate the cause of a potential non-conformity or other undesirable potential
situation
procedure - specified way to carry out an activity or a process
process - set of interrelated or interacting activities which transforms inputs into outputs
project asset - anything that has value to the project, such as people and their qualifications and skills,
reputation, software, hardware, services, buildings, etc.
project management - (1) person or group of people who have responsibility for implementation of strategies
and policies to accomplish the objectives of the project and who are accountable for the performance
and conformance of the project; (2) coordinated activities to direct and control the project
project stakeholder - any person or organization that affects, is affected by, or perceives itself to be affected
by the activities of the project
residual risk - risk remaining after risk treatment. Residual risk can contain unidentified risk.

review - activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to
achieve established objectives
review objective - statement describing what is to be achieved as a result of a review
risk - effect of uncertainty on objectives. Cybersecurity risk is associated with the potential that threats will
exploit vulnerabilities of a computer-based asset or group of assets and thereby cause harm to an
organization.
risk acceptance - decision to accept a risk
risk analysis - process to comprehend the nature of risk and to determine the level of risk. Risk analysis provides
a basis for decisions about risk treatment.
risk assessment - overall process of risk identification, risk analysis and risk evaluation
risk communication and consultation - continual and iterative processes that an organization conducts to
provide, share or obtain information, and to engage in dialogue with stakeholders regarding the
management of risk.
risk criteria - terms of reference against which the significance of risk is evaluated. Risk criteria are based on
organizational objectives, external and internal context, and can be derived from standards, laws,
policies and other requirements.
risk evaluation - process of comparing the results of risk analysis with risk criteria to determine whether the risk
and/or its magnitude is acceptable or tolerable. Risk evaluation assists in the decision about risk
treatment.
risk identification - process of finding, recognizing and describing risks
risk management - coordinated activities to direct and control an organization with regard to risk
risk management process - systematic application of management policies, procedures and practices to the
activities of communicating, consulting, establishing the context and identifying, analyzing,
evaluating, treating, monitoring and reviewing risk
risk treatment - process to modify risk. Risk treatments that deal with negative consequences are sometimes
referred to as risk mitigation, risk elimination, risk prevention and risk reduction. Risk treatment can
create new risks or modify existing risks.
statement of applicability - documented statement describing the control objectives and controls that are
relevant and applicable to the organization's ISMS
third party - person or body that is recognized as being independent of the parties involved, as concerns the
issue in question
threat - potential cause of an unwanted incident, which may result in harm to a system or organization
validation - confirmation, through the provision of objective evidence, that the requirements for a specific
intended use or application have been fulfilled
verification - confirmation, through the provision of objective evidence, that specified requirements have been
fulfilled. This could also be called compliance testing.
vulnerability - weakness of an asset or control that can be exploited by one or more threats