Cybersecurity Integrated Management System Reference Model


Transcript of Cybersecurity Integrated Management System Reference Model

Page 1: Cybersecurity Integrated Management System Reference Model

THIS DOCUMENT HAS BEEN CLASSIFIED FOR PUBLIC USE

Integrated Management System

Enterprise Cybersecurity Integrated Management Frameworks

[Figure: Integrated Management System diagram. Only its labels survive in this transcript; they are listed below in the order they appear on the page.]

Frameworks shown:
ISO/IEC 27001
ISO 9001
ISO 22301

Diagram labels:
Context of the Organization
Support
Operation
Governance
Planning
Customer Focus
Roles & Responsibilities
Planning
Quality Policy
Requirements for Products & Services
BCMS Policy
Operational Planning & Control
BCMS Strategy
Exercise & testing
Improvement
Performance Evaluation
Annex ‘A’ Integration
Operational Planning & Control
Competencies
Environment for the Operation of Processes
Monitoring & Measuring Resources
Evaluating BCMS
BCMS Roles & Responsibilities
BCMS Scope
Competence
Business Impact Assessment & Risk Assessment
Recovery
Product Development Lifecycle
Risk Management
Customer Satisfaction
Supply Chain

Page 1 of 6

Page 2: Cybersecurity Integrated Management System Reference Model


Parent - ISO/IEC 27001

Clause / Description
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.1 (c) the organization’s risk appetite
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8 Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement

ISO 27001 ISMS Annex 'A' (Integration points with operations listed in Annex “A” - A.5 – A.18)


Page 3: Cybersecurity Integrated Management System Reference Model


Child ISO 9001

Clause / Description
4 Context of the organization (ISO 9001 feeds ISO/IEC 27001)
4.1 (c) the organization’s risk appetite (ISO 9001 feeds ISO/IEC 27001)
4.3 Determining the scope of the information security management system (ISO 9001 feeds ISO/IEC 27001)
4.4 Information security management system (ISO 9001 feeds ISO/IEC 27001)
5 Leadership (ISO 9001 feeds ISO/IEC 27001)
5.1 Leadership and commitment (ISO 9001 feeds ISO/IEC 27001)
5.1.2 Customer focus (ISO 9001)
5.2 Policy (ISO 9001)
5.2.1 Developing the quality policy (ISO 9001)
5.2.2 Communicating the quality policy (ISO 9001)
5.3 Organizational roles, responsibilities and authorities (ISO 9001)
6 Planning (ISO 9001)
6.1 Actions to address risks and opportunities (ISO 9001 feeds ISO/IEC 27001)
6.2 Information security objectives and planning to achieve them (ISO 9001 feeds ISO/IEC 27001)
6.2 Quality objectives and planning to achieve them (ISO 9001)
6.3 Planning of changes (ISO 9001)
7 Support (ISO 9001 feeds ISO/IEC 27001)
7.1 Resources (ISO 9001 feeds ISO/IEC 27001)
7.1.1 General (ISO 9001)
7.1.2 People (ISO 9001)
7.1.3 Infrastructure (ISO 9001)
7.1.4 Environment for the operation of processes (ISO 9001)
7.1.5 Monitoring and measuring resources (ISO 9001)
7.1.6 Organizational knowledge (ISO 9001)
7.2 Competence (ISO 9001)
7.5 Documented information (ISO 9001 feeds ISO/IEC 27001)
7.5 Documented information (ISO 9001)
7.5.1 General (ISO 9001)
7.5.2 Creating and updating (ISO 9001)
7.5.3 Control of documented information (ISO 9001)
8 Operation (ISO 9001 feeds ISO/IEC 27001)
8 Operation (ISO 9001)
8.1 Operational planning and control (ISO 9001 feeds ISO/IEC 27001)
8.1 Operational planning and control (ISO 9001)
8.2 Information security risk assessment (ISO 9001 feeds ISO/IEC 27001)
8.2 Requirements for products and services (ISO 9001)
8.2.1 Customer communication (ISO 9001)
8.2.2 Determining the requirements related to products and services (ISO 9001)
8.2.3 Review of requirements related to products and services (ISO 9001)
8.2.4 Changes to requirements for products and services (ISO 9001)


RED = Outputs to Parent Standard ISO/IEC 27001 ISMS

Page 4: Cybersecurity Integrated Management System Reference Model


Child ISO 9001

Clause / Description
8.3 Information security risk treatment (ISO 9001 feeds ISO/IEC 27001)
8.3 Design and development of products and services (ISO 9001)
8.3.2 Design and development planning (ISO 9001)
8.3.3 Design and development inputs (ISO 9001)
8.3.4 Design and development controls (ISO 9001)
8.3.5 Design and development outputs (ISO 9001)
8.3.6 Design and development changes (ISO 9001)
8.4 Control of externally provided products and services (ISO 9001)
8.4.2 Type and extent of control (ISO 9001)
8.4.3 Information for external providers (ISO 9001)
8.5 Production and service provision (ISO 9001)
8.5.1 Control of production and service provision (ISO 9001)
8.5.2 Identification and traceability (ISO 9001)
8.5.3 Property belonging to customers or external providers (ISO 9001)
8.5.4 Preservation (ISO 9001)
8.5.5 Post-delivery activities (ISO 9001)
8.5.6 Control of changes (ISO 9001)
8.6 Release of products and services (ISO 9001)
8.7 Control of nonconforming outputs (ISO 9001)
9 Performance evaluation (ISO 9001 feeds ISO/IEC 27001)
9 Performance evaluation (ISO 9001)
9.1 Monitoring, measurement, analysis and evaluation (ISO 9001 feeds ISO/IEC 27001)
9.1 Monitoring, measurement, analysis and evaluation (ISO 9001)
9.1.2 Customer satisfaction (ISO 9001)
9.1.3 Analysis and evaluation (ISO 9001)
9.2 Internal audit (ISO 9001 feeds ISO/IEC 27001)
9.3 Management review (ISO 9001 feeds ISO/IEC 27001)
10 Improvement (ISO 9001 feeds ISO/IEC 27001)
10.1 Nonconformity and corrective action (ISO 9001 feeds ISO/IEC 27001)
10.2 Continual improvement (ISO 9001 feeds ISO/IEC 27001)


Page 5: Cybersecurity Integrated Management System Reference Model


Child ISO 22301

Clause / Description
4 Context of the organization (ISO 22301 feeds ISO/IEC 27001)
4.1 Understanding the organization and its context (ISO 22301)
4.1 (c) the organization’s risk appetite (ISO 22301 feeds ISO/IEC 27001)
4.2 Understanding the needs and expectations of interested parties (ISO 22301)
4.3 Determining the scope of the information security management system (ISO 22301 feeds ISO/IEC 27001)
4.3.2 Scope of the BCMS (ISO 22301)
4.4 Information security management system (ISO 22301 feeds ISO/IEC 27001)
4.4 Business Continuity Management System (ISO 22301)
5 Leadership (ISO 22301 feeds ISO/IEC 27001)
5.1 Leadership and commitment (ISO 22301 feeds ISO/IEC 27001)
5.2 Management Commitment (ISO 22301)
5.3 Policy (ISO 22301)
5.4 Organization roles, responsibilities and authorities (ISO 22301)
6 Planning (ISO 22301)
6.1 Actions to address risks and opportunities (ISO 22301 feeds ISO/IEC 27001)
6.2 Information security objectives and planning to achieve them (ISO 22301 feeds ISO/IEC 27001)
6.2 Business continuity objectives and plans to achieve them (ISO 22301)
7 Support (ISO 22301 feeds ISO/IEC 27001)
7.1 Resources (ISO 22301 feeds ISO/IEC 27001)
7.2 Competence (ISO 22301)
7.5 Documented information (ISO 22301 feeds ISO/IEC 27001)
7.5 Documented information (ISO 22301)
7.5.1 General (ISO 22301)
7.5.3 Control of documented information (ISO 22301)
8 Operation (ISO 22301 feeds ISO/IEC 27001)
8 Operation (ISO 22301)
8.1 Operational planning and control (ISO 22301 feeds ISO/IEC 27001)
8.1 Operational planning and control (ISO 22301)
8.2 Information security risk assessment (ISO 22301 feeds ISO/IEC 27001)
8.2 Business impact analysis and risk assessment (ISO 22301)
8.3 Information security risk treatment (ISO 22301 feeds ISO/IEC 27001)
8.3 Business continuity strategy (ISO 22301)
8.3.1 Determination and selection (ISO 22301)
8.3.2 Establishing resource requirements (ISO 22301)
8.3.2 Protection and mitigation (ISO 22301)
8.4 Establish and implement business continuity procedures (ISO 22301)
8.4.2 Incident response structure (ISO 22301)
8.4.3 Warning and communications procedures (ISO 22301)
8.4.4 Business continuity plans (ISO 22301)
8.4.5 Recovery (ISO 22301)
8.5 Exercising and testing (ISO 22301)


Page 6: Cybersecurity Integrated Management System Reference Model


Child ISO 22301

Clause / Description
9 Performance evaluation (ISO 22301 feeds ISO/IEC 27001)
9 Performance evaluation (ISO 22301)
9.1 Monitoring, measurement, analysis and evaluation (ISO 22301 feeds ISO/IEC 27001)
9.1.1 General (ISO 22301)
9.1.2 Evaluation of Business Continuity Procedures (ISO 22301)
9.2 Internal audit (ISO 22301 feeds ISO/IEC 27001)
9.2 Internal audit (ISO 22301)
9.3 Management review (ISO 22301 feeds ISO/IEC 27001)
9.3 Management review (ISO 22301)
10 Improvement (ISO 22301 feeds ISO/IEC 27001)
10.1 Nonconformity and corrective action (ISO 22301 feeds ISO/IEC 27001)
10.1 Nonconformity and corrective action (ISO 22301)
10.2 Continual improvement (ISO 22301 feeds ISO/IEC 27001)
