ISO27000 certification planning and preparation
Time: 2022-03-24

Education and training


  To strengthen the organization's awareness of information security and clarify the basic requirements of the information security management system, it is necessary to conduct training on information security management system standards and related knowledge. This training is also one of the key factors for the organization to do a good job in information security management.


   Make a plan


  Establishing and maintaining an information security management system is a complex systems engineering effort that includes a great deal of work, such as training, risk assessment, document preparation, operation, audit, and corrective and preventive measures. To ensure the smooth establishment of the system, the organization should make overall arrangements: formulate a practical work plan, clarify the work objectives and the division of responsibilities for each time period, control the work progress, and highlight the key points of the work, for example by using a project schedule. Once the master plan is approved, detailed plans for specific work items, such as document preparation plans, can be developed. When developing a plan, the organization should consider resource requirements, such as personnel needs, training funds, office facilities, and the cost of hiring a consulting firm. If third-party certification of the system is sought, the cost of certification should also be considered. The top management of the organization should ensure the human and financial resources necessary to establish the system.


   Determine the information security policy and the scope of the information security management system


   An information security policy is the set of rules and instructions that govern how assets, including sensitive information, are managed, protected, and distributed within an organization. The information security policy mentioned here is the organization's overall information security policy. The organization should first formulate an information security policy that describes the importance of information security within the organization, indicates management's commitment, and proposes methods for the organization to manage information security, in order to provide management direction and support for the organization's information security.


   Status Investigation and Risk Assessment


Organizing the information security management status investigation and risk assessment is the foundation and key to establishing an information security management system. Across the entire process of establishing the system, risk assessment accounts for a large proportion of the workload, and the quality of the risk assessment directly affects the reasonable choice of security controls. Therefore, the organization should designate a special department to be responsible for this basic work, and the risk assessor should understand the basic requirements of the standard, master the method of risk assessment, and be familiar with the organization's business operation processes and information systems. Risk assessment requires the participation of management, information technology, and operations personnel from different departments, and should obtain the support of information security experts if necessary. The results of the risk assessment should be confirmed.


  Information Security Management System Planning


After completing the status investigation and risk assessment, the organization shall, according to the overall requirements of the established information security policy, the scope of the information security management system, and the results of the risk assessment, clarify the organization's information security structure and responsibilities, select control objectives and control methods, write a control summary, and develop a business continuity plan.