ISMS is that part of the overall management system, based on a business risk approach, that serves to:
Establish
Implement
Operate
Monitor
Review
Maintain & Improve
information security.
ISMS is a management assurance mechanism for the security of information assets concerning their:
Availability
Integrity
Confidentiality
Developing the ISMS Process
The following mandatory documentation is explicitly required for certification:
ISMS scope
Information security policy
Information security risk assessment process
Information security risk treatment process
Information security objectives
Evidence of the competence of the people working in information security
Other ISMS-related documents deemed necessary by the organization
Operational planning and control documents
The results of the risk assessments
The decisions regarding risk treatment
Evidence of the monitoring and measurement of information security
The ISMS internal audit program and the results of audits conducted
Evidence of top management reviews of the ISMS
Evidence of nonconformities identified and corrective actions arising
Various others, including:
Rules for acceptable use of assets
Access control policy
Operating procedures
Confidentiality or non-disclosure agreements
Secure system engineering principles
Information security policy for supplier relationships
Information security incident response procedures
Relevant laws, regulations and contractual obligations, plus the associated compliance procedures
Information security continuity procedures