4.2.1 Establish the ISMS
c) Define the risk assessment approach of the organization.

Q1. Consider the following aspects relating to the organization's risk assessment approach. Tick one box (Yes / Partial / No) for each control requirement.

4.2.1.c.1 Has a risk assessment methodology been identified that is suited to the ISMS and to the identified business information security, legal and regulatory requirements?
4.2.1.c.2 Have criteria for accepting risks and identifying the acceptable levels of risk been developed (see 5.1.f)?
4.2.1.c.3 Does the selected risk assessment methodology ensure that risk assessments produce comparable and reproducible results?
Q2. If you have ticked either of the boxes marked YES, PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken
4.2.1.c.1 | The Malaysian Public Sector Information Security Risk Assessment Methodology (My RAM) |
4.2.1.c.2 | Procedure UUM-DCOP-ISMS-P1-002, Risk Assessment Report (Laporan Penilaian Risiko) |
4.2.1.c.3 | The Malaysian Public Sector Information Security Risk Assessment Methodology (My RAM) |
Version: 1.0, 15 April 2012
Q2. If you have ticked either of the boxes marked YES, PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken
4.2.1.d.1 | Procedure UUM-DCOP-ISMS-P1-002, Risk Assessment Report (Laporan Penilaian Risiko) |
4.2.1.d.2 | Procedure ISMS-DCOP-ISMS-P1-002, Appendix 1(C) |
4.2.1.d.3 | Procedure ISMS-DCOP-ISMS-P1-002, Appendix 1(C) and Appendix 1(F) |
4.2.1.d.5 | Procedure ISMS-DCOP-ISMS-P1-002, Appendix 1(C), Appendix 1(D) and Appendix 1(I) |

COMMENTS: Enter a wider explanation of the reason(s) indicated above. Where aspects are already addressed it may be helpful to detail them.
Q2. If you have ticked either of the boxes marked YES, PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken
4.2.1.e.1 | Procedure ISMS-DCOP-ISMS-P1-002, Appendix 1(C), Appendix 1(D), Appendix 1(I), Appendix 1(J) and Appendix 1(K) |
4.2.1.e.2 | Procedure ISMS-DCOP-ISMS-P1-002, Appendix 1(C), Appendix 1(D) and Appendix 1(I) |
4.2.1.e.4 | |
4.2.1.e.5 | |

COMMENTS: Enter a wider explanation of the reason(s) indicated above. Where aspects are already addressed it may be helpful to detail them.
Q2. If you have ticked either of the boxes marked YES, PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken
4.2.1.f.1 | Procedure ISMS-DCOP-ISMS-P1-002, Appendix 1(C), Appendix 1(D) and Appendix 1(M) |
4.2.1.f.2 | |

COMMENTS: Enter a wider explanation of the reason(s) indicated above. Where aspects are already addressed it may be helpful to detail them.
Q2. If you have ticked either of the boxes marked YES, PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken
4.2.1.g.1, 4.2.1.g.2, 4.2.1.g.3 | No specific process is being applied to select and implement control objectives and controls that meet the requirements identified by the risk assessment and risk treatment process. |
4.2.1 Establish the ISMS
h) Obtain management approval of the proposed residual risks.

Q1. Consider the following aspect relating to the process of approving the proposed residual risks and the process of obtaining management authorization to implement and operate the ISMS. Tick one box (Yes / Partial / No) for each control requirement.

4.2.1.h.1 Is there a process in place and being used for obtaining management approval of residual risks?
Q2. If you have ticked either of the boxes marked YES, PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken
4.2.1.h.1 | Procedure ISMS-DCOP-ISMS-P1-007, Approval of the Director of the Computer Centre (Kelulusan Pengarah Pusat Komputer) |

COMMENTS: Enter a wider explanation of the reason(s) indicated above. Where aspects are already addressed it may be helpful to detail them.
4.2.2 Implement and operate the ISMS
a) Formulate a risk treatment plan that identifies the appropriate management action, resources, responsibilities and priorities for managing information security risks (see 5).

Q2. If you have ticked either of the boxes marked YES, PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken
4.2.2.a.1 | Procedure ISMS-DCOP-ISMS-P1-007, Approval of the Director of the Computer Centre (Kelulusan Pengarah Pusat Komputer) |
4.2.2.a.2 | |
4.2.2.a.3 | No specific process is being applied to ensure that the necessary responsibilities and priorities are identified for managing information security risks. |

COMMENTS: Enter a wider explanation of the reason(s) indicated above. Where aspects are already addressed it may be helpful to detail them.
4.2.2 Implement and operate the ISMS
b) Implement the risk treatment plan in order to achieve the identified control objectives, which includes consideration of funding and allocation of roles and responsibilities.
c) Implement the controls selected in 4.2.1.g to meet the control objectives.

Q2. If you have ticked either of the boxes marked YES, PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken
4.2.2.b.1 | |
4.2.2.b.2 | |
4.2.2.b.3 | |
4.2.2.c.1 | |
4.2.2.c.2 | |

COMMENTS: Enter a wider explanation of the reason(s) indicated above. Where aspects are already addressed it may be helpful to detail them.
4.2.3 Monitor and review the ISMS
d) Review risk assessments at planned intervals and review the level of residual risk and identified acceptable risk.

Q1. Consider the following aspects relating to the process of regularly reviewing the risk assessment, the level of residual risk and the identified acceptable risk. Tick one box (Yes / Partial / No) for each control requirement.

4.2.3.d.1 Is there a process in place and being used for reviewing the risk assessments at planned intervals, and for reviewing the level of residual risk and identified acceptable risk?
4.2.3.d.2 Does this process take account of changes to the organization?
4.2.3.d.3 Does this process take account of changes in technology?
4.2.3.d.4 Does this process take account of changes to business objectives and processes?
4.2.3.d.5 Does this process take account of identified threats?
4.2.3.d.6 Does this process take account of the effectiveness of implemented controls?
4.2.3.d.7 Does this process take account of external events, such as changes to the legal or regulatory environment, changed contractual obligations, and changes in social climate?
Q2. If you have ticked either of the boxes marked YES, PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken

COMMENTS: Enter a wider explanation of the reason(s) indicated above. Where aspects are already addressed it may be helpful to detail them.