@opexxx
Created December 25, 2022 20:00
ISMS_implementationplan
1 S 1. Management Support
2 T Outline business case
3 T Present business case
4 M Management support is obtained
5 T Initiate project
6 T Plan project
7 S 2. Determine Scope
8 T Determine external issues
9 T Determine internal issues
10 T Identify external interested parties
11 T Identify internal interested parties
12 T Identify requirements of interested parties
13 T Determine preliminary scope
14 T Determine refined scope
15 T Determine final scope
16 T Document final scope
17 T Approve final scope
18 M Scope is approved
19 S 3. Define Information security policy
20 T Determine information security objectives
21 T Write information security policy
22 T Publish information security policy
23 S 4. Inventory of assets
24 T Identify primary assets
25 T Identify supporting assets
26 T Map primary and supporting assets
27 T Identify asset owners
28 T Develop information classification policy
29 T Classify assets
30 T Develop procedures for information labelling
31 T Label assets
32 T Document asset inventory
33 S 5. Risk Management Methodology
34 T Define information security risk criteria
35 T Define information security risk acceptance criteria
36 T Approve information security risk acceptance criteria
37 T Define information security risk assessment process
38 T Define information security risk treatment process
39 S 6. Information security risk assessment
40 S Risk identification
41 T Identify threats
42 T Identify existing controls
43 T Identify vulnerabilities
44 T Identify consequences (impact)
45 S Risk analysis
46 T Assess consequences (impact)
47 T Assess likelihood
48 T Determine risk level
49 S Risk evaluation
50 T Evaluate risks
51 M Risk assessment is completed
52 S 7. Information security risk treatment
53 T Select risk treatment options
54 T Determine controls
55 T Produce Statement of Applicability (SoA)
55 T Formulate risk treatment plan
56 T Obtain approval for risk treatment plan
57 M Risk treatment plan is approved
58 T Implement risk treatment plan
59 T Update Statement of Applicability (SoA)
60 M Risk treatment plan is implemented
61 S 8. Performance Evaluation
62 S Monitoring
63 T Identify information needs
64 T Create and maintain measures
65 T Establish procedures
66 T Monitor and measure
67 T Analyse results
68 T Evaluate information security performance
69 T Evaluate ISMS effectiveness
70 T Document results
71 S Internal audit
72 T Establish audit programme objectives
73 T Determine audit programme risks and opportunities
74 T Evaluate audit programme risks and opportunities
75 T Establish audit programme
76 T Implement audit programme
77 T Conduct internal audits
78 T Report audit results
79 S Management review
80 T Review reporting of the performance of the ISMS
81 T Provide results of management review
82 S 9. Improvement
83 T Identify nonconformities
84 T Review nonconformities
85 T Perform root cause analysis
86 T Determine corrective actions
87 T Plan corrective actions
88 T Implement corrective actions
89 T Assess corrective actions
90 M ISMS is compliant
91 S 10. Certification audit
92 T Contact certification bodies
93 T Request proposals
94 T Review proposals
95 T Select certification body
96 T Sign engagement letter
97 T Schedule stage 1 audit
98 T Undergo stage 1 audit
99 T Schedule stage 2 audit
100 T Undergo stage 2 audit
101 M ISMS is certified