ITIL security management

"ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks.

It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties."[1]

Security management is a continuous process that can be compared to W. Edwards Deming's Quality Circle (Plan, Do, Check, Act).

The clients are then able to adapt their requirements based on the information received through the reports.

The Control sub-process defines the processes, the allocation of responsibility for the policy statements and the management framework.

The security management framework defines the sub-processes for developing security plans, implementing them, evaluating the results, and translating the evaluation results into action plans.

The meta-data model of the control sub-process is based on a UML class diagram.

Furthermore, the Plan sub-process contains activities related to the underpinning contracts that are specific to (information) security.

In the Plan sub-process the goals formulated in the SLA are specified in the form of operational level agreements (OLAs).

These OLAs can be defined as security plans for a specific internal organizational entity of the service provider.

Besides the input of the SLA, the Plan sub-process also works with the policy statements of the service provider itself.

The operational level agreements for information security are set up and implemented based on the ITIL process.

The dotted arrows indicate which concepts are created or adjusted in the corresponding activities of the Plan sub-process.

The four labels with a black shadow indicate that these activities are closed concepts that are not expanded in this context.

In addition to those already mentioned, an evaluation based on reported security incidents is carried out.

Maintenance is based on the results of the Evaluation sub-process and on insight into changing risks.

The proposals either serve as inputs for the Plan sub-process and travel through the cycle, or are adopted as part of maintaining the service level agreements.

The dotted arrows indicate which concepts are created or adjusted in the activities of the implementation phase.

The Security Management Process, as stated in the introduction, has relations with almost all other ITIL processes.

However, Security Management gives the process concerned indications of how to structure these activities.

In this example the ITIL Security Management approach is used to implement e-mail policies.

The Security Management team is formed, and process guidelines are formulated and communicated to all employees and providers.

Policies specific to e-mail security are formulated and added to service level agreements.