ISO 27000

ISO 27000 outline ISMS - Information Security Management System

Upload: will-pollard

Post on 13-Nov-2014


DESCRIPTION

Slides explaining ISO 27000 (specifically the clause structure of ISO/IEC 27001:2005, which sets out the ISMS requirements) and how it maps onto the Plan-Do-Check-Act cycle.

TRANSCRIPT

Page 1: ISO 27000

ISO 27000

Outline: ISMS - Information Security Management System

Page 2: ISO 27000

The clause numbers below are those of ISO/IEC 27001:2005, the standard in the 27000 family that specifies the ISMS requirements.

4.2.1 - "Establish the ISMS" - is close to Plan. It involves aligning the ISMS with business objectives, defining the risk assessment approach and risk acceptance criteria, assessing the business impact of potential failures, and selecting control objectives and controls from Annex A.

The Statement of Applicability lists the selected controls and justifies any exclusions from Annex A. So although Annex A is long and can require detailed work, the main clauses rest on risk assessment, which means putting a value on information.

Page 3: ISO 27000

4.2.2 - "Implement and operate the ISMS" - is close to Do.

4.2.3 - "Monitor and review the ISMS" - is a form of Study or Check: detecting errors and security incidents, regular reviews of effectiveness, and consideration of changes in technology and in the organisation.

Page 4: ISO 27000

4.2.4 seems incomplete as an equivalent of Act. It is headed "Maintain and improve the ISMS" and includes corrective and preventive action, both of which could equally relate to other phases. However, the Act phase is also covered by the later clauses on management responsibility and management review.

Page 5: ISO 27000

4.3 is about documentation requirements: the documents the ISMS must contain, document control, and control of records. Documentation for standards is often seen as restrictive, but one approach is to regard any existing document as a system model, as in Peter Checkland's Soft Systems approach. Given computers and networks, it is now possible to amend documents while still maintaining version and approval control.

Page 6: ISO 27000

5 is about management responsibility, in particular management commitment. This is evidenced by establishing the ISMS policy, providing resources and conducting management reviews. Resources include those for "training, awareness and competence".

6 is about internal ISMS audits. These should allow for study and reflection, not just serve to identify nonconformances.

Page 7: ISO 27000

7 is about management review again, another chance for Act. Since the review has a complete clause of its own in the standard, it should be clear that it is intended to happen at planned intervals, on a regular basis, with defined inputs and outputs.

8 is about ISMS improvement (continual improvement, corrective action and preventive action), as something that happens at any level in the organisation.