14 IT Security Manager Key Activities Based on ISO 27001

1. Establishing the management security forum (unless the organization chooses to establish the forum first and then ask the forum to select the manager).

2. Developing, with the forum, the security policy, its objectives and strategy.

3. Defining, with the forum, the scope of the ISMS.

4. Briefing the forum on current threats, vulnerabilities and steps taken to counter them.

5. Carrying out the initial risk assessment.

6. Identifying changed risks and ensuring that appropriate action is taken.

7. Ensuring that the risk is managed by agreeing with the board, and the forum, the organization’s approach to risk management, the risk treatment plan and the level of assurance that will be necessary.

8. Selecting control objectives and controls that, when implemented, will meet the objectives.

9. Preparing the statement of applicability.

10. Recording and handling security incidents, including establishing their causes and determining appropriate corrective and/or preventive action.

11. Reporting to the forum on progress with implementing the ISMS, and on incidents, issues, security matters and current threats.

12. Carrying out reviews.

13. Monitoring compliance with the standard.

14. Taking preventive action, including all the requirements identified in clause 8.3 of the standard. There should be a documented procedure that identifies the IS manager’s responsibility for preventive action and that sets out how the risk treatment plan should be managed and what additional monitoring and information gathering may be necessary for this responsibility to be discharged effectively.
