Wednesday, September 1, 2010

ISO/IEC 27001:2005 structures its approach around the following areas, applying the PDCA (Plan-Do-Check-Act) methodology:

1. Security Management & Principles: The core components of risk management, information security policy, procedures, standards, guidelines, baselines, classification, education, and security organization serve as the foundation of information security. Security controls are implemented and maintained to address the three interdependent principles present in all programs: Confidentiality, Integrity and Availability, also known as the "CIA triad."

2. Security Management Responsibilities: This includes the resources, funding, and strategic representation needed to participate in a security program. The assigned responsibilities get the ISMS off the ground and keep it thriving and evolving as the environment changes. Management support is one of the most important factors for the success of the security program.

3. Top-Down Approach: The top-down approach means that top management provides support and direction, which is cascaded down through middle-level management and then to staff members.

4. Risk Management: Risk management is the process of identifying, analyzing, assessing, evaluating, and reducing risk to an acceptable level, and implementing the right defense mechanisms to keep risk at that level over time.

5. Security Awareness: To achieve the desired results of the security program, an organization must communicate the "what, how and why" of security to its employees. This awareness should be comprehensive, tailored, and organization-wide.

6. Business Continuity and Disaster Management: Ensures continuity, recovery and restoration of the business in case of disaster. In an emergency, this would involve moving critical systems to another environment while the original facilities are being repaired.

7. Legal Compliance: Includes compliance with various civil, criminal, and administrative (regulatory) laws, such as those covering intellectual property, trade secrets, copyrights, trademarks, patents, and data protection.