In the PLAN phase, the basic documents for information security work, including the risk assessment, are prepared and maintained.
At least once a year, activities to increase awareness of information security should be planned. In a risk assessment, you identify the physical and virtual risks to which your area is vulnerable. Subsequently, you should document how you handle the individual risks in a risk management document.
The first step towards a local ISMS is thus the identification and documentation of risks.
Find out more about how to perform a risk assessment. (Danish only)
A clear division of responsibility is necessary when working with information security. The following roles must be clearly assigned:
Clarify your information security needs
To begin with, you must clarify what your ISMS must cover. What should the local ISMS contain, for example at a faculty, a department/school or an administrative unit?
Dealing with all risks at the same time is not necessarily a good idea. It may make more sense to focus on selected risks the first year and shift focus to others in subsequent years.