Step 1: PLAN: Planning and risk assessment

AU’s information security policy sets out minimum requirements for the activities that must be carried out when implementing or evaluating a local ISMS.

In this stage, the year’s activities can be planned. We recommend basing the choice of activities on a risk assessment.

In the PLAN phase, the basic documents for information security work are prepared and maintained. Including risk assessment.

At least once a year, activities to increase awareness of information security should be planned. In a risk assessment, you identify the physical and virtual risks to which your area is vulnerable. Subsequently, you should document how you handle the individual risks in a risk management document.

The first step towards a local ISMS is thus identification and documentation of risks.

Find out more about how to perform a risk assessment. (Danish only)

Get off to a good start

Organisation and clarification

A clear division of responsibility is necessary when working with information security. The following roles must be clearly assigned:

  • The senior management team – which has approved the university’s information security policy
  • The information security department – which provides support for the implementation of ISMS
  • The manager of the unit – who is responsible for implementing the local ISMS
  • The system owner – who is responsible for the data contained in a specific system

Clarify your information security needs

To begin with, you must clarify what your ISMS must cover. What should the local ISMS contain - for example at a faculty, a department/school or an administrative unit.

  • Clarify what systems and information you have and what threats they face.
  • Document choices and initiatives in relation with the ???
  • Plan emergency response initiatives.
  • Prepare and approve a plan for managing information security risks.

Dealing with all risk at the same time is not necessarily a good idea. It may make more sense to focus on selected risks the first year and shift focus to others in subsequent years.

Document your activities

  • Adopt a file naming convention
  • Decide on acceptable file formats.
  • There must also be a process for reviewing and approving the documentation.
  • There must be an audit trail for changes to the documentation.