The activities of Information Security Management are involved in multiple phases of the Service Lifecycle, including the:
* Development and maintenance of the Information Security Policy
* Communication, implementation and enforcement of the security policies
* Assessment and classification of all information assets and documentation
* Implementation and continual review of appropriate security controls
* Monitoring and management of all security incidents
* Analysis, reporting and reduction of the volumes and impact of security breaches and incidents
* Scheduling and execution of security reviews, audits and penetration tests.

Training and awareness are particularly vital, and are often the weak point in an organization’s control of security (particularly at the end-user stage). As part of the "maintain" element of the ISMS, consideration should be given to how methods and techniques can be improved so that the policies and standards can be more easily followed and implemented.