BS ISO/IEC TR 13335-3:1998

1 Scope
2 References
3 Definitions
4 Structure
5 Aim
6 Techniques for the Management of IT Security
7 IT Security Objectives, Strategy and Policies
    7.1 IT Security Objectives and Strategy
    7.2 Corporate IT Security Policy
8 Corporate Risk Analysis Strategy Options
    8.1 Baseline Approach
    8.2 Informal Approach
    8.3 Detailed Risk Analysis
    8.4 Combined Approach
9 Combined Approach
    9.1 High Level Risk Analysis
    9.2 Baseline Approach
    9.3 Detailed Risk Analysis
          9.3.1 Establishment of Review Boundary
          9.3.2 Identification of Assets
          9.3.3 Valuation of Assets and Establishment of
                  Dependence Between Assets
          9.3.4 Threat Assessment
          9.3.5 Vulnerability Assessment
          9.3.6 Identification of Existing/Planned Safeguards
          9.3.7 Assessment of Risks
    9.4 Selection of Safeguards
          9.4.1 Identification of Safeguards
          9.4.2 IT Security Architecture
          9.4.3 Identification/Review of Constraints
    9.5 Risk Acceptance
    9.6 IT System Security Policy
    9.7 IT Security Plan
10 Implementation of the IT Security Plan
    10.1 Implementation of Safeguards
    10.2 Security Awareness
          10.2.1 Needs Analysis
          10.2.2 Programme Delivery
          10.2.3 Monitoring of Security Awareness
                  Programmes
    10.3 Security Training
    10.4 Approval of IT Systems
11 Follow-up
    11.1 Maintenance
    11.2 Security Compliance Checking
    11.3 Change Management
    11.4 Monitoring
    11.5 Incident Handling
12 Summary
Annex A An Example Contents List for a Corporate IT
          Security Policy
Annex B Valuation of Assets
Annex C List of Possible Threat Types
Annex D Examples of Common Vulnerabilities
Annex E Types of Risk Analysis Method