To manage information security effectively through all activities performed to deliver and manage services, so that the confidentiality, integrity and accessibility of relevant information assets are preserved

• Define a scheme to classify information assets according to their sensitivity / criticality.
• Define a way to document an inventory of (information) assets.
• Identify, describe and classify the most important information assets.
• Identify the most important links between configuration items (CIs) such as informationprocessing systems / facilities and the information assets identified before.
• Define a method / scheme to identify and assess information security risks.
• Perform an initial risk assessment, based on the identified assets, and focused on the most significant information security risks.
• Define clear information security policies as a basis for effective information security governance.
• Define a way to document information security controls and to monitor their status and progress of implementation.
• Identify and document the most important technical, physical and organisational information security controls in place.

• Information security requirements (from SLAs, legislation, contracts)
• Relevant risk factors (information on assets, vulnerabilities, threats)

• Manage (information) assets
  
  • Add an information asset to the asset inventory
  • Update the description or classification of an information asset in the asset inventory
  • Remove an information asset from the asset inventory
• Manage information security risks
  
  • Identify and assess a new or changed information security risk
  • Review or repeat the information security risk assessment (in regular intervals)
• Maintain information security policies
  
  • Create, approve and communicate a new information security policy
  • Update an existing information security policy
  • Retire an existing information security policy
• Plan and implement information security controls
  
  • Specify a new information security control
  • Update the specification of an existing information security control
  • Retire an existing information security control
• Manage information security events and incidents
  • Monitor, record and classify information security events
  • Identify and handle an information security incident
  • Define and monitor follow-up actions after an information security incident
• Perform access control
  
  • Process requests for access rights
  • Provide access rights
  • Modify or revoke access rights
  • Review access rights (in regular intervals)

• Up-to-date inventory of information assets
• Approved information security policies
• Up-to-date information security risk assessment
• Documented information security controls
• Reports on information security events, incidents and follow-up actions