using mobious using Plan Do check Act model Plan

Review & Update information security strategy & Policies

Review and update ISMS scope

Review & update stakeholder mapping

Review & Update information security RASCI

Review & Update information security risk management approach

Maintain Inventory of Assets

Do

Analyse and evaluate information security Risk

Determine inherent risk rating per information assets

Update statement of applicability on risks

Evaluate controls

Residual risk rating

Risk treatment plan & implementation Review & Update information security

Operational security controls

Iso $27002$ controls

Others as required

Check

Monitor risk treatment progress

Information security metrics & measurement

Management review $($IT steering committee, IT Risk committee, Monthly ISMS SteerCO, Quartely Board reporting and annual gap assessments$)$

Internal Audit

Review & maintain Corrective Action Log

Act

Ensure corrective Action & Esure continual improvement