Definition

  • Process: A series of structured and interrelated activities or tasks designed to achieve specific company objectives. Processes ensure the systematic management of an organization's operations by providing a framework for consistent and repeatable activities.

Types of Processes

  1. Operational Processes: The day-to-day activities that carry out the organization’s core business.

  2. Management Processes: Planning, monitoring, and reviewing activities that ensure the other processes meet the organization’s requirements.

  3. Support Processes: These provide necessary resources and support to the operational and management processes. Examples include HR management, financial management, and IT support.

Standards and Frameworks

There is a wide variety of standards and frameworks that focus on processes. Below you’ll find a subset of related references.

General processes

  1. ISO 9001 (Quality Management Systems):

    • Focuses on quality management principles including a strong customer focus, the motivation and involvement of top management, the process approach, and continual improvement.

    • Provides a framework for organizations to meet customer and other stakeholder needs within statutory and regulatory requirements.

  2. ISO 31000 (Risk Management):

    • Provides guidelines for risk management principles and implementation.

    • Applicable to any organization regardless of size, industry, or sector.

  3. ISO 14001 (Environmental Management Systems):

    • Specifies requirements for an effective environmental management system (EMS).

    • Helps organizations improve their environmental performance through more efficient use of resources and waste reduction.

  4. ISO/IEC 20000 (IT Service Management):

    • Specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain, and improve a service management system (SMS).

  5. Lean Six Sigma:

    • Combines Lean manufacturing/Lean enterprise and Six Sigma to improve performance by systematically removing waste and reducing variation.

    • Focuses on process improvement and variation reduction through the application of DMAIC (Define, Measure, Analyze, Improve, Control).

  6. Business Process Model and Notation (BPMN):

    • Provides a graphical representation for specifying business processes in a Business Process Diagram (BPD).

    • Widely used for business process modeling to ensure consistency and understanding among stakeholders.

  7. Total Quality Management (TQM):

    • Focuses on long-term success through customer satisfaction.

    • Integrates fundamental management techniques, existing improvement efforts, and technical tools under a disciplined approach.

  8. COBIT (Control Objectives for Information and Related Technologies):

    • Provides a framework for developing, implementing, monitoring, and improving IT governance and management practices.

    • Helps enterprises achieve their objectives for the governance and management of enterprise IT.

  9. ITIL (Information Technology Infrastructure Library):

    • Provides a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business.

    • Offers guidance on the provisioning, management, and delivery of IT services.

  10. The Balanced Scorecard:

    • A strategic planning and management system used to align business activities to the vision and strategy of the organization.

    • Improves internal and external communications, and monitors organizational performance against strategic goals.

ISMS related processes

  • ISO/IEC 27001: The leading international standard for ISMS, providing requirements for establishing, implementing, maintaining, and continuously improving an ISMS.

  • NIST Cybersecurity Framework: The National Institute of Standards and Technology developed a framework that provides guidelines for managing and reducing cybersecurity risks.

  • PCI DSS (Payment Card Industry Data Security Standard): Sets security requirements for organizations that handle branded credit cards from the major card schemes.

Conclusion

Processes are fundamental to the effective operation of a company. By systematically managing and securing information through well-defined and structured processes, organizations can protect their information assets against a wide range of threats. Implementing and adhering to recognized standards and frameworks provides a robust foundation for these processes, enabling organizations to not only comply with regulatory requirements but also to build trust with stakeholders and continuously improve their information security posture.

How to configure processes

Click “Create Process”, fill out the form with all necessary data, and finish by clicking the “Create” button. Processes are often centralized and documented within a company; if another application is the system of record for process data, you can enter an external link to it here. If you don't have such an application, you can maintain all your high-level processes here.

Risks may reference processes so that the business impact of a risk can be analysed against the processes it affects.

Having done this, you’ll see the new process in the overview:
