← Patterns / SP-018

Information Security Management System (ISMS) Module

OpenSecurityArchitecture (OSA) distills the know-how of the security architecture community and provides readily usable patterns for your application. This is a free framework, developed and owned by the community.

Release: 08.02 Authors: Russell Updated: 2025-07-05

Your browser does not support SVG. Download the diagram.

Click on controls in the diagram to view details. Download SVG

When to Use

Organisation with computing environment that must be secured in a structured manner to meet Business, Legal, Regulatory or Industry requirements.

When NOT to Use

None

Typical Challenges

Structured planning approach can be difficult to embed into the organisation and requires commitment from senior management over extended periods of time.

Threat Resistance

Not applicable

Assumptions

Plan, Do, Check, Act Model is basis for lifecycle.

Mapped Controls (29)

AC: 2AT: 2AU: 1CA: 5CM: 1CP: 1IA: 1IR: 5MA: 1MP: 1PE: 1PL: 1PS: 1RA: 2SA: 1SC: 1SI: 2
  • AC-01 Access Control Policies and Procedures
  • AC-13 Supervision And Review -- Access Control
  • AT-01 Security Awareness And Training Policy And Procedures
  • AT-05 Contacts With Security Groups And Associations
  • AU-01 Audit And Accountability Policy And Procedures
  • CA-01 Certification, Accreditation, And Security Assessment Policies And Procedures
  • CA-02 Security Assessments
  • CA-04 Security Certification
  • CA-05 Plan Of Action And Milestones
  • CA-07 Continuous Monitoring
  • CM-01 Configuration Management Policy And Procedures
  • CP-01 Contingency Planning Policy And Procedures
  • IA-01 Identification And Authentication Policy And Procedures
  • IR-01 Incident Response Policy And Procedures
  • IR-04 Incident Handling
  • IR-05 Incident Monitoring
  • IR-06 Incident Reporting
  • IR-07 Incident Response Assistance
  • MA-01 System Maintenance Policy And Procedures
  • MP-01 Media Protection Policy And Procedures
  • PE-01 Physical And Environmental Protection Policy And Procedures
  • PL-01 Security Planning Policy And Procedures
  • PS-01 Personnel Security Policy And Procedures
  • RA-01 Risk Assessment Policy And Procedures
  • RA-05 Vulnerability Scanning
  • SA-01 System And Services Acquisition Policy And Procedures
  • SC-01 System And Communications Protection Policy And Procedures
  • SI-01 System And Information Integrity Policy And Procedures
  • SI-05 Security Alerts And Advisories