Plan: 1. Define the scope of the ISMS. 2. Define an ISMS policy. 3. Define the approach to risk assessment. 4. Identify the risks. 5. Assess the risks. 6. Identify and evaluate options for the treatment of risk. 7. Select control objectives and controls. 8. Prepare a statement of applicability (SOA ...