ITIL先锋论坛

woiyezi's personal space https://www.itilxf.com/?24599

Blog

ISO/IEC 27001 PDCA process

440 views | 2014-8-18 09:40 | PDCA

Plan:
1. Define the scope of the ISMS.
2. Define an ISMS policy.
3. Define the approach to risk assessment.
4. Identify the risks.
5. Assess the risks.
6. Identify and evaluate options for the treatment of risk.
7. Select control objectives and controls.
8. Prepare a statement of applicability (SOA).
Do:
9. Formulate a risk treatment plan.
10. Implement the risk treatment plan.
11. Implement controls.
12. Implement training and awareness programs.
13. Manage operations.
14. Manage resources.
15. Implement procedures to detect and respond to security incidents.
Check:
16. Execute monitoring procedures.
17. Undertake regular reviews of ISMS effectiveness.
18. Review the level of residual and acceptable risk.
19. Conduct internal ISMS audits.
20. Undertake regular management review of the ISMS.
21. Record actions and events that impact an ISMS.
Act:
22. Implement identified improvements.
23. Take corrective or preventive action.
24. Apply lessons learned.
25. Communicate results to interested parties.
26. Ensure improvements achieve their objectives.
