In which order is an Information Security Management System set up?

A. Implementation, operation, maintenance, establishment
B. Implementation, operation, improvement, maintenance
C. Establishment, implementation, operation, maintenance
D. Establishment, operation, monitoring, improvement

Answer: C

Explanation:

The establishment phase of an ISMS involves defining the scope, context, objectives, and leadership commitment for information security management within an organization. It also involves identifying and assessing the risks and opportunities related to information security and selecting the appropriate controls to treat them.

The implementation phase of an ISMS involves executing the plans and actions to achieve the information security objectives and implement the selected controls. It also involves ensuring the availability of resources and competencies for information security management.

The operation phase of an ISMS involves monitoring and measuring the performance and effectiveness of the ISMS and reporting on the results. It also involves addressing nonconformities and taking corrective actions to prevent recurrence.

The maintenance phase of an ISMS involves reviewing and evaluating the ISMS at planned intervals and identifying opportunities for improvement. It also involves updating the ISMS as necessary to reflect changes in the internal and external context of the organization.

Therefore, an ISMS is set up in the following order: establishment, implementation, operation, maintenance.

Reference: ISO/IEC 27001:2022, clauses 6-10; ISO/IEC 27000:2022, clause 4.
