The ISA diagram has three major sections it is important to note that these sections need to be addressed in their sequence order. In general, the first section establishes the business process and the requirements, which in this context are the risks. The second section is focused on the development of the Cyber-Security Management System (CSMS). The third section is the enduring tasks of monitoring and improving the CSMS.
All of the standards mentioned above, as well as the industry specific standards begin with a description of the system and its business rational or its framework for existing. The first section is focused on the risk assessment based on the business framework. The point is that risks are dependent on the nature of the business enterprise, and the risks are driven by the degree of acceptable risk, or risk appetite; and the types of services or the type of production.
In the second section, the risks are addressed by developing the CSMS system which will provide the foundation in terms of the ICS Cybersecurity infrastructure. There are essentially three pillars of effort in this section. First is developing a security policy, organization and awareness, here the focus is on defining the CSMS scope, training and awareness, and developing security policies and procedures. Second is focused-on security counter measures. Here the focus is on personnel, physical and environmental security, network segmentation and access control. The third pillar is risk management, CSMS maintenance, documentation, and incident response planning.
The third section is devoted to sustainment, no system can exist without adjustment to the threats in its environment. The point here is improvement through continuous feedback. There is no relief to the attacks on the system. As these attacks continue and change due to the defense, the defense too must change to meet these new threats. The third section is the effort devoted to maintaining the system, continuously monitoring and upgrading the CSMS systems defense against new and emerging threats.