The latest version of the Information Security Management System standard is a risk-based system which takes into account the context of the organisation with respect to the ISMS. It requires the organisation to identify its internal issues, its external issues and the requirements of interested parties. These three items lead to the risks (uncertainties) and opportunities (a desirable turn of uncertainties into a favourable situation) in the organisation's ISMS.
Those risks need to be assessed against pre-defined criteria (e.g. low risk, medium risk, high risk), and actions on the risks and opportunities must be planned against those criteria through appropriate controls. There are pre-defined controls in Annex A, which follows the ten clauses of the standard and covers almost all types of InfoSec uncertainty. The organisation can also choose to define and exercise additional controls (though this would rarely be required). Like any other management system, this standard also stresses a Plan-Do-Check-Act approach.