• The deadline for the implementation of the ISMS.

• The certificate of previous audits.

• The result of a gap analysis.

• A commitment to continual improvement of the ISMS.

• Establish and maintain criteria on information security risks.

• Identify risks associated with the loss of confidentiality, integrity and availability of information.

• Select appropriate information security risk treatment options taking into account the results of the risk assessment.

• All of the above.

• External and internal issues.

• Assets and resources.

• Risks and opportunities.

Threats and vulnerabilities.

• Conduct a second party audit.

• Hire an information security coordinator.

• Implementing a measurement system used to evaluate information security management performance that can provide suggestions for improvement.

• Appoint at least two internal auditors for the information security system.

• Perform an information security risk treatment process to select appropriate information security risk treatment options taking into account the results of the risk assessment.

• A consultancy to carry out precisely the treatment of information security risks.

• A manager appointed by the top management to carry out the information security risk treatment under his expertise.

• To acquire a set of information security tools to automate the treatment of risks.

• A responsible person designated by the top management to carry out the control of documented information under his expertise.

• Acquire a set of information security tools to control documented information effectively.

• A consultancy to accurately perform the control of documented information.

• Adequate protection, e.g., against loss of confidentiality, misuse, or loss of integrity.

• Acquire a set of security tools.

• Consider organizational boundaries, information systems boundaries and physical boundaries.

• Processes, Technology, People.

• All of the above.