Information Security Management System

An information security management system (ISMS) is a set of policies and procedures for systematically managing an organization's sensitive data. The goal of an ISMS is to minimize risk and ensure business continuity by pro-actively limiting the impact of a security breach.

ISO 27001 is a specification for creating an ISMS. It does not mandate specific actions, but includes suggestions for documentation, internal audits, continual improvement, and corrective and preventive action.

Chief objective of Information Security Management is to implement the appropriate measurements in order to eliminate or minimize the impact that various security related threats and vulnerabilities might have on an organization. In doing so, Information Security Management will enable implementing the desirable qualitative characteristics of the services offered by the organization (i.e. availability of services, preservation of data confidentiality and integrity etc.).

The expertise, which are necessary to implement these steps :

1.       Define ISMS Scope

Management defines the scope and the boundaries. Implementing an ISMS is an investment. Deciding and defining the scope must be done at the strategic level of the organization to ensure returns on investment.

2.       Define ISMS Policy

Normally this is done by an ISMS Cleints in consultation with ISMS Project team (composed of representatives from the scope). Draft ISMS Policy is then shoved up management's desks for review and approval.

3.       Define a Risk Assessment approach

If you have a consultant, the consultant may do this for you unless you do some research and litmus test on the various risk assessment methods to decide which fits your organization.

4.       Identify Risk

Asset owners or penetration tester if you have one.

5.       Analysis and evaluate risk

Asset owners.

6.       Perform risk treatment

Asset owners.

7.       select control objectives and control

Asset owners.

8.       Prepare a Statement of Applicability

ISMS Clients

9.       Approve residual risks

Management.

10.   Implement controls

Asset owners. Managers. To some extent this includes everybody in the defined scope. E.g. anyone using an anti-virus software, anyone closing the door at night, etc.

11.   Carry out training and awareness

Human resources for generic IS training and awareness. Members of the ISMS Project Team for more focused training per business unit.

12.   Manage Operations of the ISMS

ISMS Project Team and ISMS Clients

13.   Manage Resources

ISMS Clients

14.   Implement detective and reactive controls for security incidents

Depends on the security incident. In my recent project, physical incidents are managed by the Facilities Department. IT-related incidents by the IT.

15.   Monitor procedures and controls

Process owners and asset owners

16.   Review ISMS regularly

Internal ISMS auditors. External ISMS auditors. ISMS Clients. Risk owners. Asset owners. Management.

17.   Carry out improvement measures

ISMS Clients.

18.   Communicate the action that has been taken

Action owner.