Friday, November 29, 2013

Information Security Management System

An information security management system (ISMS) is a set of policies and procedures for systematically managing an organization's sensitive data. The goal of an ISMS is to minimize risk and ensure business continuity by proactively limiting the impact of a security breach.

ISO 27001 is a specification for creating an ISMS. It does not mandate specific actions, but includes suggestions for documentation, internal audits, continual improvement, and corrective and preventive action.

The chief objective of Information Security Management is to implement appropriate measures to eliminate or minimize the impact that security-related threats and vulnerabilities might have on an organization. In doing so, Information Security Management enables the organization to deliver the desirable qualitative characteristics of the services it offers (i.e. availability of services, preservation of data confidentiality and integrity, etc.).


The expertise necessary to implement these steps:

1. Define ISMS Scope
Management defines the scope and the boundaries. Implementing an ISMS is an investment. Deciding and defining the scope must be done at the strategic level of the organization to ensure returns on investment.

2. Define ISMS Policy
Normally this is done by the ISMS Clients in consultation with the ISMS Project Team (composed of representatives from the scope). The draft ISMS Policy is then pushed up to management's desks for review and approval.

3. Define a Risk Assessment approach
If you have a consultant, the consultant may do this for you, unless you do some research and litmus-test the various risk assessment methods yourself to decide which fits your organization.

4. Identify Risk
Asset owners, or a penetration tester if you have one.

5. Analyze and evaluate risk
Asset owners.

6. Perform risk treatment
Asset owners.

7. Select control objectives and controls
Asset owners.

8. Prepare a Statement of Applicability
ISMS Clients.

9. Approve residual risks

10. Implement controls
Asset owners. Managers. To some extent this includes everybody in the defined scope, e.g. anyone using anti-virus software, anyone closing the door at night, etc.

11. Carry out training and awareness
Human resources for generic IS training and awareness. Members of the ISMS Project Team for more focused training per business unit.

12. Manage Operations of the ISMS
ISMS Project Team and ISMS Clients.

13. Manage Resources
ISMS Clients.

14. Implement detective and reactive controls for security incidents
Depends on the security incident. In my recent project, physical incidents are managed by the Facilities Department, IT-related incidents by IT.

15. Monitor procedures and controls
Process owners and asset owners.

16. Review ISMS regularly
Internal ISMS auditors. External ISMS auditors. ISMS Clients. Risk owners. Asset owners. Management.

17. Carry out improvement measures
ISMS Clients.

18. Communicate the action that has been taken
Action owner.
