Information Security Management System (ISMS)

Revision as of 15:21, 20 May 2020

Definition of Information Security Management System (ISMS)

An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes and IT systems, and is driven by a risk management process. It can help small, medium and large businesses in any sector keep information assets secure.[1]

The Information Security Management System (ISMS) is the collection of all the interrelated and interacting information security elements of an organization, brought together so that policies, procedures and objectives can be created, implemented, communicated and evaluated, and so that the organization's overall information security can be assured. The shape of the system depends on the organization's needs, objectives, security requirements, size and processes. An ISMS includes, and supports, effective risk management and mitigation strategies. An organization's adoption of an ISMS indicates that it is systematically identifying, assessing and managing information security risks and "will be capable of successfully addressing information confidentiality, integrity, and availability requirements." However, the human factors associated with ISMS development, implementation and practice (the user domain) must also be considered if the ISMS is to succeed.[2]

Elements of an ISMS[3]

An effective Information Security Management System is made up of seven elements, shown in the source as a pie chart.

[Figure: Elements of an ISMS (pie chart)]

The real size of these pie slices, in terms of time and cost, depends on your objectives, your starting point, the scope you want to include in your ISMS, and your organisation's preferred way of working.

Investing well in one slice helps reduce or avoid much larger investments in the others. Beware the pitfalls, though: buying a cheap ISO 27001 documentation toolkit tends to cost more in the long run, and a set of templates on its own will not demonstrate the "management system" aspects of your ISMS to an auditor.

ISMS Frameworks[4]

ISO/IEC 27001 is the most widely adopted ISMS standard, but other frameworks offer valuable guidance as well. These other frameworks often borrow from ISO 27001 or from industry-specific guidelines.

What Should an ISMS Framework Address[5]

ITIL suggests that your ISMS should address what it calls "the Four P's": people, processes, products (and technology), and partners (and suppliers). Many global IT organizations seek certification of their ISMS, which is done against ISO/IEC 27001. Typically, an ISMS framework addresses five key elements:

  • Control: Establish a management framework for managing information security, prepare and implement an Information Security Policy, allocate responsibilities, and establish and control documentation.
  • Plan: In the planning phase, gather and fully understand the security requirements of the organization, then recommend the appropriate measures based on budget, the corporate culture around security, and other factors.
  • Implement: Put the plan into action, making sure the proper safeguards are in place to enact and enforce the Information Security Policy.
  • Evaluate: Once policies and plans are in place, oversee them to confirm that systems are actually secure and that processes run in compliance with your policies, SLAs and other security requirements. This is where internal audits and management reviews sit.
  • Maintain: An effective ISMS is continuously improved: look for opportunities to revise SLAs, security agreements, the way you monitor and control them, and more.


ISMS Security Controls[6]

ISMS security controls span multiple domains of information security, as listed in Annex A of ISO/IEC 27001 (the 2013 edition groups 114 reference controls into 14 domains; ISO/IEC 27002 gives implementation guidance for each). The domains and their objectives are:

  • Information security policies. Management direction and support for establishing appropriate security policies. The security policy is unique to your company and is written in the context of your changing business and security needs.
  • Organization of information security. The internal organization of security: roles and responsibilities, segregation of duties, contact with authorities and special-interest groups, security in project management, and rules for mobile devices and teleworking.
  • Asset management. Inventory and ownership of organizational assets within and beyond the corporate IT network, acceptable-use rules, information classification, and the handling and disposal of media that may carry sensitive business information.
  • Human resource security. Policies and controls covering personnel before, during and after employment, including measures to reduce risk from insider threats and workforce training to reduce unintentional security lapses.
  • Physical and environmental security. Measures that protect physical IT hardware and facilities from damage, loss or unauthorized access. Even where an organization keeps sensitive information in off-premise cloud services, the security of the physical devices used to access that information must still be considered.
  • Communications and operations management. Systems must be operated and maintained in line with security policies and controls. Daily IT operations such as change management, malware protection, backup, logging and monitoring, and network security should follow the IT security policies and ISMS controls. (The 2013 edition splits this into "Operations security" and "Communications security".)
  • Access control. Limiting access to authorized users and monitoring for anomalous use. Access permissions cover both digital and physical media. Roles and responsibilities should be well defined, with access to business information granted only when necessary and reviewed regularly.
  • Information system acquisition, development, and maintenance. Security requirements and secure engineering practices should be maintained across the entire lifecycle of an IT system, including acquisition, development, testing and maintenance.
  • Information security incident management. Report, assess and respond to security events and weaknesses consistently, collect evidence, and learn from incidents so that their impact is reduced. In complex network environments, dedicated tooling may be needed to detect incidents and to produce useful incident metrics.
  • Business continuity management. Avoid interruptions to business processes whenever possible. Information security continuity should be planned, implemented and tested, and any disaster situation should be followed immediately by recovery procedures that minimize damage.
  • Compliance. Identify and meet applicable legal, statutory, regulatory and contractual requirements, and review information security independently.
  • Cryptography. Among the most important and effective controls for protecting sensitive information, though not a silver bullet on its own. The ISMS therefore governs how cryptographic controls, including key management, are applied and managed.
  • Supplier relationships. Third-party vendors and business partners may require access to the network and to sensitive customer data. It may not be possible to enforce your own security controls on some suppliers; adequate controls should still be adopted to mitigate the resulting risk through IT security policies, contractual obligations and monitoring of supplier service delivery.


Implementing an ISMS[7]

There are numerous ways of approaching the implementation of an ISMS. The most common is the "Plan, Do, Check, Act" (PDCA) cycle. The international standard detailing the requirements for an ISMS, ISO/IEC 27001, together with the best-practice guidelines in ISO/IEC 27002, are two excellent guides for getting started. A certified ISMS, independently audited by an accredited certification body, gives customers and potential clients assurance that the organization has taken the necessary steps to protect their personal and confidential data from a range of identified risks.

The strength of an ISMS rests on the robustness of its information security risk assessment, which is key to any implementation. Recognizing the full range of risks that the organization and its data may face in the foreseeable future is a precursor to selecting the mitigating measures (known as "controls").

Annex A of ISO/IEC 27001 provides a reference list of controls that can serve as a checklist for confirming that you have considered every control needed for legislative, business, contractual or regulatory purposes. The standard requires a Statement of Applicability that records which of these controls apply and justifies any that are excluded.


Principles of an Information Security Management System[8]

While the implementation of an ISMS will vary from organization to organization, there are underlying principles that every ISMS must follow in order to protect an organization's information assets effectively. These principles, a few of which are described below, will help guide you on the road to ISO/IEC 27001 certification.

The first step in successfully implementing an ISMS is making key stakeholders aware of the need for information security. Without buy-in from the people who will implement, oversee or maintain the ISMS, it will be difficult to achieve and sustain the level of diligence needed to build and keep a certified ISMS.

For an organization's ISMS to be effective, it must analyze the security needs of each information asset and apply appropriate controls to keep those assets safe. Not all information assets need the same controls, and there is no silver bullet for information security. Information comes in all shapes and sizes, as do the controls that keep it safe.

Implementing an ISMS is not a project with a fixed end date. To keep an organization safe from threats to its information, the ISMS must continually grow and evolve with the rapidly changing technical landscape, so continual reassessment is a must. By regularly testing and assessing the ISMS, an organization learns whether its information is still protected or whether modifications need to be made.


References

  1. "Information security management systems (ISMS)", iso.org
  2. "Information security management", Wikipedia
  3. "What's included in an ISMS?", ISMS.online
  4. Muhammad Raza, "ISMS Frameworks", BMC Blogs
  5. "What Should an ISMS Framework Address", BMC Blogs
  6. "ISMS Security Controls", BMC Blogs
  7. "Implementing an ISMS", IT Governance USA
  8. "Principles of an Information Security Management System", PJR Inc.