What is an Information Security Management System?
An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems. The British Standards Institution (BSI) originally published the standard as BS 7799: Part 1, a code of practice, became ISO/IEC 17799 (now ISO/IEC 27002), and Part 2, the specification for an ISMS, became ISO/IEC 27001:2005. Both standards have since been revised (most recently in 2022), so check the current editions before buying.
There are several aspects to the standard, which can broadly be categorised into the management system itself (the ISMS) and the control objectives (in the 2005 edition, grouped under 11 control clauses in Annex A). Put simply:
- the ISMS defines the information security framework (in terms of an Information Security Policy, Threat and Risk Assessment, Statement of Applicability, Information Asset Register and procedures/calendar for ongoing updates, monitoring and auditing)
- the control objectives define the specific information security aspects assessed and managed (including information classification, access rules, physical and environmental security, IT network security, backup, user access, and business continuity management).
Formal certification against the standard can be obtained, but maintaining it (surveillance audits and periodic re-certification) can be costly. Conformance to the standard without certification is a simpler option; however, it does not provide the certificate that some customers and regulators require.
Where Do I Start?
If you are just starting out, here are three key steps:
- Develop an information security policy and identify your organisation's key information assets. Purchase the standards, ISO/IEC 27002:2005 (previously named ISO/IEC 17799:2005) and ISO/IEC 27001:2005, to help you do this.
- Carry out a threat and risk assessment and build your ISMS. Assign responsibilities and train key staff to ensure its successful implementation.
- Once your management system is fully implemented and has been operating long enough to produce audit and review records, you can apply for ISO/IEC 27001:2005 certification with an accredited certification body.