Information security management system


An information security management system (ISMS) is a set of policies concerned with information security management or IT-related risks. The term arose primarily out of ISO/IEC 27001.
The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.
[Figure: Plan-Do-Check-Act Cycle]

ISMS description
As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and the external environment. ISO/IEC 27001 therefore incorporates the typical "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach:
• The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
• The Do phase involves implementing and operating the controls.
• The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
• In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.
[Figure: ENISA: Risk Management and ISMS activities]
The best known ISMS is described in ISO/IEC 27001 and ISO/IEC 27002 and related standards published jointly by
ISO and IEC.
Another competing ISMS is the Information Security Forum's Standard of Good Practice (SOGP). It is more best-practice based, since it draws on the ISF's industry experience.
Other frameworks such as COBIT and ITIL touch on security issues, but are mainly geared toward creating a governance framework for information and IT more generally. COBIT has a companion framework, Risk IT, dedicated to information security.
There are a number of initiatives focused on the governance and organizational issues of securing information systems, bearing in mind that this is a business and organizational problem, not only a technical one:
• Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 that
recognized the importance of information security to the economic and national security interests of the United
States.[1] The act requires each federal agency to develop, document, and implement an agency-wide program to
provide information security for the information and information systems that support the operations and assets of
the agency, including those provided or managed by another agency, contractor, or other source.[1][2]
• The Governing for Enterprise Security (GES) Implementation Guide [3] of the Carnegie Mellon University Software Engineering Institute CERT is designed to help business leaders implement an effective program to govern information technology (IT) and information security. Its objective is to help them make well-informed decisions about many important components of GES, such as adjusting organizational structure, designating roles and responsibilities, allocating resources (including security investments), managing risks, measuring results, and gauging the adequacy of security audits and reviews. The intent in elevating security to a governance-level concern is to foster attentive, security-conscious leaders who are better positioned to protect an organization's digital assets, its operations, its market position, and its reputation.
• A Capability Maturity Model for system security engineering was standardized in ISO/IEC 21827.
• The Information Security Management Maturity Model (known as ISM-cubed or ISM3) is another form of ISMS. ISM3 builds on standards such as ISO 20000, ISO 9001, CMM, ISO/IEC 27001, and general information governance and security concepts. ISM3 can be used as a template for an ISO 9001-compliant ISMS. While ISO/IEC 27001 is controls based, ISM3 is process based and includes process metrics. ISM3 is a standard for security management (how to achieve the organization's mission despite errors, attacks and accidents, within a given budget). The difference between ISM3 and ISO/IEC 21827 is that ISM3 is focused on management, ISO/IEC 21827 on engineering.

Need for an ISMS


Security experts say and statistics confirm that:
• information technology security administrators should expect to devote approximately one-third of their time
addressing technical aspects. The remaining two-thirds should be spent developing policies and procedures,
performing security reviews and analyzing risk, addressing contingency planning and promoting security
awareness;
• security depends on people more than on technology;
• employees are a far greater threat to information security than outsiders;
• security is like a chain. It is as strong as its weakest link;
• the degree of security depends on three factors: the risk you are willing to take, the functionality of the system and
the costs you are prepared to pay;
• security is not a status or a snapshot but a running process.
These facts inevitably lead to the conclusion that:
Security administration is a management and NOT a purely technical issue.[4]
The establishment, maintenance and continuous update of an ISMS provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks. Furthermore, such a company will be capable of successfully addressing information confidentiality, integrity and availability requirements, which in turn have implications for:[4]
• business continuity;
• minimization of damages and losses;
• competitive edge;
• profitability and cash-flow;
• respected organization image;
• legal compliance.
The chief objective of Information Security Management is to implement appropriate measures in order to eliminate or minimize the impact that various security-related threats and vulnerabilities might have on an organization. In doing so, Information Security Management enables the organization to deliver the desired qualitative characteristics of the services it offers (i.e. availability of services, preservation of data confidentiality and integrity, etc.).[4]
Large organizations, or organizations such as banks and financial institutes, telecommunication operators, hospitals and health institutes, and public or governmental bodies, have many reasons for addressing information security very seriously. Legal and regulatory requirements which aim at protecting sensitive or personal data, as well as general public security requirements, impel them to devote the utmost attention and priority to information security risks.[4]
Under these circumstances, the development and implementation of a separate and independent management process, namely an Information Security Management System, is the one and only alternative.[4]
As shown in the figure, the development of an ISMS framework entails the following 6 steps:[4]
1. Definition of Security Policy,
2. Definition of ISMS Scope,
3. Risk Assessment (as part of Risk Management),
4. Risk Management,
5. Selection of Appropriate Controls and
6. Statement of Applicability.

Critical success factors for ISMS


To be effective, the ISMS must:[4]
• have the continuous, unshakeable and visible support and commitment of the organization's top management;
• be managed centrally, based on a common strategy and policy across the entire organization;
• be an integral part of the overall management of the organization, related to and reflecting the organization's approach to Risk Management, the control objectives and controls, and the degree of assurance required;
• have security objectives and activities that are based on business objectives and requirements and led by business management;
• undertake only necessary tasks, avoiding over-control and waste of valuable resources;
• fully comply with the organization's philosophy and mindset by providing a system that, instead of preventing people from doing what they are employed to do, enables them to do it under control and to demonstrate that they have fulfilled their accountabilities;
• be based on continuous training and awareness of staff, and avoid the use of disciplinary measures and "police" or "military" practices;
• be a never-ending process.

Notes and references


[1] NIST: FISMA Overview (http://csrc.nist.gov/groups/SMA/fisma/overview.html)
[2] Caballero, Albert (2009). "14". Computer and Information Security Handbook. Morgan Kaufmann Publications, Elsevier Inc., p. 232. ISBN 978-0-12-374354-1.
[3] CERT Governing for Enterprise Security Implementation Guide (http://www.cert.org/governance/ges.html)
[4] ENISA: Risk management, Risk assessment inventory, page 8 (http://www.enisa.europa.eu/act/rm/cr/risk-management-inventory/files/deliverables/risk-management-principles-and-inventories-for-risk-management-risk-assessment-methods-and-tools/at_download/fullReport)

External links
• Information Security Management Maturity Model (ISM3) (http://www.ism3.com)
• sse-cmm ("open source" standard) (http://www.sse-cmm.org/index.html)
Article Sources and Contributors


Information security management system. Source: http://en.wikipedia.org/w/index.php?oldid=418312906. Contributors: Ali Akbar, Ant, Apokrif, BeŻet, Canterbury Tail, Dancter, Dkosutic, Frank Kai Fat Chow, Frap, IvanLanin, JezWalters, Kuru, Mauls, Mdd, Mistaya, NoticeBored, Pastore Italy, Remuel, Rhoerbe, Saibo, SeL, Tagishsimon, Vaceituno, Veridion, Wikidemon, 39 anonymous edits

Image Sources, Licenses and Contributors


File:Risk Management Elements.jpg. Source: http://en.wikipedia.org/w/index.php?title=File:Risk_Management_Elements.jpg. License: Public Domain. Contributors: Original uploader was Mdd at en.wikipedia
File:Isms framework.jpg. Source: http://en.wikipedia.org/w/index.php?title=File:Isms_framework.jpg. License: Attribution. Contributors: ENISA

License
Creative Commons Attribution-Share Alike 3.0 Unported
http://creativecommons.org/licenses/by-sa/3.0/