
Information security management system

An information security management system (ISMS) is a set of policies
concerned with information security management or IT-related risks. The term
arose primarily out of ISO/IEC 27001.

The governing principle behind an ISMS is that an organization should design,
implement and maintain a coherent set of policies, processes and systems to
manage risks to its information assets, thus ensuring acceptable levels of
information security risk.

ISMS description

As with all management processes, an ISMS must remain effective and efficient in
the long term, adapting to changes in the internal organization and external
environment. ISO/IEC 27001 therefore incorporates the typical "Plan-Do-Check-Act"
(PDCA), or Deming cycle, approach:

- The Plan phase is about designing the ISMS, assessing information security
  risks and selecting appropriate controls.
- The Do phase involves implementing and operating the controls.
- The Check phase objective is to review and evaluate the performance
  (efficiency and effectiveness) of the ISMS.
- In the Act phase, changes are made where necessary to bring the ISMS back
  to peak performance.

The best known ISMS is described in ISO/IEC 27001 and ISO/IEC 27002 and
related standards published jointly by ISO and IEC.

Another competing ISMS is the Information Security Forum's Standard of Good
Practice (SOGP). It is more best-practice based, as it draws on the industry
experience of ISF's members.

Other frameworks such as COBIT and ITIL touch on security issues, but are
mainly geared toward creating a governance framework for information and IT
more generally. COBIT has a companion framework, Risk IT, dedicated to
information security.

There are a number of initiatives focused on the governance and organizational
issues of securing information systems, keeping in mind that this is a business
and organizational problem, not only a technical problem:

- The Federal Information Security Management Act of 2002 is a United States
  federal law enacted in 2002 that recognized the importance of information
  security to the economic and national security interests of the United
  States.[1]
- The act requires each federal agency to develop, document, and implement an
  agency-wide program to provide information security for the information
  and information systems that support the operations and assets of the agency,
  including those provided or managed by another agency, contractor, or other
  source.[1][2]
- The Governing for Enterprise Security Implementation Guide[3] of the Carnegie
  Mellon University Software Engineering Institute CERT is designed to help
  business leaders implement an effective program to govern information
  technology (IT) and information security. Its objective is to help leaders
  make well-informed decisions about many important components of GES, such as
  adjusting organizational structure, designating roles and responsibilities,
  allocating resources (including security investments), managing risks,
  measuring results, and gauging the adequacy of security audits and reviews.
  The intent in elevating security to a governance-level concern is to foster
  attentive, security-conscious leaders who are better positioned to protect an
  organization's digital assets, its operations, its market position, and its
  reputation.
- A Capability Maturity Model for system security engineering was
  standardized in ISO/IEC 21827.
- The Information Security Management Maturity Model (known as ISM-cubed or
  ISM3) is another form of ISMS. ISM3 builds on standards such as ISO
  20000, ISO 9001, CMM, ISO/IEC 27001, and general information governance
  and security concepts. ISM3 can be used as a template for an ISO 9001-
  compliant ISMS. While ISO/IEC 27001 is controls based, ISM3 is process
  based and includes process metrics. ISM3 is a standard for security
  management (how to achieve the organization's mission despite errors,
  attacks and accidents with a given budget). The difference between ISM3 and
  ISO/IEC 21827 is that ISM3 is focused on management, ISO/IEC 21827 on
  engineering.

Need for an ISMS

Security experts say and statistics confirm that:

- information technology security administrators should expect to devote
  approximately one-third of their time addressing technical aspects. The
  remaining two-thirds should be spent developing policies and procedures,
  performing security reviews and analyzing risk, addressing contingency
  planning and promoting security awareness;
- security depends on people more than on technology;
- employees are a far greater threat to information security than outsiders;
- security is like a chain: it is as strong as its weakest link;
- the degree of security depends on three factors: the risk you are willing to
  take, the functionality of the system and the costs you are prepared to pay;
- security is not a status or a snapshot but a running process.

These facts inevitably lead to the conclusion that:

Security administration is a management and NOT a purely technical issue.

The establishment, maintenance and continuous update of an ISMS provide a
strong indication that a company is using a systematic approach for the
identification, assessment and management of information security risks.
Furthermore, such a company will be capable of successfully addressing
information confidentiality, integrity and availability requirements, which in turn
have implications for:

- business continuity;
- minimization of damages and losses;
- competitive edge;
- profitability and cash flow;
- respected organization image;
- legal compliance.

The chief objective of Information Security Management is to implement the
appropriate measures in order to eliminate or minimize the impact that various
security-related threats and vulnerabilities might have on an organization. In doing
so, Information Security Management will enable implementing the desirable
qualitative characteristics of the services offered by the organization (i.e.
availability of services, preservation of data confidentiality and integrity, etc.).

Large organizations, or organizations such as banks and financial institutes,
telecommunication operators, hospital and health institutes and public or
governmental bodies, have many reasons for addressing information security very
seriously. Legal and regulatory requirements which aim at protecting sensitive or
personal data, as well as general public security requirements, impel them to devote
the utmost attention and priority to information security risks.

Under these circumstances the development and implementation of a separate and
independent management process, namely an Information Security Management
System, is the one and only alternative.

The development of an ISMS framework entails the following 6 steps:

1. Definition of Security Policy,
2. Definition of ISMS Scope,
3. Risk Assessment (as part of Risk Management),
4. Risk Management,
5. Selection of Appropriate Controls and
6. Statement of Applicability.

Critical success factors for ISMS

To be effective, the ISMS must:

- have the continuous, unshakeable and visible support and commitment of
  the organization's top management;
- be managed centrally, based on a common strategy and policy across the
  entire organization;
- be an integral part of the overall management of the organization, related to
  and reflecting the organization's approach to Risk Management, the control
  objectives and controls and the degree of assurance required;
- have security objectives and activities based on business objectives and
  requirements and led by business management;
- undertake only necessary tasks, avoiding over-control and waste of
  valuable resources;
- fully comply with the organization's philosophy and mindset by providing a
  system that, instead of preventing people from doing what they are employed to
  do, enables them to do it in a controlled way and demonstrate their fulfilled
  accountabilities;
- be based on continuous training and awareness of staff and avoid the use of
  disciplinary measures and "police" or "military" practices;
- be a never-ending process.

What are ISO/IEC 27001:2005 & ISO/IEC 27002:2005?

ISO/IEC 27001:2005

ISO/IEC 27001:2005 (formerly BS 7799-2:2002) is a standard setting out the
requirements for an Information Security Management System. It helps identify,
manage and minimize the range of threats to which information is regularly
subjected. The standard is designed to ensure the selection of adequate and
proportionate security controls that protect information assets and give confidence
to interested parties, including an organization's customers.

It is suitable for several different types of organizational use, including the
following:

- Formulation of security requirements and objectives;
- To ensure that security risks are cost-effectively managed;
- To ensure compliance with laws and regulations;
- As a process framework for the implementation and management of controls
  to ensure that the specific security objectives of an organization are met;
- Identification and clarification of existing information security management
  processes;
- To be used by management to determine the status of information security
  management activities;
- To be used by internal and external auditors to determine the degree of
  compliance with the policies, directives and standards adopted by an
  organization;
- To provide relevant information about information security policies,
  directives, standards and procedures to trading partners;
- To provide relevant information about information security to customers.

An organization using ISO/IEC 27001:2005 as the basis for its ISMS can become
registered by BSI, thus demonstrating to stakeholders that the ISMS meets the
requirements of the standard.

ISO/IEC 27002:2005

The ISO/IEC 27002 Code of Practice for Information Security Management
establishes guidelines and general principles for organizations to initiate,
implement, maintain, and improve information security management. The
objectives outlined provide general guidance on the commonly accepted goals of
information security management. ISO/IEC 27002 contains best practices of
control objectives and controls in the following areas of information security
management:

- Security policy;
- Organization of information security;
- Asset management;
- Human resources security;
- Physical and environmental security;
- Communications and operations management;
- Access control;
- Information systems acquisition, development and maintenance;
- Information security incident management;
- Business continuity management;
- Compliance.