An information security management system (ISMS) is a set of policies, procedures, processes and systems that manage information risks, such as cyber attacks, hacks, data leaks or theft.
The ISMS defines all of the necessary steps for the effective management of those information risks. This is why the development of an information security management system (ISMS) is critical to the success of any cyber security programme.
An ISMS framework
ISO 27001 is the international standard for information security management, and achieving full compliance with a recognised industry standard is a way of demonstrating to clients and shareholders that your company is serious about information security.
If you are starting from scratch, it is a good idea to conduct a health check and gap analysis. Performed by security experts, the health check will assess your current information security controls, policies and procedures, and compare the results with the requirements of ISO 27001:2013.
Getting support: the business case
The health check will also help you to justify the benefits of implementing an ISMS by developing a business case that contains both financial and qualitative benefits. The business case should weigh up the benefits against the potential losses of confidentiality, availability and integrity of data, in addition to the reputational and financial damage associated with a data breach.
The business case is crucial to secure top-level management buy-in, not just to authorise the budget but to promote a culture of information security throughout the organisation.
One of the primary goals of an ISMS is to ensure that all staff involved with the use and management of the organisation’s information assets understand the information security policy, procedures and other requirements to an acceptable level. Staff awareness about information security is a vital aspect of the ISMS’s success.
If you are planning to certify the ISMS, you may want to ‘ring fence’ the scope of the ISMS – for example, a specific business area or regional office that deals exclusively with the data in question. It is important to include all of the activities that fall within the scope of the ISMS, because this is what your certification body will use as the starting point for the audit.
Policy and objectives
The ISMS will require that you document the parties relevant to your organisation’s information security, which should extend to entities such as customers, the community, suppliers, regulators, non-governmental organisations, investors and employees. Their security requirements will need to be taken into account when implementing the ISMS.
You should also develop an information security policy specifying your information security objectives, which should be communicated to all employees and appropriate stakeholders.
A fundamental element of an ISMS is the risk assessment. A risk assessment should be undertaken by identifying all of the information assets that the organisation determines need protecting. These include not only tangible assets such as hard drives and paper-based documents, but also intangibles such as intellectual property and trade secrets. Once all of the information assets have been identified, the risk assessor should follow a process of systematically identifying all of the applicable risks to those assets.
A risk treatment plan indicates all of the controls (treatments) that will be applied to mitigate the identified risks. ISO 27001:2013 provides a set of 114 controls in Annex A that can be used to treat these risks, but it also allows controls to be selected from other control sets.
For ISO 27001:2013 certification, a Statement of Applicability (SoA) must be developed that shows the controls that have been selected from ISO 27001 and the reasons for their inclusion or exclusion.
The Board or executive team should review and confirm that they are satisfied with any residual risks that remain.
Conducting vulnerability assessments and penetration tests
Penetration testing is an essential component in any ISMS, from initial development to ongoing maintenance and continual improvement. There are three specific points in your ISMS project at which penetration testing has a significant contribution to make:
- As part of the risk assessment process: uncovering vulnerabilities in any internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.
- As part of the risk treatment plan: ensuring that the controls that have been implemented actually work as designed.
- As part of the ongoing corrective action/preventive action (CAPA) and continual improvement processes: ensuring that controls continue to work as required, and that new and emerging threats and vulnerabilities are identified and dealt with.
The ISMS must be reviewed by management at planned intervals to ensure its continuing suitability, adequacy and effectiveness. During this review, the management team must assess opportunities for improvement and the need for changes to the ISMS, including the policy and objectives.
As with other management systems, an ISO 27001-compliant ISMS should be audited to confirm that it meets the Standard’s requirements and the organisation’s expectations.
Prior to certification, the organisation should carry out a comprehensive review of the ISMS and SoA. These internal audits should include technical conformance checking in addition to process conformance.
Once the organisation is ready to apply for certification, it should make all evidence of compliance available to the auditors, in the form of relevant documented policies, procedures and records. Certification auditors will seek evidence (in the form of records of processes such as risk assessments, management reviews, incident reports, corrective actions, etc.) that the ISMS is operating and continually improving where necessary.
Continual improvement is central to ensuring that the ISMS adapts to the evolving threat landscape. If you do not have the appropriate resources, an ISMS management service can help you to proactively manage, monitor and maintain your ISMS, ensuring consistent conformity to ISO 27001.
IT Governance offers a unique blend of expertly developed ISO 27001 tools and resources – available 24/7, anywhere in the world, at a fixed price. Our ISO 27001 packaged solutions provide everything you need to implement an ISMS aligned to ISO 27001 without any of the usual associated complexities and costs.