Information security systems management entails the creation and following of a set of information security policies to manage and control information technology related risks.
For an effective information security system and management plan, the enterprise must develop and maintain a range of policies and processes of the relevant systems to minimise and address risks to the information assets of the entire enterprise.
The information security management system, often known by the acronym of ISMS, follows the Plan-Do-Check-Act approach required by the international standard ISO/IEC 27001 of 2005 and 2013. The approach entails the planning of the ISMS design, which includes assessment of the various risks related to information security and choosing the relevant controls to manage the risks. The second phase of the approach entails the implementation and maintenance of the selected controls. This is followed by the reviewing and evaluation of the efficiency and effectiveness of the implemented management system, with the final phase entailing the corrective steps and changes to ensure optimal performance of the management system.
ISO Standards for Information Security and Risk Management
Various international standards are in place to provide the necessary framework for setting up, implementing and controlling the ISMS. ISO/IEC 27001 covers the setting up and maintenance of a risk management process regarding the information security. The standard was recently updated and an important difference between the older version and the new 2013 version is that the latter doesn’t place any focus on the Deming cycle, which was still prevalent in the 2005 version. With the new standard, the enterprise can use any management improvement approach which can, for instance, be the Plan-Do-Check-Act approach or Six Sigma.
The ISO 27000 series, also known as ISO27k, is a family of standards that provides the guidelines for best practice in the management of information security risks. The scope of the standards is broad to ensure that the standards can be applied to all types of organisations, irrespective of their industries and sizes. ISO 27000 provides an overview of the glossary of terminology, while ISO 27001, as mentioned above, provides the requirements for setting up the information security management system and is the standard which replaced the BS7799-2 (British) standard.
ISO 27002 deals with the code of good practice for ISMS and replaced the ISO 17799 standard, with ISO 27003 providing the guidelines for the implementation of ISMS and ISO 27004 providing the measurement and metrics of performance. ISO 27005 provides the guidelines for information security risk management, and ISO 27006 gives the requirements for the bodies that audit and certify the ISMS.
Why Management of Information Security Systems is Important
People are the main risks when it comes to information security, with employees often forming a bigger risk than outside threats. IT security personnel spend many hours in handling technical aspects, but the main portion of their work entails the development of proper and relevant security policies and procedures, reviewing of security risks and applying contingency measures to control risks, while also creating awareness among employees of the said risks.
The information security of an enterprise is as vulnerable as the weakest part of the system. It is thus imperative to have a system in place to manage risks without compromising on the functionality of the IT systems. It is not a once-off process and therefore one requires a system that can address the risks on an ongoing basis.
Through the implementation and management of an ISO aligned ISMS, the enterprise is able to ensure confidentiality, integrity and availability of the information to the authorised users. This includes protection against unauthorised access and modification, as well as making sure that the information is easily accessible to the right users.
By addressing the core requirements for effective ISMS, the enterprise is able to minimise data loss and damage, while improving on its competitive edge and ensuring compliance with statutory requirements of their country.
The main goal of setting up and managing information security systems is to ensure correct implementation of relevant measurements to address, minimise and eliminate the effects of information security threats and weaknesses within the enterprise. An effective management system provides for the implementation of attributes, such as optimal availability of information and services, and the protection of confidentiality and data integrity. Customers gain confidence in the enterprise’s ability to keep their information safe and to ensure business continuity.
The implementation of an ISO 27001 aligned ISMS entails the definition of the security policies, the management scope and risk assessment, together with risk management. The above is in addition to the selection of the relevant controls.
What Makes ISMS Successful?
The information security management system must be applied throughout the enterprise with complete support from executive management, and it must be centrally controlled and managed. The system should form part of the enterprise’s risk management policies and management systems, with the security goals based on the enterprise goals. It is essential to prevent implementation of too many controls that can lead to over usage of valuable resources. The system must be ongoing and the employees should receive ongoing training in the system, rather than it becoming a policing code.
As with any system there are challenges to be addressed to ensure its success. One such challenge is the short lifespan of relevancy when it comes to security measures against threats. New threats develop daily and the system must be able to adapt to address the fast-changing and rapidly-increasing threats. It is thus imperative to ensure that the system stays dynamic.
The effects of ISMS implementation on external parties and transactions cannot be foreseen before the system is implemented. As such, the ISMS of one enterprise can render another organisation’s ISMS vulnerable. It is important to minimise the effects of ISMS implementation on business partners.
It is furthermore essential to continually review and address security concerns regarding the enterprise service deliveries, technologies used and methods followed. Such challenges can be addressed through proper integration with the enterprise’s other ISO compliant management systems, preparation for certification, auditing, certification, training and following of a maintenance programme. We offer our expertise in all the information security management systems.