Implementation of information security management system

Implementation of information security management system
See also

The procedure of preparing and implementing the information security management system has been described in clauses 4.2 and 4.3 of the standard [[[ISO 27001]]:2005, p. 9]. It is made up of the following steps:

  • defining the scope and boundaries of the ISMS,
  • defining the ISMS policy,
  • defining the approach to risk assessment,
  • defining the risks,
  • analysis and evaluation of the risks,
  • identification and evaluation of risk treatment options,
  • selection of controls,
  • approval of all residual risks,
  • obtaining authorisation for system implementation,
  • preparation of a statement of applicability,
  • development of a risk treatment plan,
  • implementation of the risk treatment plan,
  • implementation of security controls,
  • defining the ways of measuring effectiveness of security controls,
  • training of employees and associates.

Scope of information security management system

The scope of the information security management system may not be freely defined, since it has to take into account the nature of operations pursued by an organisation. It is a mistake to subjectively or objectively limit the system that may cause its incomplete efficiency. The office management usually imagine, at the out-start, that the information security system will operate in the server room and the classified information bureau. Such a solution, however, would not include the number of job positions that are responsible for observing the confidentiality or maintaining the continuous access to the information. The system should thus encompass the entire local borough council office, together with subsidiary organisations that perform local council works.

A good solution is to integrate the ISMS with the quality management system. There are a number of similarities between the two systems, such as the structure of documentation, at the top of which there is the ISMS policy. Its task is to define the major directions and principles of operations with regard to the provision of information security. From the point of view of strategic management, the policy may be treated as an element of strategy concerning the proper functioning of the information system. Such an approach, in the case of an integrated management system, allows for the easier management of many policies pursued in the office.

Risk evaluation in security management system

The development of the risk evaluation method is a key stage of designing the information security management systems. The ISO 27001:2005 standard does not point to any specific method, leaving some freedom in this respect. Such an approach is justified, since systems are implemented within different organisations. A proposal of the method is, however, included in the ISO TR 13335-3:1998 standard. Although it is limited to information technology systems, it may easily be adopted to a broader category such as an information system. The method must be prepared in such a way that it will provide for its multiple repetition and ensure the comparability of results. It should take into account not only legal requirements, but also those relating to the operations pursued by an organisation. The method must contain criteria that will allow for the definition of acceptable levels of risks, and on that basis, taking a decision about acceptance.

The ISO 27001:2005 standard requires risks to be defined in four steps:

  1. identification what assets (information, hardware, etc.) are in the organisation in terms of ISMS implementation and who is responsible for them,
  2. identification as to what could pose a threat to such assets,
  3. identification of susceptibilities, or weaknesses of such assets that may be used by threats,
  4. identification of the consequences for the assets that may occur in the event of threat occurrence.

The standard does not clearly indicate that threats and susceptibilities should be identified individually for each type of assets; however, auditors who certify systems are unenthusiastic about methods in which susceptibilities have been defined in groups. Risk identification is a time consuming activity and requires the participation of representatives from all the organisational units. Due to this, its optimum form includes training sessions combined with workshops.

Risk analysis is performed on the basis of the identification results. Its purpose is to show the losses that a default on confidentiality, accessibility, accuracy, or the integrity of assets may cause. Next, the likelihood of the occurrence of incidents that default on security and losses should be indicated, taking into account the currently applied security controls. Based on that, it is possible to estimate the risk level and take decisions on whether it is acceptable, or whether it is necessary to undertake additional preventive actions.

Risk treatment options

The standard proposes four solutions: the introduction of security controls, knowing the acceptance of risks, risk avoidance or their transfer to other organisations, e.g. insurers. The choice of security controls is facilitated by a list of over 100 proposals that has been presented in the standard implementation, which should be considered. The list has been prepared on the basis of information security management principles published in the ISO 17799:2005 standard.

Acceptance of residual (acceptable) risk by the management and an implementation approval constitute a passage from the design stage to the implementation stage of the information security management system. A statement of applicability of the ISMS, which is the outcome of the completed design stage, contains a description of the selected and implemented security controls, and also of any possible reasons for excluding certain security controls recommended by the standard.


Research conducted by the author in several local government offices has shown that technical security controls are used at a good level. Unfortunately, organisational security controls are at a satisfactory level. This is so because the implementation of technical security controls is the responsibility of an information technology officer, who has the relevant qualifications, whereas the organisational security controls are the responsibility of all employees. The implementation of such security controls will require substantial changes in the organisation's culture.

Due to that reason the implementation phase should be accompanied by a series of employee training courses. Their purpose is to acquaint employees with the new ways of the work organisation and to explain the reasons for introducing changes. Next, there comes the development and implementation of the risk treatment plan that will define the actions that need to be undertaken, their sequence, and the positions that are responsible for the introduction of changes should be indicated. The further stage includes the implementation of security controls provided for in the statement of acceptability, and defining the way of measuring their effectiveness. The measurement should allow not only for the assessment of system operations in the future, but also the results of comparisons of changes in time.

See also:


Author: Slawomir Wawak