Implementation of information security management system

From CEOpedia | Management online

The procedure of preparing and implementing the information security management system has been described in clauses 4.2 and 4.3 of the standard [[[ISO 27001]]:2005, p. 9]. It is made up of the following steps:

  • defining the scope and boundaries of the ISMS,
  • defining the ISMS policy,
  • defining the approach to risk assessment,
  • defining the risks,
  • analysis and evaluation of the risks,
  • identification and evaluation of risk treatment options,
  • selection of controls,
  • approval of all residual risks,
  • obtaining authorisation for system implementation,
  • preparation of a statement of applicability,
  • development of a risk treatment plan,
  • implementation of the risk treatment plan,
  • implementation of security controls,
  • defining the ways of measuring effectiveness of security controls,
  • training of employees and associates.

Scope of information security management system

The scope of the information security management system may not be freely defined, since it has to take into account the nature of operations pursued by an organisation. It is a mistake to subjectively or objectively limit the system that may cause its incomplete efficiency. The office management usually imagine, at the out-start, that the information security system will operate in the server room and the classified information bureau. Such a solution, however, would not include the number of job positions that are responsible for observing the confidentiality or maintaining the continuous access to the information. The system should thus encompass the entire local borough council office, together with subsidiary organisations that perform local council works.

A good solution is to integrate the ISMS with the quality management system. There are a number of similarities between the two systems, such as the structure of documentation, at the top of which there is the ISMS policy. Its task is to define the major directions and principles of operations with regard to the provision of information security. From the point of view of strategic management, the policy may be treated as an element of strategy concerning the proper functioning of the information system. Such an approach, in the case of an integrated management system, allows for the easier management of many policies pursued in the office.

Risk evaluation in security management system

The development of the risk evaluation method is a key stage of designing the information security management systems. The ISO 27001:2005 standard does not point to any specific method, leaving some freedom in this respect. Such an approach is justified, since systems are implemented within different organisations. A proposal of the method is, however, included in the ISO TR 13335-3:1998 standard. Although it is limited to information technology systems, it may easily be adopted to a broader category such as an information system. The method must be prepared in such a way that it will provide for its multiple repetition and ensure the comparability of results. It should take into account not only legal requirements, but also those relating to the operations pursued by an organisation. The method must contain criteria that will allow for the definition of acceptable levels of risks, and on that basis, taking a decision about acceptance.

The ISO 27001:2005 standard requires risks to be defined in four steps:

  1. identification what assets (information, hardware, etc.) are in the organisation in terms of ISMS implementation and who is responsible for them,
  2. identification as to what could pose a threat to such assets,
  3. identification of susceptibilities, or weaknesses of such assets that may be used by threats,
  4. identification of the consequences for the assets that may occur in the event of threat occurrence.

The standard does not clearly indicate that threats and susceptibilities should be identified individually for each type of assets; however, auditors who certify systems are unenthusiastic about methods in which susceptibilities have been defined in groups. Risk identification is a time consuming activity and requires the participation of representatives from all the organisational units. Due to this, its optimum form includes training sessions combined with workshops.

Risk analysis is performed on the basis of the identification results. Its purpose is to show the losses that a default on confidentiality, accessibility, accuracy, or the integrity of assets may cause. Next, the likelihood of the occurrence of incidents that default on security and losses should be indicated, taking into account the currently applied security controls. Based on that, it is possible to estimate the risk level and take decisions on whether it is acceptable, or whether it is necessary to undertake additional preventive actions.

Risk treatment options

The standard proposes four solutions: the introduction of security controls, knowing the acceptance of risks, risk avoidance or their transfer to other organisations, e.g. insurers. The choice of security controls is facilitated by a list of over 100 proposals that has been presented in the standard implementation, which should be considered. The list has been prepared on the basis of information security management principles published in the ISO 17799:2005 standard.

Acceptance of residual (acceptable) risk by the management and an implementation approval constitute a passage from the design stage to the implementation stage of the information security management system. A statement of applicability of the ISMS, which is the outcome of the completed design stage, contains a description of the selected and implemented security controls, and also of any possible reasons for excluding certain security controls recommended by the standard.

Examples of Implementation of information security management system

  • Establishing a policy for information security: This involves developing a formal policy statement that reflects the organization's commitment to security and outlines the objectives for security management. This policy should be endorsed by senior management.
  • Risk Assessment: Identifying and assessing all potential risks to the organization's information security, including the threats posed by natural disasters, malicious attacks, and human error.
  • Developing control objectives: Identifying the objectives that must be met in order to secure the organization's information assets, such as physical security, access control, and data privacy.
  • Implementing controls: Putting in place the necessary controls and procedures to address the identified risks and meet the security objectives. This includes establishing a secure network architecture, implementing authentication and authorization systems, and developing a system of audit trails.
  • Verifying and monitoring security: Regularly assessing the effectiveness of the security controls, testing the system for vulnerabilities, and monitoring access to sensitive data.
  • Incident response: Developing a process for responding to security incidents, such as data breaches or malicious attacks. This includes notifying the relevant authorities, investigating the incident, and taking corrective action.
  • Reviewing the system: Reviewing the system on a regular basis to ensure it is up to date and addresses any changes in requirements. This includes revising the policy and objectives, assessing any new risks, and implementing new controls.

Advantages of Implementation of information security management system

An information security management system (ISMS) is an organized set of policies and procedures designed to protect information from unauthorized access, use, modification, destruction, or disclosure. Implementation of an ISMS can provide numerous benefits, including:

  • Improved visibility and control over IT systems and data, making it easier to identify and address security risks.
  • Reduced risk of data breaches due to improved security processes and procedures.
  • Improved efficiency and reliability in information sharing between departments and external partners.
  • Increased compliance with relevant laws and regulations.
  • Reduced costs associated with responding to security incidents or data breaches.
  • Improved customer trust and reputation due to enhanced security measures.
  • Improved employee confidence in the security of their data and systems.

Limitations of Implementation of information security management system

The following are the limitations of implementing the information security management system:

  • Limited resources: Implementing an information security management system requires resources, such as human resources, financial resources, and technical resources. Without proper resources, it is difficult to implement an effective system.
  • Lack of knowledge: In order to properly implement an information security management system, all personnel must understand the security policies and procedures. If personnel do not have the necessary knowledge, they cannot properly follow the system.
  • Difficulty in obtaining buy-in: People may not be willing to follow the policies and procedures associated with the information security management system. This can lead to lack of compliance and make it difficult to achieve the desired security objectives.
  • Cost of implementation: Implementing and maintaining an information security management system can be costly. Organizations must be aware of the financial cost of implementation, and have the resources to do so.
  • Lack of stability: The system must be continually monitored and updated to ensure that it is effective. This requires constant attention and effort, and can be difficult to maintain.

Other approaches related to Implementation of information security management system

One approach to implementing an information security management system is to consider the following steps:

  • Establish a security policy: This involves establishing a set of policies and procedures that define the organization’s approach to information security. It should include the scope of the security program, security roles and responsibilities, and any other relevant information.
  • Identify the information assets: This involves identifying the information that needs to be protected and determining the value of the information to the organization.
  • Develop security controls: This involves establishing the methods used to protect the information assets. This could include access control measures, encryption, and other measures as appropriate.
  • Monitor and review: This involves regularly reviewing the security controls and making changes as needed.
  • Prepare for incidents: This involves developing a plan for responding to security incidents. This could include procedures for reporting incidents, investigating incidents, and restoring systems.

In summary, implementing an information security management system involves establishing a security policy, identifying the information assets, developing security controls, monitoring and reviewing, and preparing for incidents.


Research conducted by the author in several local government offices has shown that technical security controls are used at a good level. Unfortunately, organisational security controls are at a satisfactory level. This is so because the implementation of technical security controls is the responsibility of an information technology officer, who has the relevant qualifications, whereas the organisational security controls are the responsibility of all employees. The implementation of such security controls will require substantial changes in the organisation's culture.

Due to that reason the implementation phase should be accompanied by a series of employee training courses. Their purpose is to acquaint employees with the new ways of the work organisation and to explain the reasons for introducing changes. Next, there comes the development and implementation of the risk treatment plan that will define the actions that need to be undertaken, their sequence, and the positions that are responsible for the introduction of changes should be indicated. The further stage includes the implementation of security controls provided for in the statement of acceptability, and defining the way of measuring their effectiveness. The measurement should allow not only for the assessment of system operations in the future, but also the results of comparisons of changes in time.

Implementation of information security management systemrecommended articles
Risk management processBusiness risk managementInformation security management systemResidual riskAccident managementStrategic risk managementSystem safetyValidation master planControl plan


Author: Slawomir Wawak