Information security management system
|Information security management system|
|Methods and techniques|
The information security management system (ISMS) scope comprises of:
- development of the security policy at the strategic level,
- evaluation of the risks relating to threat occurrence,
- determination and implementation of security controls aimed at eliminating such threats,
- monitoring of the system with the aid of internal audits and a management review.
The following text is based on ISO 27001:2005 standard, which was superseded by ISO 27001:2013.
It has been reflected in the structure of ISO 27001:2005 standard that comprises of nine chapters. The first four chapters contain:
- an introduction,
- a description of the scope of the standard,
- normative references,
- terms and definitions.
Key chapters focus on the:
- implementation and maintenance of the information security management system,
- management responsibility,
- internal audits,
- management review of the ISMS,
- information security management system improvement.
Such a structure corresponds to other standards established by the ISO that relate to management systems. Doubts may, however, be raised here for the reasons of separating the last three chapters, taking into consideration both the volume and separateness of their contents. In ISO 9001:2000 the review is included as a section in the chapter on management responsibility, while audit is put in the chapter on measurement, analysis and improvement, but, it should be mentioned that in both standards these are the same system management tools.
The key part of ISO 27001 is Annex A that contains a list of security controls divided into the following groups:
- security policy,
- information security organisation,
- asset management,
- personnel security,
- physical and environmental security,
- system and network management,
- system access control,
- information system development and maintenance,
- information security incident management,
- operational continuity management and compliance assurance.
The security groups are strictly related to the contents of the ISO 27002:2005 standard where detailed guidelines concerning the implementation and monitoring of security controls may be found. It should be noted that in many cases the ISO 27002:2005 standard deals with an information technology system, however, in the case of implementing the information security management system, it should be interpreted more broadly, as an information system.
The ISO 13335 standard that currently comprises of two sheets forms a background for implementing the ISMS as it provides general knowledge about the models and concepts of the information system management. It presents a number of security aspects at various levels of the organisation: corporate, interdepartmental, departmental, or in the IT area. It contains guidelines both concerning the methodology of risk evaluation, and detailed principles of securing information technology systems.
While developing standards for management systems, the International Organisation for Standardisation complies with the principles of their compatibility and complementarity. Apart from ISO 27001, the most popular standards in this field also include systems of quality management, environment and occupational safety. The compatibility is seen in the application of similar management methods and tools, e.g. principles of supervision over documents and records, the development of organisational policies, carrying out management system reviews, internal audits, identification of non-conformities (or incidents), corrective and preventive action. Such an approach facilitates the simultaneous implementation of systems. It is also worth noticing that in the case of the disunited implementation of standards, the solution that works best is the one in which the organisation implements the quality management system first, encompassing the entire company, acquainting the employees with new working methods. Management systems developed by ISO complement each other well, allowing for the development of an organisation towards the total quality management (TQM) concept.
- Dhillon, G., & Backhouse, J. (2000). Technical opinion: Information system security management in the new millennium. Communications of the ACM, 43(7), 125-128.
- Hong, K. S., Chi, Y. P., Chao, L. R., & Tang, J. H. (2003). An integrated system theory of information security management. Information Management & Computer Security, 11(5), 243-248.
- Eloff, J. H., & Eloff, M. (2003, September). Information security management: a new paradigm (pp. 130-136). South African Institute for Computer Scientists and Information Technologists.
Author: Slawomir Wawak