Information security management system: Difference between revisions
Latest revision as of 22:54, 17 November 2023
The information security management system (ISMS) scope comprises:
- development of the security policy at the strategic level,
- evaluation of the risks relating to threat occurrence,
- determination and implementation of security controls aimed at eliminating such threats,
- monitoring of the system with the aid of internal audits and a management review.
The following text is based on the ISO 27001:2005 standard, which was superseded by ISO 27001:2013.
This scope is reflected in the structure of the ISO 27001:2005 standard, which comprises nine chapters. The first four chapters contain:
- an introduction,
- a description of the scope of the standard,
- normative references,
- terms and definitions.
Key chapters focus on the:
- implementation and maintenance of the information security management system,
- management responsibility,
- internal audits,
- management review of the ISMS,
- information security management system improvement.
Such a structure corresponds to other ISO standards that relate to management systems. Doubts may, however, be raised about the separation of the last three chapters, taking into consideration both the volume and the separateness of their contents. In ISO 9001:2000 the review is included as a section of the chapter on management responsibility, while the audit is placed in the chapter on measurement, analysis and improvement; it should be noted, though, that in both standards these are the same management system tools.
ISO 27001
The key part of ISO 27001 is Annex A that contains a list of security controls divided into the following groups:
- security policy,
- information security organisation,
- asset management,
- personnel security,
- physical and environmental security,
- system and network management,
- system access control,
- information system development and maintenance,
- information security incident management,
- operational continuity management and compliance assurance.
The security groups are strictly related to the contents of the ISO 27002:2005 standard, where detailed guidelines concerning the implementation and monitoring of security controls may be found. It should be noted that in many cases the ISO 27002:2005 standard deals with an information technology system; however, when implementing the information security management system, it should be interpreted more broadly, as an information system.
ISO 13335
The ISO 13335 standard, which currently comprises two parts, forms a background for implementing the ISMS, as it provides general knowledge about the models and concepts of information system management. It presents a number of security aspects at various levels of the organisation: corporate, interdepartmental, departmental, or in the IT area. It contains guidelines both on the methodology of risk evaluation and on detailed principles of securing information technology systems.
Summary
While developing standards for management systems, the International Organisation for Standardisation follows the principles of their compatibility and complementarity. Apart from ISO 27001, the most popular standards in this field also include systems of quality management, environmental management and occupational safety. The compatibility is seen in the application of similar management methods and tools, e.g. principles of supervision over documents and records, the development of organisational policies, carrying out management system reviews, internal audits, identification of non-conformities (or incidents), and corrective and preventive action. Such an approach facilitates the simultaneous implementation of systems.
It is also worth noting that where the standards are implemented separately, the solution that works best is the one in which the organisation implements the quality management system first, encompassing the entire company and acquainting the employees with the new working methods. Management systems developed by ISO complement each other well, allowing an organisation to develop towards the total quality management (TQM) concept.
Examples of Information security management system
- Network Security: This is the implementation of technology and processes designed to protect the integrity of a network and its associated data. This includes firewalls, antivirus software, intrusion detection systems, and encryption protocols.
- Data Protection: This involves implementing measures to protect the privacy of data, such as limiting access to certain areas of a network, using encryption to secure data, and using secure authentication procedures.
- Application Security: This covers the security of applications and other software, such as web browsers, email clients, and databases. It involves ensuring that applications are secure against attack and that any vulnerabilities are identified and addressed.
- Asset Management: This is the process of monitoring and controlling the assets of an organization, such as physical assets, network resources, and data. This includes ensuring that assets are up-to-date and secure, as well as tracking their use and movement.
- Business Continuity Planning: This involves creating plans and procedures to ensure that the organization can continue to operate in the event of an incident, such as a power failure or natural disaster. It includes identifying potential risks and developing plans to mitigate them.
Advantages of Information security management system
The Information security management system (ISMS) scope comprises a set of activities which are used to protect and secure information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. The following are the advantages of ISMS:
- It helps to protect the confidentiality, integrity, and availability of information.
- It ensures that user data is handled securely and responsibly.
- It helps to ensure compliance with applicable laws and regulations, such as data protection and privacy laws.
- It helps to reduce the risk of data breaches and cyberattacks.
- It helps to detect and respond to security incidents quickly.
- It helps to improve organizational processes and procedures related to information security.
- It helps to enhance the organization’s reputation and trust among its customers, partners, and stakeholders.
Limitations of Information security management system
The ISMS scope comprises the limitations that must be taken into account when managing information security. These limitations include:
- The security policies, processes and procedures that are to be implemented and enforced.
- The physical, technical and administrative controls that must be put in place in order to protect sensitive data from unauthorized access.
- The personnel responsible for the implementation and enforcement of information security management.
- The procedures for responding to, reporting on and mitigating security incidents.
- The procedures for assessing and monitoring the effectiveness of the implemented information security controls.
- The methods and technologies used for protecting the confidentiality, integrity, and availability of the data.
- The measures to be taken in order to ensure the compliance with legal and regulatory requirements related to the protection of sensitive data.
In addition to an ISMS, there are other approaches related to information security management. These include:
- Risk management processes - Risk management processes identify, assess, and manage risks to IT systems, processes, and data. These processes involve identifying potential risks, assessing their severity and likelihood, and developing a response plan.
- Business continuity planning - Business continuity planning (BCP) is a process that prepares an organization to respond to and recover from a disaster or disruption. The goal of BCP is to ensure that essential operations can continue in the event of an incident.
- Security awareness training - Security awareness training is a process of educating employees about security procedures, policies, and best practices. It is important for employees to understand the risks associated with their actions and how to protect the organization’s data, systems, and networks.
- Access control - Access control is the process of limiting access to an organization’s resources, systems, and networks. Access control can be implemented through authentication, authorization, and other security controls.
- Incident response planning - Incident response planning is a process of preparing for and responding to potential security incidents. An incident response plan should include procedures for identifying, responding to, and recovering from incidents.
In addition to an ISMS, other approaches related to information security management include risk management processes, business continuity planning, security awareness training, access control, and incident response planning. These processes help to ensure the security of an organization's IT systems, processes, and data.
Author: Slawomir Wawak