
Information Security Management System (ISMS) - A Closer Look ISMS Definition

An Information Security Management System (ISMS) protects and manages information based on a systematic business risk approach. Key elements for implementing an ISMS include obtaining management commitment, organizing an implementation team, defining the ISMS scope, performing risk management including risk assessment and analysis, and conducting a Business Impact Analysis. Risk management involves identifying information assets, risks, assessing risks, and mitigating unacceptable risks through controls.

Uploaded by

Praveena Raja
Copyright
© Attribution Non-Commercial (BY-NC)

Topics covered

  • information security policy,
  • knowledge transfer,
  • technology integration,
  • information security organizat…,
  • risk identification,
  • roles and responsibilities,
  • risk assessment,
  • business critical processes,
  • enterprise risk management,
  • security monitoring

Information Security Management System (ISMS) - A closer Look

ISMS Definition

An Information Security Management System (ISMS) is a way to protect and manage information based on a systematic business risk approach, in order to establish, implement, operate, monitor, review, maintain, and improve information security. It is an organisational approach to information security.

Key elements for ISMS Implementation


ISMS implementation has to be customised to suit each organisation based on size, risk profile, management's risk appetite, industry, etc. The following are essential components in the process of implementing an ISMS in any organisation. The details of each component will vary; however, all of these components have to be considered during ISMS implementation.

A. Management commitment - This is the most essential element, as the starting point for implementing an ISMS is to obtain management commitment and support. Ideally, the motivation and direction will come from senior management, but success will come more easily if management understands the reasons for implementing an ISMS and fully supports its design and operation. The following items demonstrate management commitment:
- An information security policy;
- Information security objectives and plans;
- Roles and responsibilities for information security;
- Announcement or communication to the organisation about the importance of adhering to the information security policy; and
- Sufficient resources dedicated to implementing the ISMS.

B. Implementation team organisation - This process requires significant time and effort. Hence it is essential that organisations commit to identifying and engaging key stakeholders, and assemble the correct project team. Team size and the appropriate project leader are specific to each organisation. The project team should be able to devote sufficient time to the implementation. A smaller group of closely involved individuals is usually more effective than a larger team of occasional part-timers. If consultants are engaged, it is important that they are supported by internal resources. Eventual knowledge transfer to internal personnel should also be ensured; otherwise, when the consultants leave, the knowledge can walk out with them.
Overall responsibility for information security is often given to the IT Manager, but information security has a wider impact than just IT systems, including personnel security, physical security and legal compliance.

C. Define the scope of ISMS - In this step, the organisation determines the extent of ISMS applicability it wants. This is done after considering the various overall policy documents discussed above, such as the information security policy, objectives and plans. In addition, the following will be required:



Lists of the areas, locations, assets, and technologies of the organisation that will be controlled by the ISMS. While reviewing these lists, the organisation has to consider questions similar to the following:
- What areas of the organisation will be covered by the ISMS?
- What are the characteristics of those areas: the locations, assets and technologies to be included in the ISMS?
- Will the organisation require its suppliers to abide by this ISMS?
- Are there dependencies on other organisations? Should they be considered?

It is important to keep the scope manageable. Only parts of the organisation, such as a logical or physical grouping within the organisation, should be considered. Large organisations might need several Information Security Management Systems in order to maintain manageability. For example, they might have one ISMS for their Finance department and the networks used by that department, and a separate ISMS for their Software Development department and systems. The end result of this exercise should be a documented scope for the ISMS. This may be a few statements or paragraphs. The documented scope often becomes one of the first sections of an organisation's Security Manual.

D. Risk Management

i) Define method of Risk Assessment - Risk assessment is the process of identifying risks by analysing threats to, impacts on, and vulnerabilities of information and information systems and processing facilities, and the likelihood of their occurrence. Choosing a risk assessment method is one of the most important parts of establishing an ISMS. The method chosen must help:
- Evaluate risk based on levels of confidentiality, integrity, and availability;
- Set objectives to reduce risk to an acceptable level;
- Determine criteria for accepting risk; and
- Evaluate risk treatment options.
The organisation's approach to information security risk management, the criteria for information security risk evaluation and the degree of assurance required have to be clearly determined and documented.

ii) Information Asset Inventory - The organisation has to prepare a list of the information assets to be protected and an owner for each of those assets. It also has to identify where the information is located and how critical or difficult it would be to replace. This list should be part of the risk assessment methodology document that was created in the previous step. A sample of such a list is given in Table 1 below:
Table 1: Information Asset Inventory

| Asset | Details | Owner | Location | CIA Profile | Replacement Value | Risk Value | Control | Sufficient control? |
|---|---|---|---|---|---|---|---|---|
| 1. Strategic Information | Medium and long term plans | CEO | CEO PC | | High | | | |
| 2. Project Plans | Short Term Plans | CEO | CEO PC | | Medium | | | |
| 3. ....etc. | | | | | | | | |

iii) Identify Risks - For each asset defined in the previous step, risks have to be identified and classified according to their severity and vulnerability. In addition, the impact that loss of confidentiality, integrity, and availability may have on the assets has to be determined. A sample is shown in Table 2. To begin identifying risks, actual or potential threats and vulnerabilities for each asset have to be identified. A threat is something that could cause harm. For example, a threat could be an intentional, accidental, or man-made act that could inflict harm, or an act of God (such as a hurricane or tsunami). A vulnerability is a source or situation with a potential for harm (for example, a broken window is a vulnerability; it might encourage harm, such as a break-in). A risk is a combination of the likelihood or frequency that a specific threat will occur and the severity of its effect.
Table 2: Information Asset Risk Identification

| Asset | Details | Owner | Location | CIA Profile | Replacement Value | Risk Value | Control | Sufficient control? |
|---|---|---|---|---|---|---|---|---|
| 1. Strategic Information | Medium and long term plans | CEO | CEO PC | C: High, I: High, A: Med | High | | | |
| 2. Project Plans | Short Term Plans | CEO | CEO PC | C: High, I: High, A: Low | Medium | | | |
| 3. ....etc. | | | | | | | | |

iv) Assess Risks & Probability of Occurrence - After the organisation has identified the risks, it needs to assign values to the risks. The values will help the organisation determine whether the risk is tolerable and whether it needs to implement a control to either eliminate or reduce the risk. To assign values to risks, the considerations will be:
- the value of the asset being protected,
- the frequency with which the threat or vulnerability might occur, and
- the damage that the risk might inflict on the company or its customers or partners.
Table 3: Information Asset Risk Assessment

| Asset | Details | Owner | Location | CIA Profile | Replacement Value | Risk Value | Control | Sufficient control? |
|---|---|---|---|---|---|---|---|---|
| 1. Strategic Information | Medium and long term plans | CEO | CEO PC | C: High, I: High, A: Med | High | High | | |
| 2. Project Plans | Short Term Plans | CEO | CEO PC | C: High, I: High, A: Low | Medium | Medium | | |
| 3. ....etc. | | | | | | | | |



v) Risk Mitigation - Next, for the risks that have been determined to be intolerable, the organisation must take one of the following actions:
- Accept the risk, for example, where actions are not possible because they are out of the organisation's control (such as natural disaster or political uprising) or are too expensive.
- Transfer the risk, for example, purchase insurance against the risk, subcontract the activity so that the risk is passed on to the subcontractor, etc.
- Reduce the risk to an acceptable level through the use of controls. To reduce the risk, the organisation should evaluate and identify appropriate controls. These might be controls that the organisation already has in place or controls that are defined in the ISO/IEC 27002 (ISO/IEC 17799) standard.
A sample is given in Table 4.
Table 4: Information Asset Risk/Control Profile

| Asset | Details | Owner | Location | CIA Profile | Replacement Value | Risk Value | Control | Sufficient control? |
|---|---|---|---|---|---|---|---|---|
| 1. Strategic Information | Medium and long term plans | CEO | CEO PC | C: High, I: High, A: Med | High | High | Ref to ISO Clause / Internal Control doc | Yes |
| 2. Project Plans | Short Term Plans | CEO | CEO PC | C: High, I: High, A: Low | Medium | Medium | Ref to ISO Clause / Internal Control doc | Yes |
| 3. ....etc. | | | | | | | | |
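The asset inventory, risk identification, risk assessment and risk treatment steps in D(ii) to D(v), whose outputs are Tables 1 to 4, can be modelled as a small risk register. The following Python script is an added example written for this page, not code from the original document. Its numeric Low/Med/High scale, the multiplicative scoring (asset value x likelihood x damage), the thresholds that map a score back to High/Medium/Low, and the threat/vulnerability pairs are all assumptions constructed for illustration; the ISO/IEC 27002 clause reference is a placeholder, since the page gives no clause number.

```python
from dataclasses import dataclass

# Ordinal scale used for CIA ratings, replacement value, likelihood and damage.
# The numeric mapping is an assumption of this example; the page only uses the labels.
LEVELS = {"Low": 1, "Med": 2, "Medium": 2, "High": 3}


@dataclass
class Asset:
    """One row of Table 1, the information asset inventory."""
    name: str
    details: str
    owner: str
    location: str
    cia: dict              # e.g. {"C": "High", "I": "High", "A": "Med"}
    replacement_value: str


@dataclass
class Risk:
    """One identified risk for an asset (Table 2) plus the D(iv) assessment inputs."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: str        # how often the threat/vulnerability might occur
    damage: str            # harm to the company, its customers or partners
    control_ref: str = ""  # reference to an ISO/IEC 27002 clause or internal control doc
    control_sufficient: bool = False


def asset_value(asset: Asset) -> int:
    """Asset value: the highest of the CIA ratings and the replacement value."""
    ratings = list(asset.cia.values()) + [asset.replacement_value]
    return max(LEVELS[r] for r in ratings)


def risk_score(risk: Risk) -> int:
    """Assumed scoring: asset value x likelihood x damage, range 1..27."""
    return asset_value(risk.asset) * LEVELS[risk.likelihood] * LEVELS[risk.damage]


def risk_level(score: int) -> str:
    """Map the score back to the page's High/Medium/Low risk value (assumed thresholds)."""
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def treatment(risk: Risk, appetite: str = "Low") -> str:
    """D(v): a risk above management's appetite must be accepted, transferred or reduced."""
    level = risk_level(risk_score(risk))
    if LEVELS[level] <= LEVELS[appetite]:
        return "tolerate"
    if risk.control_ref and risk.control_sufficient:
        return f"reduce ({risk.control_ref})"
    return "treat: select a control, transfer, or accept with justification"


def risk_register(risks, appetite: str = "Low"):
    """Build rows shaped like Table 4 (risk/control profile) for the given risks."""
    rows = []
    for r in risks:
        rows.append({
            "asset": r.asset.name,
            "owner": r.asset.owner,
            "location": r.asset.location,
            "cia": " ".join(f"{k}:{v}" for k, v in r.asset.cia.items()),
            "replacement_value": r.asset.replacement_value,
            "risk_value": risk_level(risk_score(r)),
            "control": r.control_ref or "-",
            "sufficient_control": "Yes" if r.control_sufficient else "No",
            "treatment": treatment(r, appetite),
        })
    return rows


# Constructed sample data: the two assets of Table 1, with threat/vulnerability
# pairs invented for this example (not from the page).
STRATEGIC = Asset("Strategic Information", "Medium and long term plans", "CEO", "CEO PC",
                  {"C": "High", "I": "High", "A": "Med"}, "High")
PROJECT = Asset("Project Plans", "Short Term Plans", "CEO", "CEO PC",
                {"C": "High", "I": "High", "A": "Low"}, "Medium")

SAMPLE_RISKS = [
    Risk(STRATEGIC, "theft of the CEO PC", "disk is not encrypted",
         likelihood="Med", damage="High",
         control_ref="ISO/IEC 27002 clause [ref placeholder]", control_sufficient=True),
    Risk(PROJECT, "accidental deletion of plan files", "no backup of local files",
         likelihood="Low", damage="Med"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS):
        print(row)
```

Running the script prints one Table 4 style row per risk: the strategic-information risk scores High and is reduced by its (sufficient) control, while the project-plans risk scores Medium and, against a Low appetite, is flagged for treatment. Passing appetite="Medium" to risk_register shows the same Medium risk becoming tolerable, which is the point of documenting management's risk acceptance criteria in D(i).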


E. Business Impact Analysis (BIA) - A BIA report quantifies the importance of business components and suggests appropriate fund allocation for measures to protect them. The possibilities of failures are likely to be assessed in terms of their impacts on safety, finances, marketing, legal compliance, and quality assurance. Where possible, impact is expressed monetarily for purposes of comparison. For example, a business may spend three times as much on marketing in the wake of a disaster to rebuild customer confidence. The BIA is an essential component of an organisation's business continuance plan; it includes an exploratory component to reveal any vulnerabilities, and a planning component to develop strategies for minimising risk. The result of the analysis is a business impact analysis report, which describes the potential risks specific to the organisation studied. One of the basic assumptions behind BIA is that every component of the organisation is reliant upon the continued functioning of every other component, but that some are more crucial than others and require a greater allocation of funds in the wake of a disaster. For example, a business may be able to continue more or less normally if the cafeteria has to close, but would come to a complete halt if the information system crashes. A sample series of questions a BIA team must look to answer is:
- What critical interdependencies exist between internal systems, applications, business processes, and departments?
- What specialised equipment is required and how is it used?
- How would the department function if the mainframe, network and/or Internet access were not available?
- What single points of failure exist and how significant are those risks?
- What are the critical outsourced relationships and dependencies?

F. Business Continuity Planning (BCP) & Disaster Recovery (DR) - Business Continuity Planning involves identifying, developing, acquiring, documenting and testing procedures and resources that will ensure continuity of an organisation's key operations in the event of an accident, disaster, emergency, and/or threat. It involves risk mitigation planning (reducing the possibility of the occurrence of adverse events) and Disaster Recovery planning (ensuring continued operation in the aftermath of a disaster). These plans are drawn up based on the BIA report, as this gives a clear indication of the business-critical processes that have to be focussed on. Some basics to cover in a Business Continuity plan are:
- Develop and practise a contingency plan that includes a succession plan for the CEO.
- Train backup employees to perform emergency tasks.
- Determine offsite crisis meeting places and crisis communication plans for top executives.



- Practise crisis communication with employees, customers and the outside world.
- Invest in an alternate means of communication in case the phone networks go down.
- Make sure that all employees, as well as executives, are involved in the exercises so that they get practice in responding to an emergency.
- Make business continuity exercises realistic.
- Form partnerships with local emergency response groups (fire fighters, police and EMTs) to establish a good working relationship.
- Evaluate the company's performance during each test, and work toward constant improvement. Continuity exercises should reveal weaknesses.
- Test the continuity plan regularly to reveal and accommodate changes. Technology, personnel and facilities are in a constant state of flux at any company.

A Disaster Recovery Plan is a subset of the BCP, but covers elaborate details such as documentation of the procedures for declaring an emergency, evacuation of the site according to the nature of the disaster, active backup, notification of the related officials/DR team/staff, the procedures to be followed when a disaster breaks out, alternate location specifications, etc. It is beneficial to be prepared in advance with sample DRPs and disaster recovery examples so that every individual in the organisation is better educated on the basics. Documentation should include identification and contact details of key personnel in the disaster recovery team, and their roles and responsibilities in the team.

The lifecycle in information security


Security is not a permanent state which, once achieved, will never change. Every organisation and public agency is subject to continuous dynamic changes. Many of these changes also affect information security due to changes in the business processes, tasks, infrastructure, organisational structures and the IT. Besides the obvious changes within an institution, changes to the external conditions can also occur; for example, the statutory or contractual stipulations as well as the available information and communications technologies might change considerably. It is therefore necessary to manage security actively so that the security level that has been reached is also maintained over the long term.

[Figure: the PDCA cycle applied to an ISMS. Plan: Establish ISMS. Do: Implement & Operate ISMS. Check: Monitor & Review ISMS. Act: Maintain & Improve ISMS.]

Not only business processes and IT systems have a "lifecycle"; the policy for information security, the information security organisation and ultimately the entire information security process all have a lifecycle. The information security process is commonly divided into the following phases:



1. Planning
2. Implementing the plan and carrying out the project
3. Performance review and monitoring the achievement of objectives
4. Eliminating discovered flaws and weaknesses and making optimisations as well as improvements

Phase 4 describes the immediate elimination of minor flaws. If fundamental or extensive changes are needed, one must of course return to the planning phase again. This model is named after the individual phases ("Plan", "Do", "Check", "Act") and is thus also referred to as the PDCA model. The PDCA cycle is considered an upward spiral: each cycle perfects the ISMS further, so that the extent of the next cycle is a little smaller than that of the previous one.

Concluding Remarks
The management system concept is being applied across many new disciplines. With the ratification of the ISO 27001 standard, information security management systems have achieved new prominence, in some arenas becoming an essential requirement. In conclusion, an ISMS:
- Integrates information security risk into enterprise risk management.
- Documents informed decision making and due diligence.
- Provides a framework for regulatory compliance.
- Offers a structure to efficiently and effectively integrate people, process, and technology.
- Furnishes a mechanism for monitoring and reporting.
- Is business friendly, and a market differentiator.

References:
http://www.csoonline.com

Useful Books and information on Business Continuity and Disaster Recovery:
- The Disaster Recovery Handbook: A Step-By-Step Plan, by Wallace and Webber (AMACOM 2010)
- Building an Enterprise-Wide Business Continuity Program, by Kelley Okolita (CRC Press 2009)
- A Risk Management Approach to Business Continuity: Aligning Business Continuity with Corporate Governance, by Julia Graham et al. (Rothstein Associates 2006)
