Lecture 1 - Introduction ISMS

This document provides information about an information security management course, including its objectives, content, design, and examinations. The course aims to teach students how to implement an Information Security Management System (ISMS) based on international standards and best practices. It covers analyzing an organization, designing security policies and controls, and planning implementation and follow up processes. Students will complete two written reports analyzing a fictional organization and designing its ISMS.

Uploaded by Asim Rasa

INFORMATION SECURITY MANAGEMENT SYSTEM - IT756A

LEDNING OCH STYRNING AV INFORMATIONSSÄKERHET

Course introduction – Rose-Mharie Åhlfeldt

Slide 1
CONTENT

• Course Information
• Course Design
• Course Materials
• Information Security Management System
• Analysis - Business and environment

Slide 2
COURSE INFORMATION

• A practical course regarding implementing an ISMS in organisations.
• The course contains an introduction to the field of systematic information security work, in addition to six different parts, each with theoretical and practical elements.
• Theory building is based on standards, methods and tools for information security management systems.

Slide 3
COURSE INFORMATION

• Current research findings are discussed in order to provide in-depth knowledge in the field.
• The practical application is based on international/national regulations and recommendations related to information security management systems.
• In addition, the practical application is based on assignments undertaken in an external (fictitious) organisation in order to provide the skills and ability to apply an ISMS in practice.

Slide 4
COURSE OBJECTIVES

• After completing the course the student should be able to:
  • define and describe systematic information security work from best practice and current research,
  • conduct analyses for the deployment of an information security management system,
  • draw up a plan for use and follow-up regarding the deployment of an information security management system, and
  • orally and in writing, present produced results in groups and individually, and reflect on and compare the results with current research.

Slide 5
CONTENT OF THE COURSE

• The course rests on a scientific basis and proven experience. The literature comes from both scientific sources and accepted standards and technical reports in the field.
• The course contains lectures, supervisions and seminars.
• Lectures are given both on campus for campus students and online for distance students.

Slide 6
COURSE ADMINISTRATION

• Course coordinator
  • Rose-Mharie Åhlfeldt, Associate Professor, University of Skövde
• Examiner
  • Marcus Nohlberg, Senior Lecturer, University of Skövde

Slide 7
COURSE DESIGN

Slide 8
COURSE DESIGN

Slide 9
SUPERVISIONS

• Each part of the course will be followed by a supervision activity.
• Supervision is not a mandatory activity, but we strongly recommend taking this opportunity to show your work so far and discuss the issues you have regarding your task.

Slide 10
THE ASSIGNMENT

• Identify and analyse a fictitious organisation's information and plan for the deployment of an information security management system.
• The organisation is described in a separate document.
• Information that is missing about the organisation is obtained by
  1. requests during the supervisions, and/or
  2. documented assumptions by the student group.
• The task is time-consuming and therefore both delimitation and scheduling need to be taken into account.

Slide 11
SEMINARS

• Two presentation seminars are included in the two examination activities.
• During the seminars, each group will present their work in 10 minutes, followed by 5 minutes for questions and discussion.

Slide 12
EXAMINATION

• Two examination parts (written reports)
  • Report 1 - Analysis
    • Analysis of business and environment
    • Risk analysis
    • Gap analysis
  • Report 2 - Design – Use – Follow up
    • Policy, objectives and organisation
    • Action plan, classification model and information classification
    • Implementation and follow-up, management review

Slide 13
INFORMATION SECURITY MANAGEMENT SYSTEMS (ISMS)

Slide 14
INFORMATION SECURITY MODEL

(Figure: information security model – Business goals)

Slide 15
SYSTEMATIC INFORMATION SECURITY WORK – INFORMATION SECURITY MANAGEMENT SYSTEM

Through systematic work on information security, organisations can increase the quality of, and trust in, their business.

Slide 16
SYSTEMATIC INFORMATION SECURITY WORK – INFORMATION SECURITY MANAGEMENT SYSTEM

• Establish basic principles for managing the business.
• Create order and find out.
• Create a secure division of responsibilities.
• Focus on the analysis work.
• Systematise the improvement work.
• Follow up, evaluate results, compare and improve.

Slide 17
SYSTEMATIC INFORMATION SECURITY WORK

• Systematic information security work is process-controlled and involves continuous work – a process of continuous improvement.

Slide 18
FROM STANDARDS TO A METHOD

(Figure: WHAT to do – HOW it can be done)

Slide 19
AIMS AND OBJECTIVES

(Figure: Organisation)

Slide 20
THE METHOD FOR SYSTEMATIC INFORMATION SECURITY WORK – PURPOSE AND GOALS

• The method aims to support the systematic information security work and to show how that work should follow the company's overall strategy and governance.

Slide 21
PARTS OF THE METHOD

• The method consists of four different method steps that together form the process steps for systematic information security work.

Slide 22
IDENTIFY AND ANALYSE

• Business
  • The business analysis involves identifying the organisation's essential information assets as well as mapping internal stakeholders (such as decision makers, object owners, employees, support units) and prerequisites (such as goals, strategies, organisational structure, infrastructure).
• External
  • The external analysis includes identification of legal requirements and mapping of external stakeholders (such as owners, customers, suppliers, reviewers) and prerequisites (such as technical, social, environmental, political).
• Risk
  • The risk analysis identifies information security risks and can be used enterprise-wide or for a specific object.
• GAP
  • The gap analysis is based on the selected security controls and refers to the gap between the identified need for protection and the current status of the respective security control.

Slide 23
DESIGN

• Roles and responsibilities
  • Guidance on understanding and creating an organisation for information security, including roles, responsibilities and tasks, which is fundamental for information security work.
• Goal
  • The organisation's strategic and short-term goals for information security are formulated based on the organisation's internal and external conditions.
• Governing documents
  • Formal and decided documents that regulate information security related activities in the organisation.
• Action plan
  • Guidance on creating a plan aimed at eliminating and/or reducing selected information security-related deficiencies.
• Classification model
  • Guidance on how the organisation creates a model for classifying information assets, i.e. information and resources for managing information.

Slide 24
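The gap analysis described under IDENTIFY AND ANALYSE, and the action plan it feeds under DESIGN, as an added example that is not part of the lecture or of the course's Excel tools: for every selected security control it compares the need for protection identified in the risk analysis with the control's current status and lists the controls with the largest shortfall as candidates for the action plan. The 0..4 maturity scale, the control identifiers and the sample levels are constructed assumptions, not the method's own.

```python
"""Gap analysis: identified need for protection vs current status per control.

Added example; it is not the lecture's or the course tool's code. The 0..4
scale, the control identifiers and the sample levels are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_LEVEL = 4  # assumed scale: 0 = not implemented ... 4 = fully implemented and reviewed


@dataclass(frozen=True)
class ControlGap:
    control_id: str
    name: str
    required: int   # need for protection, from the risk analysis
    current: int    # status found when the control was assessed
    assessed: bool  # False when no current status was recorded at all

    @property
    def gap(self) -> int:
        """Shortfall only; exceeding the need is not counted as a gap."""
        return max(self.required - self.current, 0)


def _check_level(value: int, what: str) -> None:
    if not 0 <= value <= MAX_LEVEL:
        raise ValueError(f"{what}: level {value} is outside 0..{MAX_LEVEL}")


def gap_analysis(required: dict[str, tuple[str, int]],
                 current: dict[str, int]) -> list[ControlGap]:
    """Compare required and current levels for every selected control.

    `required` maps control id -> (name, required level); `current` maps
    control id -> current level. A selected control with no current status
    is kept at level 0 and flagged, so it cannot silently drop out of the
    result. A status for a control that was never selected is an error,
    since it points to a mismatch between the two lists.
    The result is sorted by gap size, largest first, then by control id.
    """
    unknown = set(current) - set(required)
    if unknown:
        raise ValueError(f"current status given for unselected controls: {sorted(unknown)}")
    results = []
    for control_id, (name, need) in required.items():
        _check_level(need, f"required {control_id}")
        status = current.get(control_id, 0)
        _check_level(status, f"current {control_id}")
        results.append(ControlGap(control_id, name, need, status, control_id in current))
    return sorted(results, key=lambda g: (-g.gap, g.control_id))


def action_plan_candidates(gaps: list[ControlGap], min_gap: int = 1) -> list[ControlGap]:
    """Controls whose shortfall is at least `min_gap`: the input to the action plan."""
    return [g for g in gaps if g.gap >= min_gap]


# Constructed sample; the control ids are placeholders, not a standard's numbering.
SAMPLE_REQUIRED = {
    "C-01": ("Information security policy", 3),
    "C-02": ("Access control", 4),
    "C-03": ("Backup", 3),
    "C-04": ("Supplier security", 2),
}
SAMPLE_CURRENT = {"C-01": 3, "C-02": 1, "C-03": 2}  # C-04 was never assessed


if __name__ == "__main__":
    for g in gap_analysis(SAMPLE_REQUIRED, SAMPLE_CURRENT):
        flag = "" if g.assessed else " (not assessed)"
        print(f"{g.control_id} {g.name}: need {g.required}, current {g.current}, gap {g.gap}{flag}")
```

A control that was selected but never assessed is the case most easily lost in a spreadsheet; here it stays in the result at level 0 and is flagged, so the action plan cannot omit it by accident. A status recorded for a control outside the selection is rejected rather than ignored, because it usually means the two sheets are out of step.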
USE

• Implement and comply
  • Describes the activities that must be done in the organisation in order for the decided action plan to be implemented and the decided steering documents to be complied with, and describes the responsibilities and tasks of the different roles.
• Education and communication
  • Provides support in education and communication of information security related issues, to spread awareness and knowledge about information security.
• Classify information
  • Guidance on practical information classification, which includes identification, valuation and classification of information, IT systems and other resources based on the organisation's common classification model.
• Monitor and review
  • Through continuous monitoring and review, the organisation can gain better knowledge of the information security situation and detect shortcomings that need to be corrected.

Slide 25
FOLLOW UP AND IMPROVE

• Goal fulfilment
  • Provides support for how the organisation meets the strategic and short-term goals for information security.
• Evaluate
  • Provides support for assessing whether information security in general is appropriately designed, has the intended effect, and whether the security measures exist and function satisfactorily.
• Management review
  • The management review means that top management reviews the organisation's systematic information security work and its management to ensure its continued suitability, adequacy and effectiveness.

Slide 26
IDENTIFY AND ANALYSE – BUSINESS AND EXTERNAL ENVIRONMENT

Slide 27
IDENTIFY AND ANALYSE

• Business
  • The business analysis involves identifying the organisation's essential information assets as well as mapping internal stakeholders (such as decision makers, object owners, employees, support units) and conditions (such as goals, strategies, organisational structure, infrastructure).
• External
  • The external analysis includes identification of legal requirements and mapping of external stakeholders (such as owners, customers, suppliers, reviewers) and conditions (such as technical, social, environmental, political).
• Risk
  • The risk analysis identifies information security risks and can be used enterprise-wide or for an individual object.
• GAP
  • The gap analysis is based on the selected security controls and refers to the gap between the identified need for protection and the current status of the respective security control.

Slide 28
BUSINESS ANALYSIS – INTERNAL PERSPECTIVE

• Designing the governance of an organisation's information in a way that takes advantage of the current situation requires different types of analysis. This guide focuses on the internal perspective: the organisation's own activities are analysed in three parts:
  • internal stakeholders
  • internal conditions
  • information assets

Slide 29
INTERNAL STAKEHOLDERS

• Internal stakeholders are persons (positions) or units within the organisation that affect or are affected by how the organisation manages information security.
• Each of these stakeholders has some form of needs, expectations or requirements related to information security and its governance in the organisation.
• The analysis identifies the stakeholders and their requirements so that these can be taken into account in the design of information security.

Slide 30
EXAMPLE OF STAKEHOLDERS AND REQUIREMENTS

Category | Stakeholders | Requirements/role
• Decision makers | Board, Top Management, CEO, Finance Manager, HR Manager | Decide on and control the work on how information security is to be conducted. Requirements for cost-effectiveness and efficiency.
• Object owners | Object owner, Process owner, Information owner, System owner | Make demands on information security for the items they "own".

Slide 31
EXAMPLE OF STAKEHOLDERS AND REQUIREMENTS

Category | Stakeholders | Requirements/role
• Support units | IT department, HR department | Are both subject to information security management and responsible for certain security arrangements.
• Co-workers | Employees, Consultants | Must comply with rules. Want to be able to work productively despite security controls.
• Information security | CISO, IT security officer, CSO | Design the governance and ensure that it is introduced in various ways in the business.

Slide 32
STEP 1 - TOOLS
• Use the Excel sheet "Tool Analyse Business", section 1, Internal stakeholders.

Slide 33
STEP 2 - INTERNAL STAKEHOLDERS
• Starting from the table, and with the help of your own experience or other sources, identify every important stakeholder.

Slide 34
STEP 3 - ROLE
• Discuss their role: how they affect, and are affected by, information security and its governance.

Slide 35
STEP 4 - REQUIREMENTS
• Identify needs, expectations and requirements with the help of discussions, meetings, interviews etc. Document them in the tool.

Slide 36
INTERNAL PREREQUISITES

• Internal prerequisites refer to the conditions, in addition to the internal stakeholders, within the organisation that need to be taken into consideration when designing the information security controls.
• Each of these conditions has some kind of impact on how the organisation should best design information security and its governance for the business.
• The analysis identifies the internal conditions and their impacts.

Slide 37
EXAMPLE OF INTERNAL PREREQUISITES AND IMPACT

Internal prerequisite | Type of impact
• Policy, objectives, strategies | Existing policy, goals and strategies tell where the business is heading. Information security's governance and objectives must be adapted accordingly.
• Business management | Existing management and planning of the business, such as the IT management model, business planning process, budget process etc., affect the management of information security.
• Organisation structure | The structure tells about responsibilities, roles, reporting paths and decision making. The structure governs the conditions under which the responsibility and authority for information security can be designed.

Slide 38
EXAMPLE OF INTERNAL PREREQUISITES AND IMPACT

Internal prerequisite | Type of impact
• Organisation culture | The culture tells what works and what is expected regarding the management of information security. Some businesses may be familiar with vague goal orientation while others require detailed control.
• Business processes | Both processes for business management and other processes such as purchasing, recruitment, product and service development, marketing, delivery, complaints etc. affect and are affected by information security management.
• Resources | Mainly refers to access to personnel and financial resources and their impact.
• Standards, guidelines | Existing standards that the organisation has chosen to work with and how they affect the management of information security.

Slide 39
EXAMPLE OF INTERNAL PREREQUISITES AND IMPACT

Internal prerequisite | Type of impact
• Competence | Existing competence in the business affects what responsibilities can be handed out and what types of security controls can work effectively.
• Communication | Communication paths and ways to communicate are central to governance. Information security management should take into account existing ways of communicating internally.
• Infrastructure | Existing infrastructure and technology, including IT, that affect the management of information security. Note that information assets are managed in a separate analysis section.

Slide 40
PROCEDURES FOR ANALYSIS
1. Tool: Use the Excel sheet "Tool - Analyse business", tab 2 Internal prerequisites.

Slide 41
PROCEDURES FOR ANALYSIS
2. Internal prerequisites: Based on the table of internal prerequisites, and using your own experience or other sources, identify all important internal prerequisites.

Slide 42
PROCEDURES FOR ANALYSIS
3. Impact: Discuss the prerequisites, how they affect and are affected by information security and governance.

Slide 43
PROCEDURES FOR ANALYSIS
4. Requirements: Identify the impact and its importance for how information security management should be designed, for example by means of document review, discussion, meetings, interviews etc. Document this in the tool.

Slide 44
INFORMATION ASSETS

• Information assets are information, including the resources (e.g. IT systems) that process the information. Information assets are the object of protection with regard to information security.
• It is therefore important to identify the essential/critical resources in order to apply the right protection.
• The analysis identifies essential/critical assets as an important basis for further work.

Slide 45
INFORMATION ASSETS
1. Tool: Use the Excel sheet "Tool Analyse Business", tab 3 Information Assets.
2. Inventory: Identify essential/critical information assets.

Slide 46
INFORMATION ASSETS
• Document the following (1):
  • ID: For easy identification it is recommended that each information asset is assigned a unique identifier.
  • Name: Enter the name of the information asset, such as "Agresso" or "Subscriber data".
  • Description: Describe the asset in terms of use, technology, etc. For example, "Salary system" or "CRM system delivered by X as a cloud service".

Slide 47
INFORMATION ASSETS
• Document the following (2):
  • Information/data: Describe the type of information/data that is processed, such as "Sensitive data".
  • Critical: Answer "Yes" for assets that are absolutely central and critical to the business. This answer implies a priority in the further handling of the asset.
  • Owner and Contact: Enter the person or function in the business responsible for the information asset as well as contact information. This is used when you want to contact the owner to implement information classification.

Slide 48
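The inventory fields listed in the two slides above, as an added example that is not the course's Excel tool: it reads a CSV export of the Information Assets tab, checks that every ID is unique and that every asset marked Critical has an owner and contact (the method relies on the owner when information classification is carried out), and groups the critical assets by owner as a work list for classification. The sample rows, names and addresses are constructed.

```python
"""Information asset inventory checks (added example; not the course's Excel tool).

The CSV below is a constructed sample with the fields the method asks for:
ID, Name, Description, Information/data, Critical, Owner, Contact.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export. A critical asset without a contact and a
# duplicated ID are included on purpose to exercise the checks.
SAMPLE_CSV = """\
ID,Name,Description,Information/data,Critical,Owner,Contact
IA-001,Agresso,Salary system,Personal and salary data,Yes,HR Manager,hr@example.org
IA-002,CRM,CRM system delivered as a cloud service,Customer data,Yes,Sales Manager,
IA-003,Intranet,Internal news site,Internal information,No,Communications,comms@example.org
IA-003,File server,Shared documents,Mixed business data,No,IT department,it@example.org
"""


@dataclass(frozen=True)
class InformationAsset:
    asset_id: str
    name: str
    description: str
    data_type: str
    critical: bool
    owner: str
    contact: str


def load_inventory(csv_text: str) -> list[InformationAsset]:
    """Parse a CSV export of the inventory tab into asset records."""
    reader = csv.DictReader(io.StringIO(csv_text))
    assets = []
    for row in reader:
        assets.append(InformationAsset(
            asset_id=row["ID"].strip(),
            name=row["Name"].strip(),
            description=row["Description"].strip(),
            data_type=row["Information/data"].strip(),
            critical=row["Critical"].strip().lower() == "yes",  # "Yes" as on the slide
            owner=row["Owner"].strip(),
            contact=row["Contact"].strip(),
        ))
    return assets


def validate_inventory(assets: list[InformationAsset]) -> list[str]:
    """Return human-readable problems; an empty list means the inventory passes."""
    problems = []
    seen: dict[str, int] = defaultdict(int)
    for a in assets:
        seen[a.asset_id] += 1
    for asset_id, count in sorted(seen.items()):
        if count > 1:
            problems.append(f"duplicate ID {asset_id} used {count} times")
    for a in assets:
        if not a.asset_id:
            problems.append(f"asset {a.name!r} has no ID")
        # A critical asset is prioritised for classification, which needs a reachable owner.
        if a.critical and not (a.owner and a.contact):
            problems.append(f"critical asset {a.asset_id} lacks owner or contact")
    return problems


def critical_assets(assets: list[InformationAsset]) -> list[InformationAsset]:
    """Assets answered "Yes" under Critical, in ID order."""
    return sorted((a for a in assets if a.critical), key=lambda a: a.asset_id)


def classification_worklist(assets: list[InformationAsset]) -> dict[str, list[str]]:
    """Critical asset IDs grouped by owner: who to contact first for classification."""
    worklist: dict[str, list[str]] = defaultdict(list)
    for a in critical_assets(assets):
        worklist[a.owner].append(a.asset_id)
    return dict(worklist)


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_CSV)
    for problem in validate_inventory(inventory):
        print("PROBLEM:", problem)
    print(classification_worklist(inventory))
```

Run against the sample, the validation reports the duplicated ID and the critical asset that has an owner but no contact; the work list then contains only the critical assets, grouped by owner, which is the order in which the classification step would approach people.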
SUMMARY
• Business analysis
  • Important to take it step by step
  • Start building from the beginning - everything will not be ready right away
• The steps of the method - Analyse business
  1. Internal stakeholders
  2. Internal prerequisites
  3. Information assets
  4. The tool to support

Slide 49
IDENTIFY AND ANALYSE THE ENVIRONMENT

Slide 50
IDENTIFY AND ANALYSE THE WORLD AROUND US
• The business environment refers to everything that lies outside the organisation's direct control but either affects or is affected by the information security of the business.

Slide 51
EXTERNAL STAKEHOLDERS

• External stakeholders are persons, groups or organisations outside the organisation that affect or are affected by how your own organisation manages information security.
• Each of these stakeholders has some form of needs, expectations, requirements or other influence in relation to information security and its governance in the business.
• The analysis identifies the stakeholders and their demands and influence so that these can be considered in the design of information security.

Slide 52
EXAMPLES OF EXTERNAL STAKEHOLDERS

Category | External stakeholders (example)
• Owner | Limited company, parent company, the government etc.
• Customer | Customers, users, those who use the business' products and services.
• Suppliers | Suppliers, subcontractors, out- and insourcing partners, cloud service suppliers, business partners, security suppliers etc.
• Reviewers | Inspection authorities (Data Inspection Board, National Audit Office, Security Police etc.)
• Competitors | Competitors who run similar activities or who otherwise compete with the business.
• Public | Public, citizens, residents.

Slide 53
EXTERNAL STAKEHOLDERS

Slide 54
EXTERNAL PREREQUISITES

• External prerequisites refer to the conditions, in addition to external stakeholders and legal requirements, in the business operating environment which need to be taken into consideration when designing the ISMS, for example political and technical conditions.
• Each of these prerequisites has some form of impact on how we should best design an ISMS in the organisation.
• The analysis therefore identifies the external prerequisites and their impact.

Slide 55
EXAMPLES OF EXTERNAL PREREQUISITES

External prerequisite | Type of impact (example)
• Technical prerequisites | Technological developments and developments in IT have a strong impact on information security, both in the form of new threats and of new solutions.

Examples where IT innovations can affect:
1. Cloud services place new demands on how information security can be controlled.
2. Virtual and augmented reality (VR, AR), where customers can access the business's product or service in a whole new way.
3. The Internet of Things (IoT), where things are connected and need good information security.
4. New ways of identifying users (authentication), such as fingerprints, voice, face shape.

Slide 56
EXAMPLES OF EXTERNAL PREREQUISITES

External prerequisite | Type of impact (example)
• Social prerequisites | Social and cultural conditions indicate what is considered good and acceptable. It may concern attitudes in society, public health, educational attainment, but also the general situation in society.

Examples where social conditions can affect:
1. The degree of monitoring and logging that individuals in society accept.
2. How easy or difficult it is to reach individuals in the community with information about information security.

Slide 57
EXAMPLES OF EXTERNAL PREREQUISITES

External prerequisite | Type of impact (example)
• Financial prerequisites | External economic and financial conditions also affect the scope for information security. Perhaps especially concerning resources, but it can also apply to economic factors such as interest rates, inflation, demand for products and services, exchange rate changes etc.

Examples where external financial conditions can affect:
1. The interest rate situation can affect the cost of financing IT security solutions that run over a long period of time, making them more or less cost effective.
2. The general demand for the type of products or services you provide may rise, and this will mean that additional resources need to be invested in information security.

Slide 58
EXAMPLES OF EXTERNAL PREREQUISITES

External prerequisite | Type of impact (example)
• Political prerequisites | In politically controlled organisations, it is important to include these conditions in the analysis as they can affect your information security and its design. Political conditions can also result in legal requirements, which are taken care of in the legal part of the analysis.

Slide 59
EXAMPLES OF EXTERNAL PREREQUISITES

External prerequisite | Type of impact (example)
• Environmental prerequisites | Environmental conditions are climate, weather, wind, ecology and sustainability issues that can affect your information security and its design.

Examples where environmental conditions can affect:
1. If extreme weather is expected, this can affect the possibility of data communication if wires fall.
2. The climate can affect where it is safest and most economical to place a hall for IT operations.
3. Fire, flood and earthquake are other examples of environmental conditions.

Slide 60
EXTERNAL PREREQUISITES

Slide 61
IDENTIFY AND ANALYSE THE WORLD AROUND US
• Legal requirements refer to requirements related to information security posed in different types of provisions, such as laws, regulations, official regulations and local municipal regulations.
• Certain legal requirements apply to all operations, national or global, while other requirements are limited to a certain industry or type of organisation.
• These requirements can be broadly divided into two categories:
  • requirements on how the information security work must be designed
  • requirements on how the protection for certain types of information should be designed.
• The analysis identifies essential legal requirements so that these can be considered in the design of information security in the organisation.

Slide 62
DIFFERENT REQUIREMENTS FOR DIFFERENT ORGANISATIONS
• Which legal requirements apply to your organisation will depend on, among other things:
  • type of organisation (e.g. private, public)
  • industry (e.g. water, ISP)
  • what information the organisation manages (financial information, trade secrets, security, proprietary information, personal information).

Slide 63
WORK WITH LEGAL EXPERTISE

• The development of the legal requirements that directly or indirectly affect the information is very fast.
• Identify the applicable legal requirements relating to information security together with legal expertise.

Slide 64
WORK WITH LEGAL EXPERTISE

• Establish a list of regulations and laws that apply to your organisation and that directly or indirectly put demands on information security.

Slide 65
COMPLIANCE WITH LEGAL REQUIREMENTS?
• Analyse how you will implement these requirements at an overall level.
• This discussion involves, for example, different types of security controls, or how the requirements will affect how information security is managed and organised in your organisation.
• Since some legal requirements are relatively general, while others are more specific and quite narrow, it is not always directly expressed in the legal text what needs to be done.
• Therefore, the legal requirements must be discussed and interpreted. Doing this analysis well requires expertise in the organisation, information security and law.

Slide 66
PROCEDURES

1. Use the tool
  • Open the Excel template "Analyse environment", then use tab 3 "Legal requirements".
2. Identify the legal requirements for the organisation
  • Identify all applicable legal requirements which directly or indirectly require information security.
  • Switch perspectives between the legal requirements that apply across Europe, nationally, in your own branch, and to the categories of information handled.

Slide 67
PROCEDURES

• Document the following in the tool
  • ID: Give each requirement a unique identifier (abbreviated ID), so that you can easily get back to it later.
  • Constitution/law: Enter the law, and any specific section of the law (paragraph, article, section) that you have identified.
  • Type of requirement: Select from the menu whether the requirement is such that it requires immediate security controls or whether it requires information security in general.
  • Requirement (text/summary): State the legal requirement by citing the statute. For reasons of space, it can be more practical to formulate a summary of the requirement.

Slide 68
LEGAL REQUIREMENTS

Slide 69
IDENTIFY AND ANALYSE THE WORLD AROUND US
• Initially, it is important not to get stuck too long in the analyses.
• As a start of the work, these analyses of the different parts of the environment can be carried out relatively quickly and at an overall level.
• They are still the basis for further work.
• Therefore, return to the analysis results, update them with new information and fill in more details if needed.

Slide 70
SUMMARY
• Environment analysis
  • Important to take it step by step
  • Start building from the beginning - everything will not be ready right away
• The steps of the method - Analyse environment
  1. External stakeholders
  2. External prerequisites
  3. Legal requirements

Slide 71
A MANAGEMENT SYSTEM (ISMS) - A CONTINUOUS IMPROVEMENT PROCESS

(Figure: the Plan – Do – Check – Act cycle)

Slide 72