What is an Information Security Management System ?

An Information Security Management System (ISMS) is a set of policies and procedures for managing organizational confidential data and help to segregate data (Confidential/Restricted/General, etc.) of the organization. ISMS helps to manage security controls and risk across the organization. To maintain the organization’s security triad CIA (Confidentiality, Integrity, Availability) ISMS is essential.

The aim of ISMS is to reduce the risk and ensure the business continuity of the organization.

ISMS Features –

  • Risk Analysis: This standard establishes a security risk analysis process on a periodic basis in the organization, from the beginning, and on a continuous basis. Risk analysis is a management-driven process and simple steps to conduct the risk assessment. The initial step is to identify the risks to business after that analyze risk and evaluate risk as per business requirement and its impact. These will help to reduce the risk to business at optimum level and maintain the business continuity of the business.
  • Top management commitment: Leadership (Clause 5) and Management review (Clause 9.3) are outlined in ISO 27001 standard. Senior management is responsible for a commitment to ISMS as well as the information security of the organization. Leaders are also responsible for the segregation of duties of all employees and systems deployed in the organization. Management needs to conduct awareness training and related activities to aware employees and reduce the known risk which will benefit the organization in future activity and opportunities.
  •  PDCA Cycle: The organization needs to follow the PDCA (Plan-DO-Check-Act) cycle for implementation of ISMS. In the planning phase, organizations should be clear with their security goals and strategy for the implementation of ISMS. In the Do phase, an organization needs to figure out the point of objectives to get achieved. In the check phase, an organization needs to do the actual measurements. In the act phase, if an organization has not achieved the objectives, then the organization needs to work on improving on gaps identified.
  • Resources and competencies: The organization needs to balance both phases; implementation as well as maintenance. After the establishment of ISMS, an organization needs to ensure that responsible personnel is competent enough with the required skills.

Recommendation of ISMS –

ISO 27001 recommends and mandates that all required information should be documented with proper identification and approval from the management. Whenever any change gets implemented in an organization, the relevant documents should be updated accordingly and stakeholders should be informed of the update or changes implemented.

An organization should maintain tracking of performance and implementation so it can be helpful for new enhancement in infrastructure or new processes. Compliance activity with the different departments should be performed periodically that will showcase the organization as to where they stand in the ISMS journey and to achieve the objective/s.

After the compliance activity and internal audit, the organization gets an opportunity to improve in ISMS by way of Gap analysis report. To get the overall picture of ISMS the organization is required to perform internal audits frequently (Once or twice in a year or as per organization policy).

The journey and intent to implement and achieve the ISMS in an organization will increase the trust of its clients.

 

Who can implement these features?

ISO 27001/ISMS is a basic guideline to start the implementation of information security in the organization.  Any organization can implement ISMS that wants to achieve information security. It depends on the nature of business and there are mandatory and discretionary clauses and controls that the organization can implement to achieve ISMS.

 

Reference –

https://whatis.techtarget.com/definition/information-security-management-system-ISMS

https://ostec.blog/en/general/iso-27001/

https://www.itgovernance.co.uk/blog/how-to-write-an-iso-27001-compliant-risk-assessment-procedure#:~:text=An%20information%20security%20risk%20assessment,Identify%20risks

 

Credits:

Mr. Dhananjay Deo

Author,

Trupal Patel

Audit and Compliance department

Varutra Consulting Pvt. Ltd.