INFORMATION SECURITY MANAGEMENT SYSTEM

WHAT IS AN ISMS?

An ISMS is a systematic approach to managing sensitive company information so that it
remains secure. It covers people, processes and IT systems, and it is driven by a risk
management process. It can help small, medium and large businesses in any sector keep
information assets secure.
• For example, ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually
improving an ISMS. It does not prescribe particular technical measures; the organization selects controls on the
basis of its own risk assessment, and the companion standard ISO 27002 gives implementation guidance for those
controls.
• The framework for an ISMS is usually centred on risk assessment and risk treatment.
• An ISMS typically addresses employee behaviour and processes as well as data and technology. It can be scoped
to a particular type of data, such as customer data, or implemented comprehensively so that it becomes part of
the company's culture.
BENEFITS OF ISMS

An ISMS provides a holistic approach to managing information security within an organization. This offers
numerous benefits, some of which are highlighted below.
• Protects sensitive data. An ISMS protects proprietary information assets whether they're paper-based,
stored digitally or held in the cloud. These assets can include personal data, intellectual property, financial
data, customer data and data entrusted to the company by third parties.

• Supports regulatory compliance. An ISMS gives an organization a structured way to identify and meet its
regulatory and contractual requirements and a clearer view of the legal obligations around its information
systems. Because breaches of those obligations can carry heavy fines, an ISMS is especially valuable in highly
regulated industries and critical infrastructure, such as finance or healthcare.

• Supports business continuity. Treating risks systematically raises the organization's baseline defences and
reduces the number and severity of security incidents, which means fewer disruptions and less downtime. A
certified ISMS is evidence of a managed process, not a guarantee that no incident will occur.

• Reduces costs. An ISMS rests on a risk assessment of all in-scope assets. This lets the organization spend on
the highest-risk assets first instead of buying controls indiscriminately. Focused spending, together with less
downtime from fewer incidents, usually lowers the total cost of security over time.

• Enhances company culture. An ISMS is an organization-wide approach to security and asset management that isn't
limited to the IT department. It encourages all employees to understand the risks tied to information assets and
to adopt security practices as part of their daily routines.

• Adapts to emerging threats. Security threats are constantly evolving. Because an ISMS requires periodic risk
reassessment and continual improvement, it gives the organization a mechanism for adapting to new threats and to
changing business and regulatory demands.
ISMS BEST PRACTICES

ISO 27001, together with ISO 27002, offers best-practice guidance for setting up an ISMS. The following is a
checklist of practices to consider before investing in an ISMS:
• Understand business needs. Before implementing an ISMS, get a bird's-eye view of the business operations, the
tools in use and any existing security management activity, so that business and security requirements are
understood. Also work out how the ISO 27001 framework supports the organization's data-protection obligations
and who will be responsible for running the ISMS.

• Establish an information security policy. Having an information security policy in place before setting up an
ISMS is useful, because the ISMS work will expose the policy's weak points. The policy should give a general
overview of the security controls the organization currently operates and state management's direction.

• Monitor data access. Access control policies must be monitored to ensure only authorized individuals gain access
to sensitive information. The monitoring should record who accessed what data, when and from where. Logins and
authentication events, including failures, should also be logged and retained so that they can be investigated
later; a log that is never reviewed is not a control.
• Conduct security awareness training. All employees should receive regular security awareness training. The
training should cover the evolving threat landscape, the common ways information systems are compromised, and the
mitigation and prevention techniques that protect data.
• Secure devices. Protect all organizational devices from physical damage, tampering and compromise through
hardening, patching and physical controls. The endpoint-management features bundled with platforms such as Google
Workspace and Office 365 (for example, enforcing screen locks, disk encryption and remote wipe on enrolled
devices) help, but installing a productivity suite does not by itself secure a device.
• Encrypt data. Encryption protects the confidentiality of data at rest and in transit and, when an authenticated
mode is used, lets tampering be detected. It is not a defence against every threat: it does not stop data from
being deleted, it does nothing against an attacker who holds the keys, and it is only as strong as the key
management around it. Sensitive data should be classified and encrypted as part of the ISMS risk treatment, with
keys managed and rotated under documented control.
• Back up data. Backups play a key role in preventing data loss and should be part of the security policy before
the ISMS is set up. Besides regular backups, the location and frequency of backups should be planned, restores
should be tested, and the backups themselves must be secured, whether on-premises or in the cloud, since a backup
an attacker can reach is another copy of the data to protect.
• Conduct an internal security audit. An internal security audit should be conducted before implementing an ISMS.
Internal audits give organizations visibility over their security systems, software and devices, and they identify
and fix gaps before the ISMS is in place.
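The "Encrypt data" point above, that encryption protects confidentiality and (with an authenticated mode) detects tampering but cannot stop deletion, as an added worked example in Go. This is illustrative code written for this page, not code from the ISO standards or from any product; the sample record, the classification label carried as associated data, and the in-memory key generation are constructed assumptions, and a real deployment would take the key from a KMS or HSM under the ISMS's key-management control.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed confidential record (hypothetical data).
const sampleRecord = `{"customer":"A. Example","card_last4":"4242","balance":"1200.00"}`

// newDataKey generates a fresh 256-bit key. In production the key comes from,
// and is rotated by, a KMS or HSM; the ISMS control is the key-management
// process around this call, not the call itself.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad is authenticated but not encrypted; here it carries the record's
// classification label, so swapping the label is detected as tampering.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal. A wrong key, a modified byte anywhere in the blob or a
// different aad fails the GCM tag check and returns an error, never garbage.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short or missing")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// Outcome records what the control did and did not achieve.
type Outcome struct {
	RoundTripOK        bool // honest decryption returns the original record
	TamperDetected     bool // one flipped ciphertext bit is rejected
	LabelSwapDetected  bool // changing the bound classification label is rejected
	TruncationDetected bool // a deleted or cut-down blob is rejected, but the data is still gone
}

// demo seals the sample record and exercises each failure case with the given key.
func demo(key []byte) (Outcome, error) {
	var o Outcome
	aad := []byte("classification=confidential")
	blob, err := seal(key, []byte(sampleRecord), aad)
	if err != nil {
		return o, err
	}
	pt, err := open(key, blob, aad)
	o.RoundTripOK = err == nil && string(pt) == sampleRecord

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-20] ^= 0x01 // flip one bit inside the ciphertext body
	_, err = open(key, tampered, aad)
	o.TamperDetected = err != nil

	_, err = open(key, blob, []byte("classification=public"))
	o.LabelSwapDetected = err != nil

	// Availability is a separate control: decryption only tells you the data is
	// unusable; backups and access control are what prevent or undo the loss.
	_, err = open(key, blob[:8], aad)
	o.TruncationDetected = err != nil
	return o, nil
}

func main() {
	key, err := newDataKey()
	if err != nil {
		panic(err)
	}
	o, err := demo(key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Running it prints all four outcome flags as true. The three detected cases are all the same failure from GCM's point of view (the tag does not verify), which is the point: authenticated encryption turns silent corruption into a loud error, but the record is still unusable afterwards, so integrity detection is no substitute for the backup and access-control practices listed above.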
IMPLEMENTING ISMS

There are various ways to set up an ISMS. Most organizations follow a plan-do-check-act cycle and use the ISO
27001 international standard, which sets out the requirements for an ISMS, as the reference.
The following steps illustrate how an ISMS should be implemented:
1. Define the scope and objectives. Determine which assets need protection and the reasons for protecting them.
Take into account what clients, stakeholders and trustees want protected. Management should also define clear
objectives and state the areas of application and the limitations of the ISMS.
2. Identify assets. Identify the assets that are going to be protected. This can be achieved by creating an inventory
of business-critical assets, including hardware, software, services, information, databases and physical locations,
using a business process map.
3. Recognize the risks. Once the assets are identified, analyse and score the risks to them, taking into account legal
requirements and compliance guidelines. Weigh the effect of each identified risk: for example, ask how much impact a
breach of the confidentiality, integrity or availability of the asset would cause, and how likely such a breach is.
The end goal is a conclusion on which risks are acceptable and which must be treated because of the potential harm
involved.
4. Identify mitigation measures. An effective ISMS not only identifies risks but also selects measures to treat them.
The treatment plan should state clearly how each unacceptable risk is to be avoided, reduced, transferred or accepted.
For example, a company trying to avoid the risk of losing a laptop holding sensitive customer data should prevent that
data from being stored on the laptop in the first place; the mitigation is a policy that does not permit employees to
store customer data on their laptops, backed by a technical control that enforces it.
5. Make improvements. All the previous measures should be monitored, audited and checked repeatedly for effectiveness.
If monitoring reveals deficiencies or new risk factors, return to the affected step (usually the risk assessment) and
rework from there rather than starting from scratch. This lets the ISMS adapt to changing conditions and keeps the
treatment of information security risks effective.
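Steps 2 to 5 above, as an added worked example: a small risk register in Go that scores each scenario on likelihood times the worst affected CIA impact, compares the score with a risk appetite, applies the planned treatment and flags anything still above appetite for re-assessment. This is illustrative code written for this page, not a method prescribed by ISO 27001, which leaves the scoring scale to the organization; the assets, scenarios, scores and treatments are constructed, and the 1..5 scales and the appetite of 8 are assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// Asset is one inventory entry (step 2); Impact is the 1..5 consequence of losing its C, I and A.
type Asset struct {
	Name, Owner string
	Impact      [3]int
}

// Scenario is one identified risk (step 3): a threat to an asset, its estimated likelihood (1..5) and what it hits.
type Scenario struct {
	Asset, Threat string
	Likelihood    int
	Hits          [3]bool // which of C, I, A the threat would compromise
}

// Treatment is a planned control (step 4) with the analyst's estimate of what remains once it operates.
type Treatment struct {
	Control                            string
	ResidualLikelihood, ResidualImpact int
}

type Decision struct {
	Threat, Action     string // Action is "accept", "treat" or "treat-then-review"
	Inherent, Residual int
}

// worstImpact scores a scenario on the highest impact among the properties it hits.
func worstImpact(a Asset, s Scenario) int {
	worst := 0
	for i, hit := range s.Hits {
		if hit && a.Impact[i] > worst {
			worst = a.Impact[i]
		}
	}
	return worst
}

// assess builds the register. appetite is the highest likelihood x impact score management
// accepts untreated. A scenario above appetite must have a treatment; if its residual score
// is still above appetite it is flagged for re-assessment (step 5) rather than silently
// accepted. An unknown asset or an untreated above-appetite risk is an error, not a warning.
func assess(assets []Asset, scenarios []Scenario, plans map[string]Treatment, appetite int) ([]Decision, error) {
	byName := make(map[string]Asset, len(assets))
	for _, a := range assets {
		byName[a.Name] = a
	}
	var out []Decision
	for _, s := range scenarios {
		a, ok := byName[s.Asset]
		if !ok {
			return nil, fmt.Errorf("scenario %q refers to unknown asset %q", s.Threat, s.Asset)
		}
		inherent := s.Likelihood * worstImpact(a, s)
		d := Decision{Threat: s.Threat, Inherent: inherent, Residual: inherent, Action: "accept"}
		if inherent > appetite {
			t, ok := plans[s.Threat]
			if !ok {
				return nil, fmt.Errorf("risk %q scores %d, above appetite %d, but has no treatment", s.Threat, inherent, appetite)
			}
			d.Residual, d.Action = t.ResidualLikelihood*t.ResidualImpact, "treat"
			if d.Residual > appetite {
				d.Action = "treat-then-review"
			}
		}
		out = append(out, d)
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Inherent > out[j].Inherent }) // spend on the worst first
	return out, nil
}

// sampleRegister returns a constructed inventory, scenarios and treatments, including the lost-laptop case from the text.
func sampleRegister() ([]Asset, []Scenario, map[string]Treatment) {
	assets := []Asset{
		{"customer-db", "head of sales", [3]int{5, 5, 4}},
		{"sales-laptop", "field sales", [3]int{4, 2, 2}}, // holds exported customer data today
		{"intranet-wiki", "IT", [3]int{2, 2, 1}},
	}
	scenarios := []Scenario{
		{"sales-laptop", "laptop-lost", 4, [3]bool{true, false, false}},
		{"customer-db", "db-sqli", 3, [3]bool{true, true, false}},
		{"customer-db", "db-ransomware", 2, [3]bool{false, true, true}},
		{"intranet-wiki", "wiki-outage", 3, [3]bool{false, false, true}},
	}
	plans := map[string]Treatment{
		"laptop-lost":   {"policy: no customer data on laptops, full-disk encryption enforced by MDM", 4, 1},
		"db-sqli":       {"parameterised queries, code review, WAF in front of the app", 2, 5},
		"db-ransomware": {"immutable offline backups, restore tested quarterly", 2, 3},
	}
	return assets, scenarios, plans
}

func main() {
	assets, scenarios, plans := sampleRegister()
	register, err := assess(assets, scenarios, plans, 8)
	fmt.Printf("%+v\nerr=%v\n", register, err)
}
```

With the constructed values the register comes out ordered laptop-lost (16, treated down to 4), db-sqli (15, residual 10 and therefore flagged treat-then-review), db-ransomware (10, residual 6) and wiki-outage (3, accepted). The lost-laptop treatment is the one from the text: the policy removes the data from the device, so the likelihood of losing a laptop is unchanged but the impact collapses. The two error paths are deliberate: a register with a dangling asset reference or an untreated high risk should not be signed off, so the function refuses to produce one.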
The most common way to structure this implementation cycle is the Plan-Do-Check-Act process described in the next
section.

A certified ISMS, independently audited by an accredited certification body, can give customers and potential
clients reassurance that the organization has taken the necessary steps to protect their personal and confidential
data from a range of identified risks.
PLAN-DO-CHECK-ACT
ISMS implementation is commonly run as a Plan-Do-Check-Act (PDCA) cycle of continual improvement. The original
edition of ISO 27001 built this model into the standard; later editions no longer mandate it, but the cycle remains
the usual way of operating an ISMS:
• Plan. Identify the problems and collect the information needed to evaluate security risk. Define the policies and
processes that address the root causes. Develop methods to establish continual improvement in information security
management capabilities.
• Do. Implement the devised security policies and procedures. The implementation follows the standard's requirements,
but the actual implementation is based on the resources available to your company.
• Check. Monitor and measure the effectiveness of ISMS policies and controls. Evaluate tangible outcomes as well as
the behavioural aspects associated with the ISM processes.
• Act. Focus on continual improvement. Document the results, share knowledge, and feed the findings back into the
next iteration of the PDCA cycle for ISMS policies and controls.
WHAT SHOULD AN ISMS FRAMEWORK ADDRESS

ITIL suggests that your ISMS should address what it calls "The Four P's": people, process, products (technology),
and partners (suppliers). Many global IT organizations seek certification of their ISMS, which is done against
ISO 27001. Typically, an ISMS framework addresses five key elements:
• Control: You should establish a management framework for managing information security, preparing and
implementing an Information Security Policy, allocating responsibilities, and establishing and controlling
documentation.
• Plan: In the planning phase of the framework, you will be responsible for gathering and fully understanding the
security requirements of the organization — then recommending the appropriate measures to take based on budget,
corporate culture around security, and other factors.
• Implement: Next, you’ll put the plan into action, making sure that you have the proper safeguards in place to properly
enact and enforce your Information Security Policy in the process.
• Evaluate: Once your policies and plans are in place, you need to properly oversee them to ensure that your systems are
truly secure and your processes are running in compliance with your policies, SLAs, and other security requirements.
• Maintain: Finally, an effective ISMS means you are continuously improving the entire process — looking for
opportunities to revise SLAs, security agreements, the way you monitor and control them, and more.
ISMS SECURITY CONTROLS

ISMS security controls span multiple domains of information security, as listed in Annex A of ISO 27001 and
expanded in ISO 27002. The domain names below follow the older editions of the standard; the 2022 edition regroups
the same controls into four themes (organizational, people, physical and technological). The catalog contains
practical guidelines with the following objectives:
• Information security policies. Management direction and support for information security, expressed in a
security policy that is unique to your company and revised as business and security needs change.
• Organization of information security. The internal organization of security: roles and responsibilities,
segregation of duties, contact with authorities and special-interest groups, security in project management, and
the rules for mobile devices and teleworking.
• Asset management. Inventory and ownership of organizational assets within and beyond the corporate IT network,
their classification, and the handling of media and information, including the exchange of sensitive business
information.
• Human resource security. Policies and controls pertaining to your personnel before, during and after
employment, including measures to reduce risk from insider threats and workforce training to reduce unintentional
security lapses.
• Physical and environmental security. Measures to protect physical IT hardware and facilities from damage, loss
or unauthorized access. Even where sensitive information is kept in off-premises cloud services, the security of
the physical devices used to access that information must be considered.
• Communications and operations management. Systems must be operated and maintained in accordance with
security policies and controls. Daily IT operations, such as service provisioning, change management, malware
protection, backups and logging, should follow IT security policies and ISMS controls.
• Access control. Limiting access to authorized personnel and monitoring the use of access rights. Access
permissions apply to both digital and physical resources. Roles and responsibilities should be well defined, with
access to business information granted only when necessary and reviewed regularly.
• Information system acquisition, development, and maintenance. Security requirements and practices should be
maintained across the entire lifecycle of the IT system, including the phases of acquisition, development, testing
and maintenance.
• Information security incident management. Report, assess and respond to security events and weaknesses in a
way that limits damage, preserves evidence and feeds lessons learned back into the ISMS. In complex environments,
tooling may be needed to collect incident metrics and detect problems before they escalate.
• Business continuity management. Avoid interruptions to business processes whenever possible, and plan,
implement and test recovery procedures so that any disaster is followed promptly by recovery with minimal damage.
• Compliance. Identify and meet legal, statutory, regulatory and contractual requirements, and have the ISMS
independently reviewed.
• Cryptography. Among the most important and effective controls for protecting sensitive information, but not a
silver bullet on its own. The ISMS therefore governs how cryptographic controls and keys are selected, enforced
and managed.
• Supplier relationships. Third-party vendors and business partners may require access to the network and to
sensitive customer data. It may not be possible to enforce your own security controls on every supplier, so the
risks must be mitigated through security requirements in contracts, monitoring of supplier services and limits on
what suppliers can access.
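The "Monitor data access" practice and the access-control domain above both come down to reviewing access and authentication records. As an added example, not code from the page or from any product, here is a small Go detector that parses constructed log lines in a key=value format invented for this example and raises three kinds of finding: a successful login preceded by a burst of failures, any successful access from outside the trusted address ranges, and out-of-hours access to a resource classified as sensitive. The trusted ranges, the sensitive-resource list, the failure threshold and window, and the working hours are all assumptions that a real deployment would take from its own policy.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
	"time"
)

// sampleLog is a constructed access log in a key=value format invented for this
// example; real auth or audit logs carry the same fields under other names.
const sampleLog = `
2024-03-04T09:05:40Z user=asmith action=read result=success src=10.1.4.22 resource=customer-db
2024-03-04T22:40:01Z user=jdoe action=login result=failure src=203.0.113.7 resource=vpn
2024-03-04T22:40:09Z user=jdoe action=login result=failure src=203.0.113.7 resource=vpn
2024-03-04T22:40:17Z user=jdoe action=login result=failure src=203.0.113.7 resource=vpn
2024-03-04T22:40:30Z user=jdoe action=login result=success src=203.0.113.7 resource=vpn
2024-03-04T22:41:05Z user=jdoe action=read result=success src=203.0.113.7 resource=customer-db
`

// Policy values. All are assumptions for this example, not figures from any standard.
var (
	trustedNets        = []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8"), netip.MustParsePrefix("198.51.100.0/24")}
	sensitive          = map[string]bool{"customer-db": true} // resources whose every access is reviewed
	failThreshold      = 3                                    // failed logins that make the next success suspicious
	failWindow         = 5 * time.Minute                      // how far back those failures count
	workStart, workEnd = 8, 18                                // working hours, UTC, [start, end)
)

// Event is one parsed record: who did what, to which resource, when, from where.
type Event struct {
	Time                           time.Time
	User, Action, Result, Resource string
	Src                            netip.Addr
}

type Finding struct{ Rule, User, Detail string }

// parseLog parses every non-empty line. A malformed line is an error, not a skip: dropped records are how gaps begin.
func parseLog(text string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, err
		}
		e, src := Event{Time: ts}, ""
		dst := map[string]*string{"user": &e.User, "action": &e.Action, "result": &e.Result, "resource": &e.Resource, "src": &src}
		for _, kv := range fields[1:] {
			k, v, _ := strings.Cut(kv, "=")
			p := dst[k]
			if p == nil {
				return nil, fmt.Errorf("unexpected field %q in %q", kv, line)
			}
			*p = v
		}
		if e.Src, err = netip.ParseAddr(src); err != nil || e.User == "" {
			return nil, fmt.Errorf("bad user or src in %q", line)
		}
		events = append(events, e)
	}
	return events, nil
}

// detect applies the three rules to events that are already in time order.
func detect(events []Event) []Finding {
	var out []Finding
	failures := map[string][]time.Time{} // failed logins per user, oldest first
	for _, e := range events {
		if e.Result != "success" {
			if e.Action == "login" {
				failures[e.User] = append(failures[e.User], e.Time)
			}
			continue
		}
		where := fmt.Sprintf("%s %s from %s at %s", e.Action, e.Resource, e.Src, e.Time.Format(time.RFC3339))
		inside := false
		for _, p := range trustedNets {
			inside = inside || p.Contains(e.Src)
		}
		if !inside {
			out = append(out, Finding{"untrusted-source", e.User, where})
		}
		if e.Action == "login" {
			if n := len(failures[e.User]); n >= failThreshold && e.Time.Sub(failures[e.User][n-failThreshold]) <= failWindow {
				out = append(out, Finding{"brute-force-success", e.User, fmt.Sprintf("%d failed logins, then %s", n, where)})
			}
			delete(failures, e.User) // a success closes the burst
		}
		if h := e.Time.UTC().Hour(); sensitive[e.Resource] && (h < workStart || h >= workEnd) {
			out = append(out, Finding{"off-hours-sensitive", e.User, where})
		}
	}
	return out
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range detect(events) {
		fmt.Printf("%-20s %-7s %s\n", f.Rule, f.User, f.Detail)
	}
}
```

On the constructed log the detector produces four findings, all for jdoe: the login at 22:40:30 is flagged both as coming from an untrusted address and as succeeding after three failures inside the window, and the customer-db read a minute later is flagged as untrusted and out of hours. asmith's in-hours read of the same sensitive resource from a trusted range produces nothing, which is the negative case any detection rule needs before it goes into production. The parser refuses malformed lines rather than skipping them; a monitoring pipeline that quietly drops records it cannot parse is exactly the kind of gap an internal audit is meant to find.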
ADVANTAGES OF ISMS CERTIFICATION

Certification of an ISMS brings several advantages:

• Provides a structured way of managing information security within the organization.
• Provides an independent assessment of the organization's conformity, within the certified scope, to practices
agreed upon by a community of experts for ISMS.
• Provides evidence and assurance that the organization has complied with the standard's requirements.
• Enhances information security governance within the organization.
• Enhances the organization's global positioning and reputation.
• Raises the level of information security in the organization.