Implementing an ISMS in accordance with ISO/IEC 27001:2013

iso27001 Blog
Share on facebook
Share on twitter
Share on linkedin
Share on pinterest

An information security management system (ISMS) is a comprehensive set of policies and processes that an organi­zation creates and maintains to manage risk to information assets. The ISMS helps to detect security control gaps and at best prevents security incidents or at least minimizes their impact.

An ISMS generally employs the following three perspectives:

  • G – Governance perspective
  • IT and information security objectives derived from overarching company objectives (e.g., supported by/ derived from COSO or COBIT)
  • Refers to the control aspects of the ISMS
  • R – Risk perspective
  • Protection requirements and risk exposure of company assets and IT systems
  • Company’s attitude towards risk
  • Opportunities vs. risks
  • Serves as a basis for transpa­rent decision-making and prioritization of technical and organizational measures
  • C – Compliance perspective
  • External regulations laid out by laws, regulators, and standards
  • Internal regulations and guidelines
  • Contractual obligations

14 Components of an Organization’s ISMS:-

  1. Context of the Organization – determining the accurate scope of the management system and the analysis of the requirements and the situation of the organization and its stakeholders.
  • Leadership and Commitment – A successful ISMS is implemented “top down” and establi­shes a connection between business objectives and informa­tion security by taking stakeholders’ requirements into ac­count, and by using effective measures to reduce risk to the operational business processes to an acceptable level.
  • IS Objectives – protecting and maintai­ning confidentiality, integrity, and availability of the respecti­ve business processes and the information.
  • IS Policy – a policy that documents the organization’s strategic decision to imple­ment an ISMS, informs the target group about the obligation to comply with information security requirements as well as the self-commitment to continuously improve the ISMS.
  • Roles, Responsibilities and Competencies – management is required to assign responsibi­lity and authority for the tasks relevant to information secu­rity and to communicate to the appropriate individuals ac­cordingly.
  • Risk Management – allows us to analyze anything that could happen, as well as the potential impact of these occurrences, before making a decision as to what should be done and when  in order to prevent potential harm.
  • Performance Monitoring & KPIs – assessing the current situation compared to the desired situation as laid out in the provisions and to intervene in a corrective capacity as required.
  • Documentation – documents must be created, updated, approved and, if ne­cessary, published according to a defined workflow. The documents must be clearly labeled, e.g., title, date, author, version, storage location, performance and suita­bility test (QA), and final approval.
  • Communication – determining and describing the requirements for external and  internal com­munication, i.e. communication with stakeholders and other organizations and communica­tion within the management system and within the organi­zation.
  1. Competence and Awareness – Creating a robust and balanced level of risk awareness within a company is consequently an essential component of a func­tional ISMS that generates value for an organization by iden­tifying threats at an early stage, preventing security incidents, and eliminating the labor that would have been required to deal with these materialized threats.
  1. Supplier Relationships – the term ‘supplier’ co­vers a broad range of business relationships with external companies and partners, creation of guide­lines and agreeing on contractual provisions with suppliers.
  1. Internal Audit – ensure that all the business processes covered by the ISMS are audited at least once every three years in terms of the applicable provisions and guidelines on information security and in terms of conformity with the ISMS.
  2. Incident Management – rethinking our acti­vities and strategies and removing or replacing ineffective measures, updating existing (security) concepts or implemen­ting new (security) solutions, will gain the greatest benefit.
  1. Continuous Improvement – organizations need to analyze existing best practices and always adapt them to their own needs.

Detailed description of these components will be covered in our Courses & Learning Kits…

Subscribe To Our Newsletter

Get updates and learn from the best

More To Explore

About CYSA
Cyber Security

About CYSA+ Exam

CySA+ certification is a perfect certification for the Security Analysts as this certification covers all areas of the domain.  CySA+ is the most up-to-date security

Cyber Security Job 02
Cyber Security

How to prepare for jobs in Cyber Security – 02

In our last Blog, we discussed the K-S-A concept for Cybersecurity. In this blog, we will continue from our last blog and will discuss the domains of cybersecurity and will relate different positions to these domains.