An information security management system (ISMS) is a comprehensive set of policies and processes that an organization creates and maintains to manage risk to its information assets. The ISMS helps to detect gaps in security controls; at best it prevents security incidents, and at least it limits their impact.
An ISMS generally employs the following three perspectives:
- G – Governance perspective
  - IT and information security objectives derived from overarching company objectives (e.g., supported by or derived from COSO or COBIT)
  - Refers to the control aspects of the ISMS
- R – Risk perspective
  - Protection requirements and risk exposure of company assets and IT systems
  - Company’s attitude towards risk
  - Opportunities vs. risks
  - Serves as a basis for transparent decision-making and prioritization of technical and organizational measures
- C – Compliance perspective
  - External regulations laid out by laws, regulators, and standards
  - Internal regulations and guidelines
  - Contractual obligations
14 Components of an Organization’s ISMS:
- Context of the Organization – determining the scope of the management system accurately, and analyzing the requirements and the situation of the organization and its stakeholders.
- Leadership and Commitment – A successful ISMS is implemented “top down” and establishes a connection between business objectives and information security by taking stakeholders’ requirements into account, and by using effective measures to reduce risk to the operational business processes to an acceptable level.
- IS Objectives – protecting and maintaining confidentiality, integrity, and availability of the respective business processes and the information.
- IS Policy – a policy that documents the organization’s strategic decision to implement an ISMS, informs the target group about the obligation to comply with information security requirements as well as the self-commitment to continuously improve the ISMS.
- Roles, Responsibilities and Competencies – management is required to assign responsibility and authority for the tasks relevant to information security and to communicate to the appropriate individuals accordingly.
- Risk Management – identifying what could happen to the information assets in scope and the potential impact of each such event, so that a decision can be made as to what should be done, and when, in order to prevent harm before it occurs.
- Performance Monitoring & KPIs – assessing the current situation compared to the desired situation as laid out in the provisions and to intervene in a corrective capacity as required.
- Documentation – documents must be created, updated, approved and, if necessary, published according to a defined workflow. The documents must be clearly labeled, e.g., title, date, author, version, storage location, performance and suitability test (QA), and final approval.
- Communication – determining and describing the requirements for external and internal communication, i.e. communication with stakeholders and other organizations and communication within the management system and within the organization.
- Competence and Awareness – creating a robust and balanced level of risk awareness within a company is an essential component of a functional ISMS. It generates value for the organization by identifying threats at an early stage, preventing security incidents, and avoiding the effort that would otherwise be required to deal with those threats once they materialized.
- Supplier Relationships – the term ‘supplier’ covers a broad range of business relationships with external companies and partners; this component covers creating guidelines for suppliers and agreeing on contractual provisions with them.
- Internal Audit – ensures that every business process covered by the ISMS is audited at least once every three years, both for conformity with the applicable provisions and guidelines on information security and for conformity with the ISMS itself.
- Incident Management – handling security incidents and learning from them: rethinking activities and strategies, removing or replacing ineffective measures, updating existing (security) concepts, or implementing new (security) solutions is where the greatest benefit is gained.
- Continuous Improvement – organizations need to analyze existing best practices and always adapt them to their own needs.
A detailed description of these components will be covered in our Courses & Learning Kits…