1. What is an Information Security Management System (ISMS)?
The information security management system (ISMS) represents the collation of all the interrelated/interacting information security elements of an organisation so as to ensure policies, procedures, and objectives can be created, implemented, communicated, and evaluated to better guarantee an organisation’s overall information security. This system is typically influenced by organisation’s needs, objectives, security requirements, size, and processes. An ISMS includes and lends to effective risk management and mitigation strategies.
An information security management system is a structured and systematic approach to managing company information. It provides businesses with a framework to manage information security and other IT related risks, with wide-ranging controls to keep data secure from diverse security threats.
An ISMS uses a risk management process that comprises organisational structures, people, policies, processes and IT systems. An organisation’s objectives determine ISMS implementation, the size and structure of security requirements, and the procedures employed.
2. Do You Need an Information Security Management System?
A global increase in data breaches has caused heightened information security concerns across all industries. Considering the significant financial and legal damages caused by breaches, all businesses with valuable information (incl. customer data) should consider implementing an information security management system.
Managing information security in essence means managing and mitigating the various threats and vulnerabilities to assets, while at the same time balancing the management effort expended on potential threats and vulnerabilities by gauging the probability of them actually occurring.
Once a threat and/or vulnerability has been identified and assessed as having sufficient impact/likelihood to IT assets, a mitigation plan can be enacted. The mitigation plan chosen largely depends on which of the seven information technology (IT) domains the threat and/or vulnerability resides in. The threat of user apathy toward security policies (the user domain) will require a much different mitigation plan than one used to limit the threat of unauthorised probing and scanning of a network (the LAN-to-WAN domain).
3. Who is Responsible for ISMS in Your Business?
An ISMS is often developed by a team established by IT stakeholders, comprising board members, managers, external specialists, IT staff and others as required. The team is tasked with designing, implementing and maintaining a set of policies that comply with ISO 27001, the international standard for information security management systems. A compliant ISMS should become an integral part of your company’s culture that functions to maintain strong information security across the organisation.
4. ISO 27001 and Information Security Management
ISO 27001 is a category of international standards developed by ISO and International Electrotechnical Commission (IEC). It outlines the criteria that businesses can follow to maintain the security of their information assets. ISO 27001 is designed around the PCDA, Plan – Do – Check – Act model:
- Plan – The ISMS team should define the organisation’s problem and collect data to establish security vulnerabilities.
- Do – The team should develop and implement a solution and establish controls to gauge how effective the solution is.
- Check – Using your control measurement, perform a comparison before you implemented the solution and after.
- Act – Document the results of your solution and make notes of changes to be implemented during the next PCDA cycle.
5. What is Annex A within ISO 27001?
Annex A provides an outline of each control. You should refer back to it when conducting an ISO 27001 gap analysis and risk assessment. These processes help organisations identify the risks they face and the controls they must implement to tackle them. Annex A within ISO 27001 is a section that outlines information security controls that an organisation should consider for applicability and then implement based on the selected treatment options for the risks within the information security risk assessment. Annex A comprises of 14 security domains, 35 control objectives, and 114 security controls. The security domains are:
The 14 control sets of Annex A:
A.5 Information security policies (2 controls): how policies are written and reviewed.
A.6 Organisation of information security (7 controls): the assignment of responsibilities for specific tasks.
A.7 Human resource security (6 controls): ensuring that employees understand their responsibilities prior to employment and once they’ve left or changed roles.
A.8 Asset management (10 controls): identifying information assets and defining appropriate protection responsibilities.
A.9 Access control (14 controls): ensuring that employees can only view information that’s relevant to their job role.
A.10 Cryptography (2 controls): the encryption and key management of sensitive information.
A.11 Physical and environmental security (15 controls): securing the organisation’s premises and equipment.
A.12 Operations security (14 controls): ensuring that information processing facilities are secure.
A.13 Communications security (7 controls): how to protect information in networks.
A.14 System acquisition, development and maintenance (13 controls): ensuring that information security is a central part of the organisation’s systems.
A.15 Supplier relationships (5 controls): the agreements to include in contracts with third parties, and how to measure whether those agreements are being kept.
A.16 Information security incident management (7 controls): how to report disruptions and breaches, and who is responsible for certain activities.
A.17 Information security aspects of business continuity management (4 controls): how to address business disruptions.
A.18 Compliance (8 controls): how to identify the laws and regulations that apply to your organisation.
6. What are the Benefits of Being ISO 27001 Certified?
Some of the ways in which ISO 27001 certification can benefit your organisation:
- Avoid hefty fines. ISO 27001 is the accepted global benchmark for the effective management of information assets. It enables organisations to avoid the costly penalties associated with non-compliance with data protection requirements and the financial losses resulting from data breaches.
- Protect your reputation. Cyber attacks are on the increase in Ireland, and can have a massive impact on your organisation and its reputation. An ISO 27001-certified ISMS (information security management system) helps protect your organisation and keeps you out of the headlines!
- Comply with business, legal, contractual and regulatory requirements. ISO 27001 certification is also in line with rigid regulatory requirements such as the European GDPR (General Data Protection Regulation), and other cyber security laws.
- Improve structure and focus. When an organisation grows rapidly, it does not take long before there is confusion around responsibility for information assets. ISO 27001 helps organisations set up clear information risk responsibilities.
- Reduce the need for frequent audits. ISO 27001 certification is globally accepted and demonstrates effective security, reducing the need for repeat customer audits.
- Independent third party assessments. Provides an independent appraisal of your organisation’s conformity to the best practices recommended by ISMS experts. Provides evidence and assurance that your organisation has complied with international standards.
- IT Security Management Framework. Establishes a complete IT Security Management Framework that enables your team to ensure information security compliance throughout to prevent any risks.