Information Security Management Systems


"A company is only as strong as the rules it's built on."

Every organisation needs rules and procedures to maintain its security. What should the company do in case of an attack? Who should be informed first? What is the next step? An ISMS is where those answers are written down before they are needed.

An information security management system (ISMS) is the set of policies, procedures, roles and controls that an organisation uses to establish, operate, monitor and continually improve the security of its information. It is the reference the organisation works from when handling security risks and incidents, so it needs to contain the details required to keep data, networks and systems secure: who is responsible for what, which risks have been accepted, which controls are in place, and how incidents are handled.

Information security management (ISM) has a very broad scope; it covers essentially every aspect of making security happen in an organisation. An ISMS is usually run by a Chief Information Security Officer (CISO), who is responsible for creating and implementing it, although ISO/IEC 27001 places the ultimate accountability with top management.

The key phases of ISM, which correspond to clauses 5 to 10 of ISO/IEC 27001, are

  • Leadership – Top management defines the security policy, allocates roles and responsibilities, and sets the risk acceptance criteria, i.e. the threshold of risk the organisation is willing to accept. In most organisations the CISO leads this work; where there is no CISO, the responsibility stays with top management, typically the CEO.
  • Planning – In this phase the organisation defines its risk assessment and risk treatment methodology, documents how it plans to handle the identified risks, and sets measurable information security objectives.
  • Support – Resources must be properly allocated for maintaining security, staff must be competent and aware of the security rules that apply to them, and the organisation must communicate those rules. Documentation is a key aspect of any process, so all key aspects of the ISMS must be documented and kept under control.
  • Operation – This involves planning and controlling day-to-day operations, performing risk assessments at planned intervals and whenever significant changes occur, and carrying out risk treatment, i.e. implementing the measures that reduce risk in accordance with the established plan.
  • Performance evaluation – Risks, vulnerabilities and the effectiveness of controls should be continuously monitored and measured. Internal audits should be carried out periodically and management should review the ISMS; external audits by a certification body add an independent view of the shortcomings of the infrastructure.
  • Improvement – Every nonconformity and weakness found needs to be corrected as early as possible, with the root cause addressed, so as to keep the company and its data safe from threats and attacks and to continually improve the ISMS.

Standards for ISMS

The ISO/IEC 27000 series is the ISMS family of standards, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The series is broad in scope: beyond the core requirements for protecting the confidentiality, integrity and availability of information (the CIA triad), it includes sector- and topic-specific guidance, for example ISO/IEC 27017 for cloud services and ISO/IEC 27035 for incident management. It is applicable to organisations of all shapes and sizes and guides them in building a better security infrastructure and protecting their data and networks.

Most of these standards are guidance standards, which help an organisation set up the security aspects of its operations. A few are requirements standards: a company can meet their requirements and get itself certified by an accredited certification body following a successful audit.

ISO 27000

It contains the vocabulary, definitions and an overview of an ISMS. It explains what an ISMS is, what its components are, and why an organisation should create one.

ISO 27001

This is the requirements standard of the series, the one against which an organisation can be certified. A company can choose to get itself certified by undergoing an external audit by an accredited certification body such as Certification Europe; accreditation bodies such as the United Kingdom Accreditation Service (UKAS) assess those certification bodies rather than certifying companies directly.

ISO 27002

This standard describes the security controls that an organisation might choose to implement and gives guidance on how to apply them. In the 2013 edition the controls are grouped into the following domains (the 2022 revision regroups them into organisational, people, physical and technological themes):

  • Information Security Policies
  • Organization of Information Security
  • Human Resource Security
  • Asset Management
  • Access Control
  • Cryptography
  • Physical and Environmental Security
  • Operations Security
  • Communications Security
  • System Acquisition, Development and Maintenance
  • Supplier Relationships
  • Information Security Incident Management
  • Information Security Aspects of Business Continuity Management
  • Compliance

ISO 27003

This standard provides guidance on implementing an ISMS, i.e. on how to meet the requirements of ISO/IEC 27001 in practice.

ISO 27004

It provides guidelines for monitoring, measuring, analysing and evaluating information security performance and the effectiveness of the ISMS, in order to meet the performance evaluation requirements of ISO/IEC 27001.

ISO 27005

This standard deals with information security risk management. It describes the risk management process (establishing the context, identifying, analysing and evaluating risks, treating and accepting them, and communicating and monitoring them over time) but does not mandate a specific risk assessment method; it is up to the organisation to choose a method, identify its risks and decide how to treat them.

ISO 27006

It outlines the requirements to be met by the certification bodies, such as Certification Europe, that audit and certify the ISMSs of other organisations. Accreditation bodies such as the United Kingdom Accreditation Service assess certification bodies against this standard.

ISO 27007

This standard gives guidance on how an audit of an information security management system should be carried out. It is a guide for auditors, whether they are performing internal audits or third-party certification audits.

These are just a few of the standards in the series, mentioned to highlight the importance of an ISMS and the role the standards play in establishing one. An organisation should study these documents carefully and take full advantage of them. It should also consider ISO/IEC 27001 certification as a way of showing its customers how seriously it takes the security of the organisation as a whole.

If you would like to be prepared you can contact us at for a free consultation.
