Are you wondering about how an information security management system or otherwise known as ‘ISMS’ will impact your business? Let’s have a look at this collectively.
ISMS is the primary outcome of ISO 27001 implementation. So, What is ISMS? An ISMS is an organised approach to managing sensitive business information so that it remains secure. It includes people, processes and IT systems by applying a risk management process to prevent and counteract interruptions to business activities. It helps small, medium and large enterprises in any sector to keep information assets secure and protects critical business processes from the effects of information security incidents, disasters and major failures of information systems and ensures the timely resumption of normal operations.
ISO 27001 fundamentally describes how to develop the ISMS. The ISMS represent a set of policies, procedures, and various controls that set the rules of information security in an Enterprise. Based on risk assessment results and the requirements of interested parties, the kind of control for information security will be implemented in an Enterprise. A combination of different types of the controls is required to treat each risk that is identified.
So what are these various controls for each risk? Let’s take an analogy. A salesperson in an organisation leaves the company asset of iPad frequently in his car, thus increases the chances of getting it stolen. In this scenario, what measures you approach to decrease the risk to the information that iPad carries? You may have to apply some controls to protect the information in case if it is stolen. First of all, there would be a procedure that defines that you cannot leave the iPad in the car; also, you can protect the iPad with a password, so if it gets stolen it will be harder for someone to access the information. Also, you encrypt the information on the iPad this is an even higher level of protecting your information. Furthermore, you may ask the salesperson to sign a statement that he is obliged to pay all the damage that can occur if such an incident happens. Above all, you must educate and make the salesperson aware that there are such risks if he leaves the iPad in the car.
It might sound simple to protect the information on iPad, but the problem is when an organisation has hundreds of laptops, dozens of servers, a multitude of databases, many employees, etc. It would be cumbersome and a nightmare to administer related controls and measures with so much sensitive information in many different assets at different locations. With the constant threat of malware and remote hacking incidents, organisations need to be prepared to control the impact of these threats.
Managing complicated security systems
The best way to manage these entire information assets is to set clear security processes and responsibilities, which is called a process approach in ISO management standards in ISO 27001, but also in ISO 9001, ISO 20000, and others.
A process approach is crucial for making this connection between responsibilities and technical controls only if you know who has to do what and when then you arrive foundation for security controls to work.
Hence, what is the summary of the above points? First of all, information security controls are not only technical and tactical IT-related controls. They are a combination of different types of controls such as organisational control, HR control, IT control, etc. For example, documenting a procedure is an organisational control, implementing a software tool to analyse and monitor is an IT control, and training people is a human resources control.
Secondly, without a framework, information security becomes uncontrollable. ISO 27001 gives this framework where you can build up your ISMS, which means developing a set of information security rules, responsibilities, and controls, and then you’ll be able to manage such a complex system.
Finally, an ISMS is all about several security processes tied up together the better these processes are defined, and interrelated, the fewer incidents occur.
Anitech consulting provides consulting services and can assist organisations on how to implement and audit an information security management system in compliance to the specific requirements of ISO/IEC 27001. Contact us for a quote.