Information Security Management System - ISMS
"Information is an ASSET which, like other important business assets, has VALUE to an organization and consequently needs to be SUITABLY protected."
"An Information Security Management System is that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security."
An ISMS always follows the Plan-Do-Check-Act (PDCA) methodology:
- The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
- The Do phase involves implementing and operating the controls.
- The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
- In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.
An information security management system (ISMS) is a set of policies and procedures for systematically managing an organization's sensitive data. The goal of an ISMS is to minimize risk and ensure business continuity by pro-actively limiting the impact of a security breach.
An ISMS typically addresses employee behavior and processes as well as data and technology. It can be targeted towards a particular type of data, such as customer data, or it can be implemented in a comprehensive way that becomes part of the company's culture.
ISO 27001 is a specification for creating an ISMS. It does not mandate specific actions, but includes requirements for documentation, internal audits, continual improvement, and corrective and preventive action. Key characteristics of the standard:
- Adopts the PDCA (PLAN – DO – CHECK – ACT) model
- Adopts a process approach: identify activities, manage them, and ensure they function effectively
- Stresses continual process improvement
- Scope covers information security, not only IT security
- Focuses on people, process and technology
- Builds resistance to intentional acts designed to cause harm or damage to the organization
- Combines management controls, operational controls and technical controls
- Forms part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
- Provides an independent framework that takes account of all legal and regulatory requirements
Benefits of certification:
- Gives the ability to demonstrate and independently assure the internal controls of a company (corporate governance)
- Proves senior management commitment to the security of business information and customer information
- Helps provide a competitive edge to the company
- Formalizes, and independently verifies, Information Security processes, procedures and documentation
- Independently verifies that risks to the company are properly identified and managed
- Helps to identify and meet contractual and regulatory requirements
- Demonstrates to customers that security of their information is taken seriously
ISO 27001 ISMS design tips for your organization
ISO 27001 has become a standard to establish and maintain information security systems in enterprises. In this context, the thing to remember is that ISO 27001 is an open standard which lays down broad building blocks for establishing a management system. As a result, ISO 27001 information security management system (ISMS) guidelines leave it to the organization to decide how to shape it as per the organization's requirements.
Risk assessment framework
Once the organization obtains management buy-in and defines the scope of an ISO 27001 ISMS, the biggest challenge is to develop a risk assessment methodology addressing its business and environment. The ISO 27001 standard doesn't prescribe the methodology, and leaves the designers (of the program or framework) with a lot of questions. An ISO 27001 ISMS designer should have a good understanding of the different kinds of risk assessment methodologies. A lot of designers with an engineering background use the failure mode effect analysis (FMEA) method, while others use software pushed by vendors. What you need to keep in mind is that what worked for Company X may not necessarily work for you. Also remember that you are dealing with information, hence you must think of scenarios which may affect the information's confidentiality, integrity and availability. It's very important to keep the organization's culture, decision-making style and people in mind while designing the risk assessment process (integral to ISO 27001 ISMS design). This framework will help you to identify the risks to your critical information assets.
Statement of applicability and risk treatment plan
Based on this risk assessment, the organization will need to prepare a statement of applicability and a risk treatment plan. ISO 27001 broadly mentions 11 security domains, 33 control objectives and 133 security controls which can be utilized for this purpose. Before selecting any control, you must undertake a cost-benefit analysis comparing the cost of the control with the value of the information asset it protects. The 11 security domains of ISO 27001 are not mandatory; however, if you choose not to implement a given control, you must state the reasons for its exclusion in your statement of applicability. After this, the next step is ISO 27001 ISMS design.
Once all the controls are selected you must develop an ISO 27001 ISMS implementation program, which involves setting up policies, procedures and guidelines, and deploying security controls to mitigate the identified risks. Many ISO 27001 ISMS designers feel that it's best for the security controls to be centrally managed. This may be true for the technological controls, but a central monitoring team will not be able to do justice to the controls on people and business processes, which are scattered across the organization.
A common mistake made by security personnel when crafting an ISO 27001 ISMS strategy is to try and convince the management that increased security spending means greater security. Organizations often use some sort of metric to justify security spending. This approach may be valid for some technological solutions, but not for business processes and people-related risks.
Review and corrective action
The security team should review whether the implemented security controls provide the desired results as well as address threats and vulnerabilities. If the controls that are part of the ISO 27001 ISMS are not successfully addressing risks, then you must analyze the reasons and take corrective action.
Key challenges of ISMS implementation
One of the basic problems that most organizations face is understanding the requirements of the ISO 27001 standard. Besides, choosing the wrong implementation partner can lead to several problems in the design of the framework for, the approach to, and the actual implementation of an ISO 27001 ISMS.
The cultural change which the implementation of an ISO 27001 ISMS brings with it is also a major issue. Security teams often spend a lot more time managing people-related issues than process, technological or functional issues during the ISO 27001 ISMS implementation.
Many organizations go in for certification immediately after the implementation of an ISO 27001 ISMS. However, when the business returns to normal, the momentum is lost, and the organization starts striking a balance between functionality and security. This often happens due to an impractical solution devised by the team designing the ISO 27001 ISMS. People start disconnecting themselves from the initiative, and look at the situation as 'them against us.' Processes are not followed, and are bypassed. Business reasons are cited, and the exception list starts getting populated. Eventually, these exceptions become the policy, and the entire ISO 27001 initiative is lost in spirit.
Essential ingredients for ISMS implementation success
Today, every organization's business is automated, digitized and online, so data confidentiality, integrity and availability have emerged as key concerns. According to Verizon's 2010 Data Breach Investigations Report, malware and hacking are the top two threats, contributing to 38% and 40% respectively of the data breaches. While there is no 'silver bullet' for systems security, a healthy and continually improving information security management system (ISMS) can go a long way in mitigating risks. For an ISMS to be successful within any organization, three key phases ought to be considered: design, implementation, and maintenance.
Important parameters for ISMS design
The ISMS design phase is extremely crucial as it can make or break the overall implementation. Key considerations while designing the ISMS include:
- Setting business objectives – Security controls must be designed to support the ISMS' business objectives, and an upfront clarification of these, across the business, is vital.
- Identifying information assets (such as electronic documents, hardware, software, paper and people) – Key information assets that support business processes should be prioritized for protection in the ISMS.
- Securing organizational commitment – For an ISMS implementation to be successful, the project's objectives need to be understood and endorsed throughout the organization. Cross-functional organizational participation and management engagement are important.
- Developing an asset-based risk assessment and treatment plan – By prioritizing information assets and correlating them against potential threats, an idea of the perceived risks can be developed during the ISMS design process.
- Considering compliance requirements (legal/statutory/regulatory) and contractual agreements – External factors must be translated into the ISMS implementation's design. Compliance requirements such as SOX (Sarbanes-Oxley) 404, HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry Data Security Standard), GLBA (Gramm-Leach-Bliley Act), and DPA (Data Protection Act) are common these days and could become impossible to assimilate if not factored into the early stages of ISMS design.
- Engaging third parties/partners – Entities involved in business processes need to be advised, monitored and controlled as part of the ISMS design and implementation stages. Too often, security control implementation is delayed because third parties are unaware of their obligations.
Organizations also need to ensure that the efforts and costs involved in designing and implementing information security controls are commensurate with the value of the asset being protected. If not, the risk of ISMS failure increases.
Drawbacks during ISMS implementation
Implementing ISMS is a tougher challenge than design, as it requires organizations to move from theory to practice and (perhaps more importantly) bridge the gap between flexibility and control. Best practices are not always the easiest practices, and organizations often face significant ISMS implementation challenges – for instance, when trying to implement security controls on legacy systems and unsupported platforms.
The question then is how to achieve the business objectives while maintaining business continuity during ISMS implementation. Organizations also need to develop a security exception process that evaluates the residual risk of not implementing a security control and also suggests alternative controls to reduce it to an acceptable level. This can only be done if the risk strategy has been properly assessed in the ISMS design phase.
The most common pitfalls of ISMS implementation can be summarized as follows:
- Lack of management support – Senior management support is of paramount importance for successful ISMS implementation.
- Organizational disengagement – Implementing ISMS is not just an information technology (IT) manager’s job, but the responsibility of the entire organization.
- Non-prioritization of tasks and milestones – Prioritizing tasks is a best practice when undertaking any big project, and ISMS is no different. An organization should focus on the 'low-hanging fruit' to ensure continuous focus and interest in the project, but must also keep the end goal in mind.
- Lack of status checks – It is essential to develop key security metrics and measure them regularly to ensure ongoing improvement.
- Unclear project management tenets – Best practice project management tools will help ensure ISMS project success.
- Disconnect from business processes – Project leads must ensure that the information security controls help, and do not hinder the functioning of the business they are trying to protect.
ISMS governance team
All the hard work done by an organization is meaningless if the ISMS is not maintained. An ISMS governance team can ensure that the potential impact of any change to the business environment, IT infrastructure, or compliance landscape is considered against the organization's security posture. Thus, the ISMS can be reassessed and, if needed, updated to support business goals. Sticking to the basics and following a few simple steps will help an organization streamline its ISMS implementation process.