Information Security Management Systems (ISMS)
What is ISO 27001:2013, and what is a management system based on this standard?
ISO 27001:2013 is an internationally agreed set of best practices for ensuring adequate controls that address the confidentiality, integrity, and availability of information pertaining to customers, employees, business partners, regulators, and society at large.
Who can use ISO 27001:2013?
Any company for which the security of its information is critical, or for which at least one stakeholder requires it to demonstrate how securely that information is handled, managed, and distributed.
Why is an ISMS based on ISO 27001:2013 important?
The design and implementation of an organization’s ISMS are influenced by the needs and objectives of the organization, its security requirements, the business processes employed, and the size and structure of the organization. The design and operation of an ISMS need to reflect the interests and information security requirements of all of the organization’s stakeholders, including customers, suppliers, business partners, shareholders, and other relevant third parties.
In an interconnected world, information and the related processes, systems, and networks constitute critical business assets. Organizations and their information systems and networks face security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire, and flood. Damage to information systems and networks caused by malicious code, computer hacking, and denial of service attacks has become more common, more ambitious, and increasingly sophisticated.
An ISMS is equally important regardless of whether you are in the public or private sector. The interconnection of public and private networks and the sharing of information assets increase the difficulty of controlling access to and handling of information. When organizations adopt the ISMS family of standards, they can demonstrate to business partners and other interested parties that they apply consistent, mutually recognizable information security principles.
Information security is often thought of as a technical solution; however, the information security that can be achieved through technical means alone is limited and can be ineffective without the support of top management and without policies and procedures in place. Retrofitting security into a functionally complete information system can be difficult and costly. As an example, access controls, which can be technical (logical), physical, administrative (managerial), or a combination of these, provide a means to ensure that access to information assets is authorized or restricted according to business requirements.
The successful development and implementation of an ISMS are important for the protection of information assets, in order for an organization to:
a) be assured of being adequately protected against threats to its information assets on a continual basis;
b) identify and assess information security risks, select and apply suitable controls, and monitor and improve their effectiveness;
c) continually improve its control environment; and
d) effectively achieve legal and regulatory compliance.
Critical factors for the successful implementation of an ISMS
Many factors contribute to the successful implementation of an ISMS that allows an organization to meet its business objectives. These include the following:
a) information security ‘policy and objectives’ are aligned with business objectives;
b) organizational culture is taken into account while developing and implementing the ISMS;
c) visible top management commitment and, as a result, support from all levels of management;
d) an understanding of information protection requirements;
e) an effective awareness and training program;
f) an effective process for reporting and investigating any information security-related incident;
g) an effective business continuity management approach; and
h) an effective monitoring, measurement, analysis, and evaluation process.