Information Security Management Systems (ISMS)
What is ISO 27001:2013, and what is a management system based on this standard?
ISO 27001:2013 is an internationally agreed-upon set of best practices for ensuring adequate controls that address requirements including the confidentiality, integrity, and availability of ‘information’ pertaining to customers, employees, business partners, regulators, and society at large.
Who can use ISO 27001:2013?
Any company for which the security of information is critical, or where at least one of its stakeholders requires it to demonstrate how securely this information is handled, managed, and distributed.
Why is an ISMS based on ISO 27001:2013 important?
The design and implementation of an organization’s ISMS are influenced by the needs and objectives of the organization, the security requirements, the business processes employed, and the size and structure of the organization. The design and operation of an ISMS need to reflect the interests and information security requirements of all of the organization’s stakeholders, including customers, suppliers, business partners, shareholders, and other relevant third parties.
In an interconnected world, information and related processes, systems, and networks constitute critical business assets. Organizations and their information systems and networks face security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire, and flood. Damage to information systems and networks caused by malicious code, computer hacking, and denial of service attacks has become more common, more ambitious, and increasingly sophisticated.
An ISMS is equally important regardless of whether you are in the public or private sector. The interconnection of public and private networks and the sharing of information assets increase the difficulty of controlling access to and handling of information. When organizations adopt the ISMS family of standards, the ability to apply consistently and mutually-recognizable information security principles can be demonstrated to business partners and other interested parties.
Information security is often thought of as a technical solution; however, the information security that can be achieved through technical means is limited and can be ineffective without being supported by top management and having policies and procedures in place. Integrating security into a functionally complete information system can be difficult and costly. As an example, access controls, which can be technical (logical), physical, administrative (managerial), or a combination, provide a means to ensure that access to information assets is authorized and/or restricted depending on the business requirements.
The successful development and implementation of an ISMS are important for the protection of information assets, in order for an organization to:
a) be assured of being adequately protected against threats to information assets on a continual basis;
b) identify and assess information security risks, select and apply suitable controls, and monitor and improve their effectiveness;
c) continually improve its control environment; and
d) effectively achieve legal and regulatory compliance.
Critical factors for the successful implementation of an ISMS
There are many factors in the successful implementation of an ISMS that allow an organization to meet its business objectives. These include the following:
a) information security ‘policy and objectives’ are aligned with business objectives;
b) organizational culture is taken into account while developing and implementing the ISMS;
c) visible top management commitment and as a result, support from all levels of management;
d) an understanding of information protection requirements;
e) an effective awareness and training program;
f) effectiveness of the process for the reporting and investigation of any information security-related incident;
g) an effective business continuity management approach;
h) a monitoring, measurement, analysis, and evaluation process.
The Process (Development and/or Implementation of an ISMS against ISO 27001:2013)
Gap Analysis against ISO 27001:2013
- Business Excellence's team will conduct an initial assessment/gap analysis according to the scope of services, with reference to the standard, covering the office as well as the sites
- A comprehensive written report will be presented to top management on the status of compliance against the standard’s requirements, identifying the gaps
Awareness Training on ISO 27001:2013
- Business Excellence's team will provide awareness training to the key process owners and relevant staff on the requirements of the standard
- Further to this, they will explain how these requirements apply to the business
Documentation against ISO 27001:2013
- Business Excellence's team will provide full assistance for the development of documentation according to the requirements
- These documents will be of different types at different levels (in order of importance), including policies, the manual, system element procedures, and associated 'forms' such as the RACI matrix, process maps, the risks and opportunities register, KPIs, etc.
Implementation of Documented Management Systems against ISO 27001:2013
- Business Excellence's team will extend its full support for the implementation of the aforementioned documented management systems in letter and spirit
- This may include SWOT analysis, process mapping, setting objectives and targets, development of RACI matrices, training needs analysis, internal audit, corrective action including root cause analysis, management review meetings, etc.
Internal Audit against ISO 27001:2013
- Finally, an internal audit by Business Excellence's team will be performed before the third-party auditor arrives
- A detailed report of this audit will be submitted to management and will help rectify the non-conformities and concerns
- Management is to ensure rectification of the identified concerns within the agreed time frame
Review and/or Assessment by the Certification Body
- The selected third party reviews the documentation, including records
- Lastly, the third party conducts an onsite audit
Closing-out of Non-conformities
- Following the independent review and assessment by the relevant authority, a corrective action plan is developed for each of the non-conformities
- Business Excellence provides guidance on implementing the corrective action plan
Key Deliverables (Development and/or Implementation of an ISMS against ISO 27001:2013)
Gap Analysis Report against ISO 27001:2013
Evaluation of the existing systems to ascertain what is in compliance and where the gaps are, and submission of a comprehensive report to the client
Documentation Kit against ISO 27001:2013
Templates for documents of all types (at all levels), including policies, manuals, system element procedures, work instructions, RACI matrices, forms, process maps, checklists, registers, etc.
Training on ISO 27001:2013
On the requirements of the international standard and how these apply in the context of the business
Review of Documentation (against ISO 27001:2013) and Associated Records
- Business Excellence's team will review each and every provided document prior to finalization
- After our review, the client shall also review these documents prior to approval
Support for Implementation of Documented Management Systems
Business Excellence's team will extend its full support for the implementation of the documented management systems in letter and spirit. This may include SWOT analysis, process mapping, risk assessment, objectives and targets, RACI matrices, training needs analysis and a training plan, internal audit, corrective action, management review, etc.
Internal Audit against ISO 27001:2013
Finally, an internal audit by Business Excellence's team will be performed before the third-party assessment, and a detailed report of this audit shall be submitted to management in order to help rectify the non-conformities and concerns
Third Party Audit by Certification Body against ISO 27001:2013
The management systems documentation including records shall be submitted to an independent certification body for its review of the suitability of documentation and on-site audit.
Business Excellence's team shall help develop and implement corrective actions to close out the findings from the third-party review and/or assessment, until the management systems are approved and the certificate is issued