An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems. The British Standards Institute (BSI) originally published a code of practice for these systems, which has now been adopted internationally as ISO/IEC 27001:2005. There are several aspects to the standard, which can broadly be categorised into the management system itself (the ISMS) and the Control Objectives (categorised into 12 key groups). Put simply:
- the ISMS defines the information security framework (in terms of an Information Security Policy, Threat and Risk Assessment, Statement of Applicability, Information Asset Register and procedures/calendar for ongoing updates, monitoring and auditing);
- the Control Objectives define the specific information security aspects assessed and managed, including information classification, access rules, physical and environmental security, IT network security, backup, user access, and business continuity management;
- formal compliance with the standard can be obtained, but it can be costly to maintain on an ongoing basis. Conformance to the standard is a simpler option; however, it does not provide the accreditation required by some organisations.
Where Do I Start?
If you are just starting out, here are three key steps:
- Develop an information security policy and identify your organization’s key information assets. Purchase the standards, ISO/IEC 27002:2005 (previously named ISO/IEC 17799:2005) and ISO/IEC 27001:2005, to help you do this.
- Carry out a threat and risk assessment and build your ISMS. Assign responsibilities and train key staff to ensure its successful implementation.
- Once your management system is fully implemented, you can register for ISO/IEC 27001:2005 certification/compliance with the relevant accreditation body.