An Information Security Management System (ISMS) describes and demonstrates your organisation’s approach to information security and privacy. It helps identify and address the threats and opportunities around your valuable information and any related assets. That protects your organisation from security breaches and shields it from disruption if and when they do happen.
It contains policies, procedures and controls that are designed to meet the three objectives of information security:
To achieve ISO 27001 compliance or certification, you need a fully functioning ISMS that meets the standard’s requirements. It will define your organisation’s information assets, then cover off all the:
Secures your information in all forms – An ISMS helps protect all forms of information, including digital and paper-based records, intellectual property, company secrets, data on devices and in the cloud, hard copies and personal information.
Increases your attack resilience – Implementing and maintaining an ISMS significantly increases the organisation’s resilience to cyber attacks.
Reduces information security costs – Because an ISMS is driven by risk assessment and analysis, organisations can avoid spending on indiscriminately added layers of defensive technology that might not work.
Responds to evolving security threats – By constantly adapting to changes both in the environment and inside the organisation, an ISMS reduces the threat posed by continually evolving risks.
Improves company culture – The Standard’s holistic approach covers the whole organisation, not just IT, and encompasses people, processes and technology. This enables employees to readily understand risks and embrace security controls as part of their everyday working practices.
Offers organisation-wide protection – An ISMS protects your entire organisation from technology-based risks and from other, more common threats, such as poorly informed staff or ineffective procedures.
Provides a central framework – An ISMS provides a framework for keeping your organisation’s information safe and managing it all in one place.
Protects the confidentiality of data – An ISMS offers a set of policies, procedures, and technical and physical controls to protect the confidentiality, integrity and availability of information.
Most organisations either follow a plan-do-check-act process or follow the ISO 27001 international security standard, which details the requirements for an ISMS. Below are five steps to illustrate how an ISMS should be implemented:
An ISMS is built to address the risks that have been identified, but the threat landscape is constantly evolving. Therefore, regularly monitor the risks the organisation faces to ensure that your defences remain adequate. This includes vulnerability scans and other tools that can automatically spot new risks. Rigorous testing must be performed on a regular basis.
To remain compliant, an ISO 27001 risk assessment must be completed at least once a year or whenever there is a substantial change to the organisation.
The policies and processes written during the initial implementation will have been created specifically for the way your organisation operated at that time. As operations evolve, however, it is important that your documentation takes account of the changes. For example, is there a significant change in the way you perform certain actions? Have you undertaken new activities involving sensitive data? Have the physical premises changed in any way? If the answer to any of those questions is yes, you must amend your documentation accordingly.
An internal audit provides a comprehensive review of the effectiveness of your ISMS. Alongside a risk assessment and a documentation review, it will help you assess the status of your ISO 27001 compliance. An internal audit will have been done as part of the initial certification process; it now just needs to be updated.
Remedying vulnerabilities takes time and resources, which require board-level approval, so keep senior management informed of both the activities involved in maintaining the ISMS and the benefits it has brought.
Involving stakeholders in the review process ensures that opportunities for improvement, and any necessary changes, are discussed. There is no requirement for how often the management review should take place, but it should be at least once a year and ideally every six months.
Regularly monitor the effectiveness of the organisation’s ISMS and perform corrective actions to prevent weaknesses from spilling over into major problems. Some of these changes may be minor tweaks to processes and policies, or the addition of a new tool.
One of the key principles of ISO 27001 is that effective information security is everybody’s responsibility. Compliance should not be left to the IT department or to managers. Anyone in the organisation who handles sensitive data plays a role in the organisation’s security. They must understand their obligations for protecting sensitive information and appreciate the stakes involved.