Information Security Management

An Information Security Management System (ISMS) is, as the name suggests, the set of policies, processes and controls by which an organisation manages its information security.

The key concept of an ISMS is for an organisation to design, implement and maintain a coherent suite of processes and systems that control who may access information and how, thus ensuring the confidentiality, integrity and availability of information assets and reducing information security risk to a level the organisation has consciously accepted.

As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organisation and the external environment. ISO/IEC 27001:2005 therefore incorporates the familiar "Plan-Do-Check-Act" (PDCA) Deming cycle of continual improvement (later editions of the standard no longer prescribe PDCA by name, but retain the same requirement for continual improvement):

The Plan phase is about designing the ISMS: defining its scope, assessing the information security risks and selecting appropriate controls to treat them.
The Do phase involves implementing and operating the selected controls.
The Check phase's objective is to monitor, review and evaluate the performance, efficiency and effectiveness of the ISMS against its objectives, for example through internal audits and management review.
In the Act phase, corrective and preventive changes are made, where the Check phase has shown them to be necessary, so that the ISMS continues to meet its objectives.


ISO/IEC 27001:2005 Information Security Management Standard

Compliance with ISO/IEC 27001:2005 is increasingly being seen as the preferred way of demonstrating that an organisation manages information security properly. Reference to the standard now appears in many invitations to tender (ITT) documents, and certification against it is a prerequisite in certain sectors (e.g. government, NHS).

The standard is based around the Plan-Do-Check-Act (PDCA) model. In line with that model, an organisation is required to establish, implement and operate, monitor and review, and maintain and improve a documented Information Security Management System.

Demonstrating compliance with the standard will involve carrying out a risk assessment and recording the chosen controls in a Statement of Applicability, setting policies (e.g. clear desk policy, access control policy, information classification policy), implementing processes (e.g. a formal starters/leavers process, an authorisation process for application access) and conducting management reviews and internal audits in the same way as for other ISO management system standards.

While many of the controls are IT specific, this is simply because IT underpins almost every business process. ISO/IEC 27001 should not be thought of as an IT standard. An organisation seeking to implement an Information Security Management System needs to show that it is embedded in the culture, and that all employees are aware of their responsibilities in maintaining information security.

Information Security Management Consultancy

While many of the requirements of the ISO/IEC 27001:2005 standard are self explanatory, engaging Consultancy52 can help in a number of different ways:

  • Full implementation of an Information Security Management System, including writing the policies, procedures and processes necessary to demonstrate compliance, scheduling and performing internal audits, training employees and providing assistance during any formal third party certification audit if required.
  • Implementation guidance.  We can support your own implementation team with anything from telephone assistance to on-site mentoring.
  • Internal audits.  Consultancy52 can provide an auditing service as a one-off project or as part of an ongoing maintenance plan.
  • Information security training.  Training packages, including management representative training, internal audit courses and an Introduction to Information Security, can be provided on or off site.