ISMS (Information Security Management System) and ISO 27001

Introduction

Twitter, Marriott, and Zoom are a few famous names that have popped up in 2020 due to security breaches. Organizations have been frantically trying to implement a security framework to establish discipline related to information security. This is where the ISMS (Information Security Management System) come into picture.

An ISMS is a systematic approach consisting of processes, technology and people that helps you protect and manage your organization’s information through effective risk management. It ensures compliance with the three pillars of cyber security; confidentiality, integrity and availability.

How does ISO 27001 fit in?

ISO 27001 is the international standard that provides the specification for best-practice ISMS and covers the compliance requirements. Adhering to the standard assists organizations to have a structured approach towards cyber security.

How can a ISO 27001 benefit you?

Secure your information in all its forms: An ISMS helps protect all forms of information, whether digital, paper-based or in the Cloud.

Increase your attack resilience: Implementing and maintaining an ISMS will significantly increase your organization’s resilience to cyber attacks. 

Manage all your information in one place: An ISMS provides a central framework for keeping your organization’s information safe and managing it all in one place. 

Respond to evolving security threats: Constantly adapting to changes both in the environment and inside the organization, an ISMS reduces the threat of continually evolving risks. 

Reduce costs associated with information security: Thanks to the risk assessment and analysis approach of an ISMS, organizations can reduce costs spent on indiscriminately adding layers of defensive technology that might not work. 

Protect the confidentiality, availability and integrity of your data: An ISMS offers a set of policies, procedures, technical and physical controls to protect the confidentiality, availability and integrity of your information. 

Improve company culture: An ISMS’s holistic approach covers the whole organization, not just IT. This enables employees to readily understand risks and embrace security controls as part of their everyday working practices.

According to ISO 27001, ISMS implementation follows a Plan-Do-Check-Act (PCDA) model for continuous improvement in ISMS processes:

• Plan. Identify the problems and collect useful information to evaluate security risk . Define the policies and processes that can be used to address problem root causes. Develop methods to establish continuous improvement in information security management capabilities.
• Do. Implement the devised security policies and procedures. The implementation follows the ISO standards, but actual implementation is based on the resources available to your company.
• Check. Monitor the effectiveness of ISMS policies and controls. Evaluate tangible outcomes as well as behavioral aspects associated with the ISM processes.
• Act. Focus on continuous improvement. Document the results, share knowledge, and use a feedback loop to address future iterations of the PCDA model implementation of ISMS policies and controls.

ISMS security controls span multiple domains of information security as specified in the ISO 27001 standard. The catalog contains practical guidelines with the following objectives:

1. Information security policies
2. Organization of information security
3. Asset Management
4. Human Resource Security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information system acquisition, development, and maintenance
9. Information security and incident management
10. Business continuity management.
11. Compliance
12. Cryptography
13. Supplier relationships