Establishing Information Security Management System
Information security is often wrongly understood to mean a set of technical measures taken to protect information systems (firewalls, antivirus solutions, etc.). However, statistics show that most security incidents occur not because of technical limitations in the information system but because of the lack of a quality, efficient management system that encompasses not only technical but also organizational and physical controls.
The most reliable set of recommendations and good-practice examples for implementing an information security management system can be found in the ISO/IEC 27000 series of standards. The most relevant standards in the series are:
- ISO/IEC 27001:2005 – specifies the requirements for establishing a documented Information Security Management System (ISMS) and
- ISO/IEC 27002:2005 – establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.
The generic nature of the ISO/IEC 27000 series of standards guarantees its applicability to organizations of all shapes and sizes. It is precisely because of that generality that the ISO/IEC 27000 series is applied worldwide in a large number of organizations that have recognized information security as a necessary precondition for achieving their business goals.
| Activity | Deliverable |
|---|---|
| Laying ISMS foundations | ISMS scope |
| Risk assessment methodology definition | Risk assessment methodology |
| Information resources identification and assessment | Risk assessment report |
| Gap analysis (recording of the existing security controls) | Risk assessment report |
| Identification of vulnerabilities and threats | Risk assessment report |
| Risk reduction proposal compilation | Risk reduction proposal |
| Drawing up the Statement of Applicability (SoA) | Statement of Applicability |
| Implementation plan formulation (risk management plan) | Risk management plan |
| Establishing key processes and procedures | Processes, policies, procedures and rulebooks according to the customer's needs |
| Compiling the documentation obligatory under ISO 27001 | Document control procedure; internal audit procedure; preventive and corrective measures management procedure |