Establishing Information Security Management System

Information security is often wrongly understood to mean a set of technical measures taken to protect information systems (firewalls, antivirus solutions, etc.). However, statistics show that most security incidents occur not because of technical limitations of the information system but because of the lack of a quality, efficient management system that encompasses not only technical but also organizational and physical controls.

The most reliable set of recommendations and good-practice examples for implementing an information security management system can be found in the ISO/IEC 27000 series of standards. The most relevant standards in the series are:

  • ISO/IEC 27001:2005 – specifies the requirements for establishing a documented Information Security Management System (ISMS), and
  • ISO/IEC 27002:2005 – establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization.

The generic nature of the ISO/IEC 27000 series of standards guarantees its applicability to organizations of all shapes and sizes. Precisely because of that generality, the series is applied worldwide in a large number of organizations that have recognized information security as a necessary precondition for achieving their business goals.

Project phases and their deliverables (consignments):

  • Laying ISMS foundations – ISMS scope; security policy
  • Risk assessment methodology definition – risk assessment methodology
  • Information resources identification and assessment, gap analysis (recording of the existing security controls), identification of vulnerabilities and threats, and risk assessment – risk assessment report
  • Risk reduction proposal compilation – risk reduction proposal
  • Drawing up the Statement of Applicability (SoA) – Statement of Applicability
  • Implementation plan formulation (risk management plan) – risk management plan
  • Establishing key processes and procedures – processes, policies, procedures and rulebooks according to the customer’s needs
  • Compiling the documentation obligatory under ISO 27001 – document control procedure; internal audit procedure; preventive and corrective measures management procedure