What is an Information Security Management System (ISMS)?

August 21, 2017


Organisations today are vulnerable to a wide array of threats, and information security is emerging as one of the most pressing. A Ponemon Institute study put the average total cost of a data breach at $4 million. You cannot eliminate that risk, but you can go a long way towards reducing the financial and reputational damage of a breach by implementing an Information Security Management System (ISMS).

1. What is an Information Security Management System (ISMS)?

An information security management system is a structured, systematic approach to managing an organisation's information security. It gives the business a framework for identifying and treating information security and other IT-related risks, with a wide range of controls for keeping data secure against diverse threats.

An ISMS is built around a risk management process and takes in organisational structures, people, policies, processes and IT systems. The organisation's objectives, and the risks to them, determine the scope of the ISMS, the size and structure of its security requirements, and the procedures employed.

2. Do You Need an Information Security Management System?

A global increase in data breaches has heightened information security concerns across all industries. Given the significant financial and legal damage a breach can cause, any business that holds valuable information should consider implementing an information security management system.

3. Who is Responsible for ISMS in Your Business?

An ISMS is usually developed by a cross-functional team of stakeholders: board members or senior executives, line managers and IT staff. Visible commitment from top management is a requirement of the standard, not an optional extra. The team is tasked with designing, implementing and maintaining a set of policies, processes and controls that conform to ISO 27001, the international standard for information security management systems. A conforming ISMS should become an integral part of the company's culture, maintaining strong information security across the whole organisation rather than living in the IT department alone.

4. ISO 27001 - Information Security Management Standard

ISO/IEC 27001 is an international standard, published jointly by ISO and the International Electrotechnical Commission (IEC) and part of the wider ISO/IEC 27000 family. It specifies the requirements an organisation must meet to establish, implement, maintain and continually improve an ISMS, and a certification audit assesses conformity against those requirements. The 2005 edition was built explicitly around the PDCA (Plan, Do, Check, Act) cycle; the 2013 edition no longer mandates PDCA by name, but the cycle still describes how an ISMS is run:

  • Plan – Define the scope of the ISMS and the information security policy, identify information assets, and carry out a risk assessment that establishes the threats and vulnerabilities to be treated.
  • Do – Select and implement the risk treatment options and controls, and define how the effectiveness of each control will be measured.
  • Check – Monitor and measure the controls against those criteria, run internal audits, and hold management reviews to confirm the ISMS is performing as intended.
  • Act – Take corrective action on nonconformities and document the results, feeding the lessons into the next PDCA cycle as continual improvement.

5. What is Annex A within ISO 27001?

Annex A of ISO 27001 is a catalogue of information security controls. An organisation considers each control for applicability and implements those it needs based on the treatment options chosen for the risks identified in its risk assessment; the resulting decisions, including the justification for any exclusions, are recorded in the Statement of Applicability. In the 2013 edition Annex A comprises 14 security domains, 35 control objectives and 114 security controls (the numbering and control count change between editions of the standard). The security domains are:

  • A.5 Information security policies
  • A.6 Organisation of information security
  • A.7 Human resource security
  • A.8 Asset management
  • A.9 Access control
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.13 Communications security
  • A.14 System acquisition, development and maintenance
  • A.15 Supplier relationships
  • A.16 Information security incident management
  • A.17 Information security aspects of business continuity management
  • A.18 Compliance

6. What are the Benefits of Being ISO 27001 Certified?

  • Provides a structured system for managing information security across the organisation, with a clear chain of responsibility for data handling and a monitoring and reporting model for management review.
  • Provides an independent appraisal, by an accredited certification body, of how well the organisation conforms to recognised good practice.
  • Provides customers, partners and regulators with evidence that the organisation meets an international standard.
  • Strengthens information security governance within the organisation.
  • Enhances the organisation's reputation and global standing, and is increasingly a prerequisite in supplier due diligence.
  • Gives the whole organisation a common purpose and a shared, structured set of goals for protecting its data.
  • Establishes a complete information security management framework that lets the team demonstrate conformity on an ongoing basis and keep risk at a level the business has consciously accepted.

There is no doubt that organisations face considerable threats to their information systems. Any company that values its information needs a robust Information Security Management System.
