ISO/IEC 27001 Information Security Management System (ISMS)

Information Security Management Systems

Protecting your Information Assets

ISO/IEC 27001 is the world’s leading standard for information security management systems (ISMS). It provides organisations with a framework for managing their information security risks and ensuring the confidentiality, integrity, and availability of their information assets.

What does an ISMS achieve for your organisation?

The degree of complexity in the design and development of an ISO/IEC 27001 Information Security Management System will vary based on your operational context and environment, but it is essential for organisations that want to protect their information assets, and those of their people, customers and other parties that rely on them. There are a number of benefits to developing and implementing an ISMS, and achieving ISO 27001 certification, including:

Increased customer confidence: Your organisation will be perceived as trustworthy in the protection of confidential customer assets when provided to you.

Reduced risk of data breaches: You’ll spend less time having to respond to incidents and other events that impact your operations and performance.

Improved compliance with regulations: It is expected that the costs of regulatory non-compliance in this area will only increase.

Enhanced operational efficiency: The establishment of specified processes and controls will ensure that you’re not wasting time and precious resources to manage your information.

Increased employee awareness of information security: Your people will have a better understanding of the role that they play in protecting your information assets and operations, and how to contribute to ongoing improvement of your ISMS.

What is involved in developing an Information Security Management System?

Developing your ISMS involves a sequence of activities that follow the Plan-Do-Check-Act cycle, which is common to ISO management system standards:

Define the organisational context, and ISMS scope: Before you do anything, clearly identify and define the scope of your planned ISMS, including locations, functions, external providers and information types.

Establish high-level policies and processes for the ISMS: The highest-level document for your ISMS is the Information Security Policy, which sets out your commitments and the intent of the ISMS. You will also develop and document your Risk Management Methodology to guide the assessment of information security risks.

Identify information assets, and assess information security risks: You will identify the organisation’s information assets, and assess the potential impacts on these from threats and vulnerabilities should you experience a security breach.

Select and plan your information security controls: Annex A of ISO/IEC 27001 provides a suite of 93 controls that you can choose from in the development of your information security controls, which are captured in your Statement of Applicability. These are categorised as; organisational controls (37), people controls (8), physical controls (14), and technological controls (34).

Develop information security policies and processes for your controls: With your information security controls selected, your Risk Treatment Plan will outline the control-specific policies, procedures and plans necessary to support their implementation. Guidance for the development of the 93 Annex A controls is provided in ISO/IEC 27002 (Information security, cybersecurity and privacy protection – Information security controls).

Implement your information security controls: With your policies and processes now ready, the next step is to prioritise and implement these on the basis of the degree of risk that they will mitigate.

Review and improve your ISMS: You will need to regularly review your ISMS to ensure that it is still effective in mitigating the organisation’s information security risks. The ISMS will also need to be improved as new risks and threats emerge (nothing ever stays the same).

Like to read more? Have a look at our blog post that discusses ISO/IEC 27001, and how to approach your ISMS project. If you are interested in learning more about developing an ISO/IEC 27001 Information Management System, or how to achieve certification, please contact DBell Consulting today.