ISO 27001 The Information Security Management System (ISMS) – Tutorial


Introduction

In this tutorial we will cover the Information Security Management System (ISMS).

You will learn what an ISO 27001 ISMS is, the options for implementing one, and the practices that make it work in day-to-day operation.

Information Security Management System (ISMS)

An information security management system is the combination of policies, processes, systems and people that together protect the confidentiality, integrity and availability of information.

ISO 27001 specifies a risk-based management system. You first identify and assess the information security risks to your organisation, then select and implement controls to treat those risks, and you keep a record of which controls apply and why (the Statement of Applicability). The controls follow from the risks, not the other way round.

The management system element itself is about how you organise, manage and deliver information security: who is responsible, how decisions are made, and how you show that what you say you do is actually done.

Implementation Options

Write it yourself

To write a management system yourself you need some knowledge of the standard and some implementation experience. The approach you would take is to:

  • purchase a copy of the standard
  • review all of the ISO 27001 clauses that make up the standard
  • work out what documentation the standard requires of you
  • create that documentation and the processes behind it

Buy a Toolkit

If you purchase an ISO 27001 Toolkit you will get all of the mandatory documents, training, support and knowledge as well as a proven management system based on best practice to fast track your implementation.

Engage a consultant

Consultants are a good option when you want a bespoke management system and cost is not the main constraint.

Best practice for an Information Security Management System

The best practices for an information security management system are:

Business needs

Understand the business needs first: your information security management system has to meet the needs of the business, not exist for its own sake.

Policies

Policies are statements of what you do and communicate what is expected. You will implement policies that are specific to your organisation. Policies are a foundation stone of an effective management system.

Training

You will train people, keep educating them, and build a culture of information security so that the controls are followed because people understand why they exist.

Secure Devices

You are going to secure devices and technology: the laptops, servers, network equipment and services that hold or process the information in scope.

Backup

You are going to make sure that backups are in place. Back up regularly, and test that you can actually restore from those backups: a backup that has never been restored is an assumption, not a control.
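The restore test described above, as an added example (not code from the original tutorial). It archives a directory, writes a checksum manifest beside the archive, then restores into a scratch directory and verifies every file against the manifest. All paths, function names and sample files are hypothetical; it assumes GNU coreutils (sha256sum, sort -z, xargs -0) as found on a typical Linux host.

```shell
#!/bin/sh
# Added example: back up a directory with a checksum manifest, then prove
# the backup can be restored and that the restored files are intact.
# Function and file names here are hypothetical, not from the tutorial.
set -eu

# backup_dir SRC ARCHIVE.tar.gz
# Archive SRC and write a sha256 manifest of every file next to the archive.
backup_dir() {
    src=$1
    archive=$2
    tar -czf "$archive" -C "$src" .
    # relative paths so the manifest checks cleanly from any restore location
    (cd "$src" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum) \
        > "$archive.sha256"
}

# verify_restore ARCHIVE.tar.gz
# Restore into a fresh scratch directory and check every file against the
# manifest. Returns 0 only if the restore succeeds and all hashes match.
verify_restore() {
    archive=$1
    # absolute manifest path, because we cd into the scratch directory below
    manifest="$(cd "$(dirname "$archive")" && pwd)/$(basename "$archive").sha256"
    scratch=$(mktemp -d)
    rc=0
    tar -xzf "$archive" -C "$scratch" || rc=$?
    if [ "$rc" -eq 0 ]; then
        (cd "$scratch" && sha256sum -c --quiet "$manifest") || rc=$?
    fi
    rm -rf "$scratch"
    return "$rc"
}

# demo: constructed sample data showing a good backup and a detected bad one
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/etc"
    printf 'alpha\n' > "$work/src/etc/a.conf"   # constructed sample file
    printf 'beta\n'  > "$work/src/b.txt"        # constructed sample file

    backup_dir "$work/src" "$work/backup.tar.gz"
    if verify_restore "$work/backup.tar.gz"; then
        echo "restore test passed"
    else
        echo "restore test FAILED"
    fi

    # simulate a corrupted or substituted archive: content changed after the
    # manifest was written; the restore test must now fail
    printf 'gamma\n' > "$work/src/b.txt"
    tar -czf "$work/backup.tar.gz" -C "$work/src" .
    if verify_restore "$work/backup.tar.gz"; then
        echo "tampered archive NOT detected"
    else
        echo "tampered archive detected"
    fi
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it with `sh restore_test.sh demo`. The point of the second half of the demo is the part most backup procedures miss: a restore that completes without error is not evidence the data is right, so the check compares content against a manifest taken at backup time rather than trusting the archive to be self-describing. In practice you would schedule this against real backups and record the result as audit evidence.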

Continual Improvement

Your management system will continually improve. Continual improvement is baked into the standard: the ISMS has to be able to learn from incidents, audit findings and changes in the business, and there are a number of steps and processes for that which future blogs will go through.

Audit

You are going to audit continually, and audit is going to be part of your life.

Internal audit is built into the management system.

You will be continually navel-gazing: reviewing yourself and doing internal audits against the ISO 27001 clauses and against the Annex A controls you have declared applicable.

Internal audit is ongoing, and you will be externally audited regularly too: the initial certification audit, then surveillance audits, then recertification on a three-year cycle.

Design for audit

Design your management system the way the toolkit is designed: create the documents and evidence you are asked for on a regular basis, in a form you can hand over without rework.

It is a misconception that holding ISO 27001 certification will end third-party questionnaires and external audits. It won't.

When you build your management system, build it in a way that is effective and efficient for you to manage, but also for you to respond to third-party questionnaires and third-party audits. It will make your life much easier.
