Information security management systems

What is an Information Security Management System (ISMS)?

An Information Security Management System (ISMS) consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets. An ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives. It is based upon a risk assessment and the organization’s risk acceptance levels designed to effectively treat and manage risks. Analysing requirements for the protection of information assets and applying appropriate controls to ensure the protection of these information assets, as required, contributes to the successful implementation of an ISMS. The following fundamental principles also contribute to the successful implementation of an ISMS:

a) awareness of the need for information security;

b) assignment of responsibility for information security;

c) incorporating management commitment and the interests of stakeholders;

d) enhancing societal values;

e) risk assessments determining appropriate controls to reach acceptable levels of risk;

f) security incorporated as an essential element of information networks and systems;

g) active prevention and detection of information security incidents;

h) ensuring a comprehensive approach to information security management; and

i) continual reassessment of information security and making of modifications as appropriate.

Why is an ISMS important?

Risks associated with an organization’s information assets need to be addressed. Achieving information security requires the management of risk, and encompasses risks from physical, human and technology related threats associated with all forms of information within or used by the organization. The adoption of an ISMS is expected to be a strategic decision for an organization.

The design and implementation of an organization’s ISMS is influenced by the needs and objectives of the organization, security requirements, the business processes employed and the size and structure of the organization. The design and operation of an ISMS needs to reflect the interests and information security requirements of all of the organization’s stakeholders including customers, suppliers, business partners, shareholders and other relevant third parties.

An ISMS is important to both public and private sector businesses. In any industry, an ISMS is an enabler that supports e-business and is essential for risk management activities. The interconnection of public and private networks and the sharing of information assets increases the difficulty of controlling access to and handling of information. In addition, the distribution of mobile storage devices containing information assets can weaken the effectiveness of traditional controls. When organizations adopt the ISMS family of standards the ability to apply consistent and mutually-recognizable information security principles can be demonstrated to business partners and other interested parties.

Benefits of the ISMS family of standards

The benefits of implementing an ISMS will primarily result from a reduction in information security risks (i.e. reducing the probability of, and/or impact caused by, information security incidents). Specifically, benefits realized for an organization to achieve sustainable success from the adoption of the ISMS family of standards include:

  1. a structured framework supporting the process of specifying, implementing, operating and maintaining a comprehensive, cost-effective, value creating, integrated and aligned ISMS that meets the organization’s needs across different operations and sites;
  2. assistance for management in consistently managing and operating in a responsible manner their approach towards information security management, within the context of corporate risk management and governance, including educating and training business and system owners on the holistic management of information security;
  3. promotion of globally-accepted good information security practices in a non-prescriptive manner, giving organizations the latitude to adopt and improve relevant controls that suit their specific circumstances and to maintain them in the face of internal and external changes;
  4. provision of a common language and conceptual basis for information security, making it easier to place confidence in business partners with a compliant ISMS, especially if they require certification against ISO/IEC 27001 by an accredited certification body;
  5. increase in stakeholder trust in the organization;
  6. satisfying societal needs and expectations; and
  7. more effective economic management of information security investments.
ISMS family of standards

The ISMS family of standards consists of inter-related standards, already published or under development, and contains a number of significant structural components. These components are focused upon normative standards describing ISMS requirements (ISO/IEC 27001) and certification body requirements (ISO/IEC 27006) for those certifying conformity with ISO/IEC 27001. Other standards provide guidance for various aspects of an ISMS implementation, addressing a generic process, control-related guidelines as well as sector-specific guidance.

Relationships between the ISMS family of standards are illustrated in the figure below:

Standards describing an overview and terminology

BAS ISO/IEC 27000 - Information technology - Security techniques - Information security management systems - Overview and vocabulary
This International Standard describes the fundamentals of information security management systems, which form the subject of the ISMS family of standards, and defines related terms.

Standards specifying requirements

BAS ISO/IEC 27001 - Information technology - Security techniques - Information security management systems - Requirements
ISO/IEC 27001 provides normative requirements for the development and operation of an ISMS, including a set of controls for controlling and mitigating the risks associated with the information assets which the organization seeks to protect by operating its ISMS.

BAS ISO/IEC 27006 - Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27006 supplements ISO/IEC 17021 in providing the requirements by which certification organizations are accredited, thus permitting these organizations to provide compliance certifications consistently against the requirements set forth in ISO/IEC 27001.

Standards describing general guidelines

BAS ISO/IEC 27002 - Information technology - Security techniques - Code of practice for information security controls
ISO/IEC 27002 provides guidance on the implementation of information security controls.

BAS ISO/IEC 27003 - Information technology - Security techniques - Information security management system implementation guidance
ISO/IEC 27003 provides a process-oriented approach to the successful implementation of the ISMS in accordance with ISO/IEC 27001.

BAS ISO/IEC 27004 - Information technology - Security techniques - Information security management - Measurement
ISO/IEC 27004 provides a measurement framework for assessing the effectiveness of an ISMS in accordance with ISO/IEC 27001.

BAS ISO/IEC 27005 - Information technology - Security techniques - Information security risk management
ISO/IEC 27005 provides guidance on implementing a process-oriented risk management approach to assist in satisfactorily implementing and fulfilling the information security risk management requirements of ISO/IEC 27001.

BAS ISO/IEC 27007 - Information technology - Security techniques - Guidelines for information security management systems auditing
ISO/IEC 27007 will provide guidance to organizations needing to conduct internal or external audits of an ISMS or to manage an ISMS audit programme against the requirements specified in ISO/IEC 27001.

BAS ISO/IEC TR 27008 - Information technology - Security techniques - Guidelines for auditors on information security controls
This Technical Report provides a focus on reviews of information security controls, including checking of technical compliance, against an information security implementation standard.

BAS ISO/IEC 27013 - Information technology - Security techniques - Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
This International Standard provides organizations with a better understanding of the characteristics, similarities and differences of ISO/IEC 27001 and ISO/IEC 20000-1 to assist in the planning of an integrated management system that conforms to both International Standards.

BAS ISO/IEC 27014 - Information technology - Security techniques - Governance of information security
This International Standard will provide guidance on principles and processes for the governance of information security, by which organizations can evaluate, direct and monitor the management of information security.

BAS ISO/IEC TR 27016 - Information technology - Security techniques - Information security management - Organizational economics
This Technical Report will provide a methodology allowing organizations to better understand, in economic terms, how to more accurately value their identified information assets, value the potential risks to those information assets, appreciate the value that information protection controls deliver to these information assets, and determine the optimum level of resources to be applied in securing these information assets.

Standards describing sector-specific guidelines

BAS ISO/IEC 27010 - Information technology - Security techniques - Information security management for inter-sector and inter-organizational communications
This International Standard is applicable to all forms of exchange and sharing of sensitive information, both public and private, nationally and internationally, within the same industry or market sector or between sectors.

BAS ISO/IEC 27011 - Information technology - Security techniques - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
ISO/IEC 27011 allows telecommunications organizations to meet baseline information security management requirements of confidentiality, integrity, availability and any other relevant security property.

BAS ISO/IEC TR 27015 - Information technology - Security techniques - Information security management guidelines for financial services
This Technical Report provides guidelines in addition to the guidance given in the ISO/IEC 27000 family of standards for initiating, implementing, maintaining, and improving information security within organizations providing financial services.

ISO/IEC 27017 (planned to be adopted as a BAS standard) - Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services
This International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.

BAS ISO/IEC 27018 - Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
This International Standard is applicable to organizations, including public and private companies, government entities and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.

BAS ISO/IEC TR 27019 - Information technology - Security techniques - Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
In addition to the security objectives and measures that are set forth in ISO/IEC 27002, this Technical Report provides guidelines for systems used by energy utilities and energy suppliers.

BAS ISO 27799 - Health informatics - Information security management in health using ISO/IEC 27002
ISO 27799 provides health organizations with an adaptation of the ISO/IEC 27002 guidelines unique to their industry sector.