Implementing an Information Security Management System - The anatomy of an ISMS (Page 3 of 4)

An ISMS can be a complex entity dealing with many variables. Its complexity will depend largely on the scale and nature of the owner organization, along with the volume, nature and variety of the information involved. However, the structure of any ISMS will contain certain common elements regardless of the scale. Close adherence to this structure during the planning phase will ensure that the ISMS conforms to best practice guidelines.
Scope

At the head of the ISMS is the statement of scope. This defines the logical and geographical boundaries of the ISMS: in other words, the people, places and information to which the ISMS will apply.
Policy

The policy statement is the high-level overview of precisely what the ISMS is seeking to achieve. It should define factors such as the criteria to be applied during risk assessment and the types of security breach the ISMS will seek to protect against. It should take into consideration other policies within the organization which may have an impact on the ISMS. It also defines top-level roles and responsibilities, such as who, at management level, has approved the policy, and who is responsible for the maintenance and implementation of the ISMS.
Risk assessment

Risk assessment lies at the heart of the ISMS and will almost always form the largest section of its content. Accurate assessment provides a focus for the implementation of security controls and strategies, and ensures that these controls and strategies are correctly prioritized and cost-effective.
The first step in risk assessment is to assess the value of the organization's information assets as accurately as possible. This valuation must consider not just the information's raw financial worth, but hidden values such as the potential cost of legal action, or damage to the organization's reputation, that could result from loss or compromise.
Valuation is followed by the identification of threats, vulnerabilities, and the potential impact of disruption. This will help to establish clear priorities for the ISMS, leading to an accurate determination of the various risks, and appropriate controls and strategies for managing them. The assessed risks should be compared to the acceptable risk levels determined in the policy document to establish a hierarchy of priorities.
Some additional factors that must be taken into account during this process are the nature of the organization and its information, and the physical security environment within which the information is kept.
Risk handling strategies

All identified risks must be addressed in one of four possible ways.
First, security controls can be implemented to manage the risk. A vast number of possible controls is outlined in ISO/IEC 27002, the security management code of practice. Any controls that are implemented should be recorded in a document known as the Statement of Applicability, along with the justifications for the selection of the particular control, and information tracking back to the risk assessment documentation that outlined the requirement for it.
Second, the risk can simply be accepted. If the decision is made to live with a certain risk, the grounds for the decision must be documented, along with justification for it in terms of the policy and criteria for identifying acceptable risks.
Third, the risk may be eliminated entirely. How this can be achieved will depend on the specific risk, but examples would be the replacement of a vulnerable application with a secure alternative, or the relocation of vulnerable physical assets to a more secure site.
Fourth, responsibility for the risk can be transferred to another organization. This is typically done by taking out insurance, or by outsourcing the services that manage the vulnerable information. In such a case, the external organization must accept responsibility for the risks it is undertaking, having been made fully aware of the implications.
Whichever risk management strategy is selected, the residual risk must be reassessed after implementation to confirm that it is now below the acceptability threshold. On completion, the risk handling assessment must be fully documented, noting a detailed plan of action to address each identified risk, the priorities and timescales for completion of the necessary actions, and the individuals or teams responsible for implementation.
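The risk assessment and risk handling steps above can be modelled as a small risk register: asset value including hidden costs, exposure as value times likelihood times impact, the four treatment strategies, a residual-risk check against the policy threshold, and Statement of Applicability entries that trace back to the risk. This is an added example, not part of the original article; the threshold, the control name and the sample asset values are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

ACCEPTABLE_RISK = 10_000.0  # constructed policy threshold: annualised expected loss
class Treatment(Enum):
    CONTROL = "control"      # implement ISO/IEC 27002 controls; recorded in the SoA
    ACCEPT = "accept"        # live with the risk, grounds documented
    ELIMINATE = "eliminate"  # remove the vulnerable asset or application
    TRANSFER = "transfer"    # insurance or outsourcing; third party accepts the risk

@dataclass
class Risk:
    rid: str
    asset: str
    financial_value: float   # raw financial worth of the asset
    hidden_value: float      # legal and reputational cost of loss or compromise
    likelihood: float        # annual probability the threat materialises
    impact: float            # fraction of asset value lost when it does
    treatment: "Treatment | None" = None
    justification: str = ""
    control: str = ""        # control reference when treatment is CONTROL
    residual_factor: float = 1.0  # fraction of original exposure left after treatment

    def exposure(self) -> float:
        return (self.financial_value + self.hidden_value) * self.likelihood * self.impact

    def residual_exposure(self) -> float:
        return self.exposure() * self.residual_factor

def prioritise(risks):  # highest exposure first: the order in which to handle them
    return sorted(risks, key=lambda r: r.exposure(), reverse=True)

def treat(risk, treatment, justification, control="", residual_factor=1.0):
    """Reassess residual risk against the policy threshold, then record the strategy."""
    if not justification or (treatment is Treatment.CONTROL and not control):
        raise ValueError(f"{risk.rid}: justification (and control, if any) must be documented")
    residual = 0.0 if treatment is Treatment.ELIMINATE else residual_factor
    if risk.exposure() * residual > ACCEPTABLE_RISK:  # untouched on failure
        raise ValueError(f"{risk.rid}: residual {risk.exposure() * residual:.0f} exceeds acceptable risk")
    risk.treatment, risk.justification, risk.control = treatment, justification, control
    risk.residual_factor = residual
    return risk.residual_exposure()

def statement_of_applicability(risks):  # one entry per control, traceable to its risk
    return [{"control": r.control, "justification": r.justification, "risk": r.rid}
            for r in risks if r.treatment is Treatment.CONTROL]

def example_register():  # constructed sample; asset values and probabilities are illustrative
    r = Risk("R1", "customer database", 200_000, 300_000, 0.2, 0.5)  # exposure 50,000
    treat(r, Treatment.CONTROL, "encrypt backups; see R1 assessment", "cryptographic controls", 0.1)
    return r
```

Accepting a risk whose exposure is already above the threshold is rejected by `treat`, which mirrors the requirement that acceptance be justified in terms of the policy's acceptable-risk criteria.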
Management processes

The final element in the ISMS structure is the identification of the management processes that underpin and maintain the system. These will typically include the resourcing of the project, an auditing schedule to verify that the system is working correctly, the management review process which the system will undergo, and improvement procedures to be overseen at management level.