Overview of ISMS

PDCA (ISO/IEC 27001:2005)

This post is my snippet of the Wikipedia article about ISMS.

The governing principle behind an ISMS (information security management system) is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

PDCA (ISO/IEC 27001:2005):
  • The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
  • The Do phase involves implementing and operating the controls.
  • The objective of the Check phase is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
  • In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.

  • Information technology security administrators should expect to devote approximately one-third of their time to technical aspects. The remaining two-thirds should be spent developing policies and procedures, performing security reviews and analyzing risk, addressing contingency planning and promoting security awareness.
  • Security depends on people more than on technology.
  • Employees are a far greater threat to information security than outsiders.
  • Security is like a chain: it is only as strong as its weakest link.
  • The degree of security depends on three factors:
    • the risk you are willing to take
    • the functionality of the system
    • the costs you are prepared to pay
  • Security is not a status or a snapshot, but a running process.

Security administration is a management issue, and not a purely technical issue.

Critical factors of ISMS:
  • Confidentiality: Protecting information from disclosure to unauthorized parties.
  • Integrity: Protecting information from modification by unauthorized users.
  • Availability: Making the information available to authorized users when they need it.

Maintaining CIA leads to:

  • business continuity
  • minimization of damages and losses
  • competitive edge
  • profitability and cash-flow
  • respected organization image
  • legal compliance

The development of an ISMS framework entails the following six steps:

  • Definition of security policy
  • Definition of ISMS scope
  • Risk assessment (as part of risk management)
  • Risk management
  • Selection of appropriate controls
  • Statement of applicability


Author: Mo Moghaddas

Building zeeg.me to give users more time back and make scheduling a pleasant experience.