Overview of ISMS

This post is my snippet of the Wikipedia article about ISMS.

The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

PDCA (ISO/IEC 27001:2005):
  • The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
  • The Do phase involves implementing and operating the controls.
  • The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
  • In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.

  • Information technology security administrators should expect to devote approximately one-third of their time to addressing technical aspects. The remaining two-thirds should be spent developing policies and procedures, performing security reviews and analyzing risk, addressing contingency planning and promoting security awareness.
  • Security depends on people more than on technology.
  • Employees are a far greater threat to information security than outsiders.
  • Security is like a chain: it is only as strong as its weakest link.
  • The degree of security depends on three factors:
    • the risk you are willing to take
    • the functionality of the system
    • the costs you are prepared to pay
  • Security is not a status or a snapshot, but a running process.

Security administration is a management issue, and not a purely technical issue.

Critical factors of ISMS:
  • Confidentiality: Protecting information from disclosure to unauthorized parties.
  • Integrity: Protecting information from modification by unauthorized users.
  • Availability: Making the information available to authorized users when they need it.

CIA leads to:

  • business continuity
  • minimization of damages and losses
  • competitive edge
  • profitability and cash-flow
  • respected organization image
  • legal compliance

The development of an ISMS framework entails the following six steps:

  • Definition of security policy
  • Definition of ISMS scope
  • Risk assessment (as part of risk management)
  • Risk management
  • Selection of appropriate controls
  • Statement of applicability



Author: Mo Moghaddas

Yet another full-time traveler, casually [angel] investing in hopes and ideas solving problems or making life easier, landscape photographing as a hobby, and enthusiastic about Blockchain/Cryptocurrency. Internet citizen, building and breaking Network Architectures by day, and passionate about what may happen #in_future :-)
