What is an Information Security Management System (ISMS) according to ISO 27001?
If you’ve started an ISO 27001 implementation, you’ve surely come up with the term Information Security Management System or ISMS. Pretty vague term, isn’t it? And yet, the ISMS is the main “product” of ISO 27001 implementation. So, what exactly is an ISMS?
ISO 27001 basically describes how to develop the ISMS – you can consider this ISMS to be a systematic approach for managing and protecting a company’s information. The ISMS represent a set of policies, procedures, and various other controls that set the information security rules in an organization. As mentioned in the article The basic logic of ISO 27001: How does information security work, what kind of control for information security will be implemented in a company is decided based on the results of the risk assessment and on the requirements of interested parties. For each risk that needs to be treated, a combination of different types of controls will be implemented.
Several controls are needed for each risk
Let’s say you leave your laptop frequently in your car, so chances are, sooner or later, the laptop will get stolen. So, what can you do to decrease the risk to your information? So, you have to apply some controls. First of all, you can write a procedure that defines that you cannot leave the laptop in the car; also, you can protect your laptop with a password, so if it gets stolen it will be more difficult for someone to access your information. Also, you can encrypt your disks – this is an even higher level of protecting your information, but also you can ask your employees to sign a statement where they oblige to pay all the damage that can occur if such an incident happens, but also you have to train and make your employees aware that there are such risks if they leave their laptops in their cars.
Now, protecting this laptop might sound simple, but the problem is when you have hundreds of laptops, dozens of servers, a multitude of databases, many employees, etc. With so much sensitive information in so many different assets, very quickly you would produce a huge number of safeguards that wouldn’t be related, and therefore would be very difficult to manage.
Managing complex security systems
The only way to manage all these safeguards is to set clear security processes and responsibilities. This is called a process approach in ISO management standards – in ISO 27001, but also in ISO 9001, ISO 20000, and others. If we take ISO 9001 as an analogy, the idea is the following: you cannot expect to produce a high-quality car only by performing a quality check at the end of the production line – what is needed is to design a production process that has included the quality philosophy in every step, in every detail – from selecting only high-quality suppliers, to training the employees, to dealing effectively with the non-conforming products.
Similarly, a process approach is crucial for making this connection between responsibilities and technical controls – only if you know who has to do what and when, will you have a foundation for enabling your security controls to work.
The point of the ISMS
So, what can we learn from these points? First of all, information security controls are not only technical, IT-related controls. They are a combination of different types of controls: documenting a procedure is an organizational control, implementing a software tool is an IT control, and training people is a human resources control. See also: Information security or IT security?
Secondly, without some kind of a framework, information security becomes unmanageable – this is where ISO 27001 comes in – when you build up your ISMS, which means developing a set of information security rules, responsibilities, and controls, then you’ll be able to manage such a complex system.
Finally, an ISMS is nothing else but several security processes all tied up together – the better these processes are defined, and the better these processes are interrelated, the fewer incidents you will have.