Information security management system (ISMS): the part of the overall management system that, based on a business risk approach, establishes, implements, operates, monitors, reviews, maintains and improves information security.
The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.
The standard that defines the requirements for building an ISMS is ISO/IEC 27001:2013 (since superseded by ISO/IEC 27001:2022, which keeps the same management-system structure).
ISO 27001 is administrative rather than technical in nature: it does not prescribe particular technologies, but requires processes that ensure an appropriate level of information security in the company. The ISMS rests on a risk assessment procedure covering the organization's key information assets and on the selection of controls that reduce the identified risks to an acceptable residual level; the chosen controls and the reasons for including or excluding them are recorded in a Statement of Applicability.
Carrying out the set of measures needed to build an information security management system in accordance with ISO 27001 allows the company to achieve the following:
- Improved security. The standard was developed on the basis of international best practice in information security.
- Control. The standard requires a cyclic, controlled information security process with continual improvement.
- Cost optimization. An ISMS makes it possible to optimize and justify information security spending.
- Risk. Reduction of the financial risks associated with information security through the identification and assessment of risks and the adoption of adequate protective measures.
- Attractiveness. Increased attractiveness of the company on domestic and foreign markets (competitive advantage).
- Confidence. Increased confidence of shareholders, customers, partners and counterparties.
- Reputation. Improved goodwill through ISMS certification, which demonstrates the company's level of maturity.
Building an ISMS involves the following stages:
1. definition of the scope of the ISMS;
2. preliminary audit (gap analysis) for compliance with ISO 27001:
- collection of baseline data on business processes, departments, information and telecommunication infrastructure, and the methods and means of information security already in use;
- analysis of the existing organizational and administrative documentation regulating information security;
- assessment of the current level of compliance with the requirements of ISO 27001;
3. risk assessment:
- development of a risk assessment methodology;
- inventory and classification of assets;
- mapping of threats to assets;
- risk analysis and assessment;
- development of a risk treatment plan and the Statement of Applicability;
4. development of ISMS procedures and documentation:
- development of information security management processes;
- development of information security processes;
- development of the set of organizational and administrative documentation regulating information security;
- development of programs to improve governance and information security awareness;
5. implementation of ISMS procedures and documentation:
- implementation of information security management processes;
- implementation of information security processes;
- training and awareness of employees in the field of information security;
6. pilot operation of the ISMS, including the internal audit and management review that the standard requires before certification;
7. certification audit and issue of an international certificate:
- interaction with the accredited certification body;
- consulting support in passing the certification audit.
The result is a company ISMS that meets the requirements of the ISO 27001 standard.