“Fundamentals of constructing an ISMS”
By Biljana Cerin and the CISOHandbook.com Team
An ISMS (Information Security Management System) as outlined in the ISO 27001:2005 international standard is not merely a set of documents. It is a methodology for developing a living information security management system for the assessment and management of the information risk an organization carries. Though this description may sound like a perfect solution to security managers, the undertaking is not without hardship and challenges. The amount of time, energy, resources, and political capital necessary to successfully implement an ISMS is substantial. In other words, this effort should not be taken half-heartedly or lightly, since a number of “important” people will have skin in the game.
So, if you only want a set of policies and procedures to be used as proof of regulatory compliance (for pacifying your auditors), then don't waste your time, or anyone else's, attempting to fulfill the ISO 27001:2005 requirements. On the other hand, if you are truly interested in developing a lifecycle for information security management and want to do it as quickly and effectively as possible (bypassing the endless discussions on philosophy and explaining yourself to countless individuals), then read on…this series of articles is for you!
For those of you who were brave enough to make it through the first two paragraphs, I will attempt to provide you with experience-based shortcuts to fast-track your ISMS initiative. In addition, these articles will address some of the steps that make conditions within your organization conducive to a successful implementation. So without any additional fanfare, let’s begin!
Step 1 – Get the Full Perspective
“If you know the enemy and know yourself you need not fear the results of a hundred battles”
- Sun Tzu, The Art of War
First and foremost, I would recommend that you take a Lead Auditor course for ISO 27001:2005. Yes, it comes with an exam at the end, so what? Passing that exam doesn't make you a Lead Auditor (sorry to all the credential hounds). There are a number of additional steps on the road to becoming a certified ISMS LA. But that is not the intent behind taking the course. The true objective is to give you an overview of the entire system from the perspective of an auditor. This is valuable because an auditor is interested in measuring how effective the controls are at meeting their design objectives, not merely whether they exist on paper. In other words, the course gives you the overall view plus the tools for evaluating whether the controls that are implemented actually work.
Now, don't be surprised if the course instructor or ISO 27001:2005 Lead Auditor proclaims: "I am not an IT person." That is okay! For that matter, you don't need to be an IT person to successfully implement an ISO 27001:2005 ISMS. The reason for this is that...drum roll… AN ISO 27001:2005 ISMS IS NOT ABOUT IT SECURITY!
This subtlety is often lost on those who are newly acquainted with the concept of an ISMS. It is not unusual for me to hear statements such as: "We want good IT security, so we decided to implement ISO 27001:2005." This is a common misconception. There is a lot more to managing the security of information than implementing IT security controls. So if ISO 27001:2005 is not an IT security solution what is it?
ISO 27001:2005 specifies the requirements for an ISMS, and an ISMS is a management system for information security. It is all about people, their responsibilities and authorities, and the processes that ensure continual information security risk assessment and treatment. All information security controls, including IT security controls, are derived from the importance of information to the business processes and the risks to which that information is exposed. The importance of information is determined from business, legal and compliance requirements. But is IT system security enough to satisfy all these requirements? Absolutely not! An IT professional can certainly speak to the technical security controls, but may not have the tools or perspective to anticipate the impact on business processes if something happens to the confidentiality, integrity, or availability of information. This is where an ISMS fits in, by providing a means of bridging the gap between IT and the business.
This article focused on establishing a definition of what an ISMS is…and what it is not. In the next article, I’ll address step two in the process: Building your reference material library and your network.
I hope that you found this information useful and look forward to hearing your opinions on the topic. Please provide any comments for this article here.
Srdačan pozdrav (Warm regards)
Note from the Editors:
This is the first in a series on how to build an Information Security Management System from Biljana Cerin, CISM, CISA, PMP, CBCP. She is a Senior Information Security Consultant for S&T, an IT solutions and services provider with more than 3100 employees worldwide. She is also an expert in the design, development and implementation of ISMS (Information Security Management System) programs as specified within ISO 27001:2005. Aside from her day job of spreading the ISMS gospel, Biljana also serves as a business continuity management consultant for major financial institutions in Eastern Europe. We have long suspected that she is somehow related to the Energizer Bunny, since she always seems to be available to answer our questions regardless of the time at which we make the request. (Keep in mind that we are calling from Newport Beach, California and she resides in Zagreb, Croatia…a 9-hour differential…spooky.)
Ron Collette and Mike Gentile