Implementation Of Information Security Manageme...

In this article we would like to share our experience with defining and implementing an Information Security Management System (ISMS) based on ISO/IEC 27001 requirements, as a way to improve information security in an organisation and to meet new regulatory requirements.


Implementing an information security management system based on ISO/IEC 27001 is voluntary: it is the organisation itself that decides whether to implement a management system that meets the standard's requirements.


Obtaining this certification is indirect evidence that the organisation meets the mandatory requirements imposed on it by law; the certificate does not replace a legal compliance assessment, but it shows that the organisation manages information security in a documented and auditable way. For instance, in the European Union, including in Poland, it is already possible to identify which organisations are, or will be, required to have at least a subset of an information security management system in place. These include:


The system is operated by people in the organisation who are assigned defined roles and are responsible for maintaining and achieving the organisation's security objectives. Their activities are carried out within a Management System, which comprises the policies, processes, procedures, instructions and records that describe the information security management system.


When defining and implementing an ISMS, it is a good idea either to seek the support of an information security consultant, or to build or use competencies within the organisation and purchase a ready-made know-how package containing ISO/IEC 27001 document templates as a starting point for the implementation. Whichever option is chosen, the following ISMS implementation steps can be identified.


Setting the objectives is an iterative process, so they should be reviewed and updated at least annually. The information security objectives should be determined by top management and should reflect the business and regulatory needs of the organisation.


Contrary to a common opinion, which dates back to experiences with the ISO 9001 standards, ISO/IEC 27001 is well grounded in the practical and technical requirements of information security. This is why the organisation should first select, from the security controls and requirements set out in the standard, those that are applicable to it, and record that selection (in ISO/IEC 27001 terms, the Statement of Applicability). The standard defines both the processes that should make up the organisation's Management System and the security controls the organisation should implement to protect its information. The results of this selection provide the basis for the subsequent implementation steps.


At this stage of the implementation, executive support has been secured, objectives have been set, assets have been identified and valued, the risk analysis results are available, and the risk treatment plan is in place. The remaining elements of the ISMS can therefore be defined and the selected security controls implemented in the organisation. This is usually an iterative process in which the following ISMS components are defined:


Before certification begins, the information security management system should already be operating in the organisation, since the certification audit looks for evidence that the system works, not only that it is documented. Ideally, a fully defined system will have been implemented and maintained for at least a month or two before the certification audit starts, leaving time to conduct the necessary training, carry out a management review, implement the required security controls, and adjust the risk analysis and risk treatment plan. During this period, the first actions set out in the infrastructure maintenance and security management plan should be carried out as well.


Implementation of an information security management system in a company is confirmed by a certificate of compliance with ISO/IEC 27001. Certification requires passing a certification audit conducted by a management system certification body. The certification audit has two phases. Phase I usua
