What is an information security management system (ISMS)? Why you should implement one in your organisation
What is an information security management system?
Information is a highly valuable asset to any business that can take many types of forms, such as digital data files, paper material or employee knowledge. Therefore, information security is vital. Before going into further detail, readers should clearly understand the meaning of information security, defined by ‘preservation of confidentiality, integrity and availability of information’. But, what exactly does this mean? Confidentiality, integrity and availability, also known as CIA, are information properties defined as follows:
- Confidentiality – information is not disclosed to unauthorised parties or individuals.
- Integrity – information is accurate and complete
- Availability – information is accessible and ready to be used by authorised individuals when required
How can an organisation enhance its information security?
In our experience, every organisation is different with precise needs and goals. However, all of them have risks affecting the CIA of information and, as a consequence, affecting their information security. A strategic organisation decision to be done is the adoption of a systematic approach to manage and keep information assets secure, including people, policies, processes and IT systems by applying a risk management process and taking into account all defined controls of an organisation. In other words, organisation can enhance their information security risks and controls by implementing an Information Security Management System (ISMS).
What are ISO/IEC 27001 and ISO/IEC 27002 standards?
The ISO/IEC 27001 standard, published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), is designed to provide an universal model for implementing, managing and maintaining an ISMS; it includes requirements for assessing and treating information security risks, it is applicable to all organisations, regardless of type, size or industry, and it can be certified. ISMS requirements include:
- Context of the organisation (clause 4)
- Leadership (clause 5)
- Planning (clause 6)
- Support (clause 7)
- Operation (clause 8)
- Performance evaluation (clause 9)
- Improvement (clause 10)
At this point, readers may be wondering ‘how can my organisation do that?’ and here is where both standards are linked. Annex A of the ISO/IEC 27001 standard contains a list of controls that are further explained and structured in the ISO/IEC 27002 standard.
The third edition of the ISO/IEC 27002 standard, published on the 15th of February 2022, set out general information security controls, including implementation guidance, that every organisation can consider for treating their information security risks. These controls have been organised in four subjects:
- Organisational controls
- People controls
- Physical controls
- Technological controls
Additionally, this new edition has introduced the concept of attributes per each control, which are highly tailored to your organisations needs and they would help you to create several insights of your information security controls, for example by the use of customised dashboards useful when presenting information security details.
The key difference between ISO/IEC 27002:2013 (second edition) and ISO/IEC 27002:2022 (third edition) in a nutshell
- ISO/IEC 27002:2022 cancels and replaces the ISO/IEC 27002:2013
- Different title, enhancing the wording ‘information security controls’ as a general concept in its latest edition
- Introduction of controls’ categorisation and implementation of attributes for helping organisations to produce a clear information security outlook and posture
- Simplification of information security controls. The previous edition had 114 controls organised in 14 domains. However, the new edition has 93 controls in total organised in 4 topics. After conducting a reconciliation between both standards, the ISO/IEC 27002:2022 covers:
- 11 new controls to better align with current information security threats
- 24 controls have been merged and simplified from the previous edition; and
- 58 controls remain with the same title but they have been thoroughly revised to ensure that they are consistent with the rest of the information security controls
Benefits of ISO/IEC 27001
- Competitive advantage and increased business resilience. ISO/IEC 27001 certification helps to demonstrate good security practices and provides a marketing edge over your competitors.
- Increased reliability and security of systems and information. Protect the confidentiality, integrity and availability of information through a risk management process.
- Improved management processes and integration with corporate risk strategies. Build a culture of information security by integrating with the organisation’s policies, processes and procedures.
- Protect and enhance your reputation. Commitment to information security management at all levels of the organisation ensures that the necessary steps to prevent and react to information security risks are being taken.
- Comply with business, legal, contractual and regulatory requirements. Encourage efficient security cost management, compliance with relevant laws and regulations, and a comfortable level of interoperability across your organisation.
Source of information
ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls
ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls
Get in touch
Please get in touch using the contact form below or visit IT Assurance.