An Information Security Management System (ISMS) is essential to protect data from cybercriminals. It aims to select and operate the information security controls best suited to the organisation so that information is protected to an appropriate level. In today's environment, it is essential that only authorised people and systems can access an organisation's data.
In this blog, we will discuss the fundamentals of Information Security Management, its integration and benefits, ISO 27001, and its update ISO 27002:2022. We will also guide you on the selection of security controls for your organisation and the key parameters to take note of.
What is an Information Security Management System?
If we could trust people not to mess with our information and systems, then we could do without information security controls; everything from a password to the strongest forms of encryption. Unfortunately, however, we cannot, and controls are needed so that only authorised people and systems can access specific sets of information, which can be relied upon when required for legitimate purposes. This is achieved by implementing an information security management system under the guidance of experts.
That may sound simple enough, but there are thousands of different information security controls available in the world and no organisation, however large and complex, can use them all. Many controls also impact productivity, and the natural objective is to select the appropriate controls, but how and on what basis?
We can adopt a fixed set of controls, such as the 133 listed in the Cloud Security Alliance’s Cloud Control Matrix, but these are quite broad control domains, not specific control solutions and, regardless of the framework adopted, implementing all the controls, or control types, listed can sometimes amount to fixing a problem that does not exist.
In ISO 27001, Annex A provides a similar list of 114 information security controls and requires that some, not necessarily all, of them are selected and implemented based on whether they are needed to reduce unacceptable risks to an acceptable level. This is what is referred to as a ‘risk-based approach’.
Risk Assessment and Treatment
The risk assessment and risk treatment processes required by ISO 27001 are the most important of a broader group of processes and sub-processes designed to ensure that the organisation implements, monitors and maintains the most appropriate set of information security controls. The other processes required by ISO 27001 are there to ensure that the risk assessment and risk treatment processes are continually effective.
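The following Python script is an added illustration of the risk-based approach described above; it is not code from the original post and ISO 27001 does not prescribe any particular scoring method. It assumes a constructed 1 to 5 likelihood and impact scale, a hypothetical risk acceptance threshold, and hypothetical control names (not Annex A identifiers). It selects a control only where a risk would otherwise remain above the acceptable level, records which risks were accepted, treated, or left unresolved for further treatment, and derives a statement-of-applicability style list showing which catalogue controls turned out to be needed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed scale: likelihood and impact are each scored 1..5; risk = likelihood x impact.
# Risks scoring at or below this hypothetical threshold are accepted without treatment.
RISK_ACCEPTANCE_THRESHOLD = 6


@dataclass(frozen=True)
class Control:
    name: str                   # hypothetical control name, not an Annex A identifier
    protects: FrozenSet[str]    # which CIA attributes the control defends
    likelihood_reduction: int   # likelihood points removed when applied (constructed)


@dataclass
class Risk:
    asset: str
    attribute: str      # "confidentiality", "integrity" or "availability"
    likelihood: int
    impact: int

    def inherent_score(self) -> int:
        return self.likelihood * self.impact


def treat_risk(risk: Risk, catalogue: List[Control]) -> Dict:
    """Select only the controls needed to bring one risk to an acceptable level."""
    residual_likelihood = risk.likelihood
    selected: List[str] = []
    if risk.inherent_score() <= RISK_ACCEPTANCE_THRESHOLD:
        status = "accepted"          # already acceptable: no control is justified
    else:
        # Consider only controls that protect the attribute at risk, strongest first
        # (sorted() is stable, so equal reductions keep catalogue order).
        candidates = sorted(
            (c for c in catalogue if risk.attribute in c.protects),
            key=lambda c: c.likelihood_reduction, reverse=True)
        for control in candidates:
            if residual_likelihood * risk.impact <= RISK_ACCEPTANCE_THRESHOLD:
                break                # stop once the residual risk is acceptable
            residual_likelihood = max(1, residual_likelihood - control.likelihood_reduction)
            selected.append(control.name)
        residual = residual_likelihood * risk.impact
        # A risk the catalogue cannot reduce enough needs other treatment (avoid, transfer).
        status = "treated" if residual <= RISK_ACCEPTANCE_THRESHOLD else "unresolved"
    return {
        "asset": risk.asset,
        "attribute": risk.attribute,
        "inherent": risk.inherent_score(),
        "residual": residual_likelihood * risk.impact,
        "controls": selected,
        "status": status,
    }


def build_treatment_plan(risks: List[Risk], catalogue: List[Control]) -> List[Dict]:
    return [treat_risk(r, catalogue) for r in risks]


def statement_of_applicability(plan: List[Dict], catalogue: List[Control]) -> Dict[str, bool]:
    """Mark each catalogue control as applicable only if some risk needed it."""
    needed = {name for entry in plan for name in entry["controls"]}
    return {c.name: c.name in needed for c in catalogue}


# Constructed control catalogue (hypothetical names and reduction values).
CATALOGUE = [
    Control("Multi-factor authentication", frozenset({"confidentiality", "integrity"}), 2),
    Control("Encryption at rest", frozenset({"confidentiality"}), 2),
    Control("Tested backups", frozenset({"availability"}), 3),
    Control("Change control", frozenset({"integrity"}), 1),
    Control("Clear desk policy", frozenset({"confidentiality"}), 1),
]

# Constructed risk register.
RISK_REGISTER = [
    Risk("Customer database", "confidentiality", likelihood=4, impact=5),
    Risk("Payroll file server", "availability", likelihood=2, impact=4),
    Risk("Public marketing site", "integrity", likelihood=2, impact=2),
    Risk("Source code repository", "integrity", likelihood=3, impact=4),
    Risk("Legacy plant controller", "availability", likelihood=5, impact=5),
]

if __name__ == "__main__":
    plan = build_treatment_plan(RISK_REGISTER, CATALOGUE)
    for entry in plan:
        print(f"{entry['asset']:<26} {entry['attribute']:<16} inherent={entry['inherent']:>2} "
              f"residual={entry['residual']:>2} {entry['status']:<10} {entry['controls']}")
    print("\nStatement of applicability:")
    for name, applicable in statement_of_applicability(plan, CATALOGUE).items():
        print(f"  {name:<28} {'applicable' if applicable else 'not applicable'}")
```

Two points worth noticing in the output: the marketing site risk is accepted without any control, and two catalogue controls end up "not applicable" because no risk needed them, which is exactly the "some, not necessarily all" selection the standard asks for. The plant controller remains unresolved, signalling that the catalogue alone cannot treat it and another treatment option must be chosen.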
The ISO 27002:2022 update reduces the number of security controls to 93, which businesses refer to when implementing an ISMS to achieve information security. Businesses certified to ISO 27001 will have to upgrade to ISO 27002:2022 in the near future.
ISO 27002:2022 Update
The recently released ISO 27002:2022 update of ISO 27001 has 93 security controls, compared with the 114 present in the latter. This standard emphasises information security, privacy protection, and cyber security for protecting businesses, their data, and employees. It has dropped the phrase ‘code of conduct’ and includes new security controls and improvements to existing ones. Businesses have been given a two-year transition period to upgrade to the latest standard.
What is ISO 27001?
ISO/IEC 27001:2013 (ISO 27001) is an internationally recognised management system standard designed to help any organisation improve its demonstrable information security capabilities. While adopting a risk-based approach, the Standard can be applied to any business, regardless of its size and market sector. This is because information security risks, and the controls designed to prevent those risks from materialising, are generic. Threats apply equally to companies and systems irrespective of their size, and so do the controls intended to prevent those information security risks from reaching their target.
Relevance of confidentiality, integrity, and availability (CIA)?
When protecting information assets, we are protecting at least one of the three security attributes of confidentiality, integrity, and availability, or CIA as they are more commonly referred to. Let’s have a look at each one:
Confidentiality
According to this security attribute, information is protected from unauthorised access by either a user or another system.
Integrity
With this attribute, we ensure that the accuracy and completeness of the information have been preserved.
Availability
With this attribute, we are certain that legitimate users and systems can access and use information, and the means of processing it, when needed.
ISO 27001’s full title is ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements, which is slightly misleading because information security isn’t only about IT. Information assets include the information itself, whether digital, printed, or in any other form such as voice, as well as everything that supports and enables its use and protection. It is understood that less than 40% of the controls in Annex A of ISO 27001 are technical; the remainder are organisational and mostly under the control of the IT function.
Integrating an ISMS into an organisation
Like anything else that an organisation does not already have or use, an ISMS may feel like a challenging exercise when it comes to implementing information security controls in the business. However, the selection, implementation, and maintenance of information security controls are often ‘business as usual’ activities and may already be carried out by individuals across the organisation. These existing activities can form the basis of the risk assessment and treatment processes that are central to the ISMS, with the addition of any missing elements, such as documented procedures and monitoring of control performance.
In a similar way, major organisations without a systematic approach to information security do not review their policies. Once written, it is assumed that those policies will be fit for purpose, and review typically happens only when a policy failure occurs. The planned maintenance concept exists in most fields of endeavour, and making the move from reactive ‘only when broken’ policy review to proactive ‘planned maintenance’ policy review is very often not a big step.
An ISO 27001 ISMS can also be integrated with other ISO-based management systems such as ISO 22301 (business continuity management) and ISO 20000 (service management) with relative ease because the major process requirements are either the same or very similar. Implementing two management systems no longer requires twice the amount of investment. Processes such as management review, internal audit, and improvement can be made in common for both, capitalising on economies of effort in both design and operation.
What are the benefits of implementing an ISMS, if an organisation is already controlling and protecting its information?
Here are some of the benefits of implementing an ISMS, and how it will make a difference to a business:
Secure all types of information
With an ISMS, businesses can secure all types of information, including digital, hand-written, and information stored in the cloud or on the network.
Strengthen resilience using an information security management system
With an Information Security Management System (ISMS), organisations can close security gaps based on expert consultation and strategies. The implementation and maintenance of an ISMS will help businesses build resilience to cyber-attacks.
Storing company data in one place
An ISMS offers a central framework for storing company information in one place in a structured way, so it is easy to locate. Access rights are assigned depending on a person's role and the type of information.
Reduction in risk from threats
An ISMS adapts to the changing internal and external environments of a business and reduces the risk posed by evolving threats.
Reduces unwanted costs on information security
The risk assessment and analysis approach followed by an ISMS reduces unwanted costs incurred on unnecessary additional layers of information security. The ‘continual improvement’ model that underpins ISO management system standards means that the assessment and treatment of risks, and the other processes that make sure those are conducted effectively, are carried out on an iterative basis, so that as threats and vulnerabilities change, the risk treatment plan is updated regularly and controls remain fit for purpose.
Additionally, top management has regular assurance that all identifiable information security risks are appropriately managed. Although many directors may not be aware that they need to know this, they do!
Protects CIA of data
An ISMS protects the confidentiality, integrity, and availability of information with the help of its policies, step-by-step procedures, and technical and physical controls.
Promotes awareness of information security risks to employees
All employees of a business are given expert guidance on security controls and possible information security threats. The ISMS’s holistic plan of action trains employees and makes them capable of understanding security controls and risks, so they can apply the measures taught at an individual level to further increase information security.
ISO 27001 provides a framework for organisations to control and influence the way information security risks are managed and how controls are implemented, managed, and improved. There are also many reputational, financial, strategic, and internal benefits from implementing an ISMS, such as increased customer confidence, greater business opportunities, tender advantages, and improved security awareness and ‘buy-in’ across all levels of the organisation.
With a recognised structure (ISO 27001 information security), senior managers and all employees are likely to support important activities, such as awareness-raising, competence assessment and policy compliance.