What is ISMS
The fundamentals of Information Security are explained in detail in the various sections of this website, and I would advise you to read those sections carefully to get a good understanding of the work involved in developing a good Information Security Management System, or ISMS.
Information Security can be a complex and confusing subject, and to make sense of it you need to organise yourself. The obvious way to do this is by developing an ISMS. A good ISMS provides a framework for understanding and prioritising your requirements.
A good ISMS should cover all the areas required to meet your business information security objectives, how it will work, and who is responsible for the processes and sub-processes involved in delivering your Information Security Management System.
The goal of the Information Security department should be to effectively and efficiently protect the organization's information assets through proactive risk management, using best-practice controls delivered by skilled, respected and talented people. In particular, a good ISMS should focus on managing risks related to four key organizational requirements for information:
Managing Risks
A good risk management process and approach should be maintained and businesses and IT service suppliers supported in conducting assessments of information assets and new IT developments. Risks should be collected in a central repository and consolidated in risk profiles to support management decisions regarding mitigation or acceptance.
Defining Controls
An IT control framework should be developed, consisting of control objectives as well as implementation standards and guidelines based on relevant industry standards (e.g. COBIT, ISO 27001), compliance requirements from internal policies (e.g. a Code of Conduct) and external regulations (e.g. Sarbanes-Oxley) that have implications for IT. The organisation should be supported in selecting controls based on risk, and advice should be given on their implementation.
Monitoring Compliance
A single IT compliance approach should be developed, taking into account requirements from internal and external auditors. Evidence should be collected on the design and operational effectiveness of controls and consolidated into relevant compliance reports for multiple stakeholders. Where possible, IT audits should be planned in advance, findings discussed with the auditors, and actions defined and assigned to the appropriate action parties.
Managing Incidents & Surveillance
An incident management process should be developed to analyse and monitor incidents (e.g. failures of controls). This will help the organization investigate each incident, learn its causes and take remedial action. Where possible, automated tools should be used to survey controls for vulnerabilities. Incident and vulnerability data should be consolidated and reported back so that the risk register and risk profiles are kept up to date.
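The Managing Risks and Managing Incidents & Surveillance sections both describe the same loop: risks are held in a central register, scored, consolidated into per-asset profiles, and then updated from incident and vulnerability data so that mitigate/accept decisions stay current. The following Python example, added here and not code from the original page or from any ISMS product, shows one minimal way to model that loop. It assumes a qualitative 5x5 likelihood/impact scale, a numeric risk appetite threshold, and the rule that an observed incident raises a risk's assessed likelihood by one step; the register entries and incident counts are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict

# Qualitative 5x5 scale; this is an assumption of the example, not a scale the page prescribes.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
IMPACT = ["negligible", "minor", "moderate", "major", "severe"]


@dataclass
class Risk:
    risk_id: str
    asset: str
    description: str
    likelihood: str          # one of LIKELIHOOD
    impact: str              # one of IMPACT
    incidents: int = 0       # fed in from the incident management process
    open_vulns: int = 0      # fed in from automated vulnerability surveys

    def score(self) -> int:
        # Scores range from 1 (rare x negligible) to 25 (almost certain x severe).
        return (LIKELIHOOD.index(self.likelihood) + 1) * (IMPACT.index(self.impact) + 1)


class RiskRegister:
    """Central repository of risks, consolidated into per-asset risk profiles."""

    def __init__(self, appetite: int):
        self.appetite = appetite          # scores above this threshold must be mitigated
        self.risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        self.risks[risk.risk_id] = risk

    def record_incident(self, risk_id: str) -> None:
        # An observed control failure is evidence the risk is more likely than assessed:
        # raise likelihood one step (assumed rule), capped at the top of the scale.
        r = self.risks[risk_id]
        r.incidents += 1
        idx = LIKELIHOOD.index(r.likelihood)
        r.likelihood = LIKELIHOOD[min(idx + 1, len(LIKELIHOOD) - 1)]

    def record_vulnerabilities(self, risk_id: str, count: int) -> None:
        # Latest open-finding count from the vulnerability survey tooling.
        self.risks[risk_id].open_vulns = count

    def decision(self, risk_id: str) -> str:
        r = self.risks[risk_id]
        if r.score() > self.appetite:
            return "mitigate"
        if r.open_vulns > 0:
            # Tolerable risk, but open findings still need tracked remediation.
            return "accept-with-remediation"
        return "accept"

    def profile(self, asset: str) -> dict:
        # Consolidated view of one asset for management reporting.
        rs = [r for r in self.risks.values() if r.asset == asset]
        return {
            "asset": asset,
            "risk_count": len(rs),
            "max_score": max((r.score() for r in rs), default=0),
            "to_mitigate": sorted(r.risk_id for r in rs if self.decision(r.risk_id) == "mitigate"),
        }


def build_sample_register() -> RiskRegister:
    """Constructed sample data; all values are illustrative only."""
    reg = RiskRegister(appetite=9)
    reg.add(Risk("R-001", "payroll-db", "unauthorised access to salary data", "unlikely", "major"))
    reg.add(Risk("R-002", "payroll-db", "backup media lost in transit", "rare", "severe"))
    reg.add(Risk("R-003", "web-portal", "customer portal defacement", "possible", "minor"))
    # Feed incident and vulnerability data back into the register.
    reg.record_incident("R-001")            # access control failed once this quarter
    reg.record_vulnerabilities("R-003", 2)  # scanner reported two open findings
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for rid, risk in register.risks.items():
        print(rid, risk.asset, risk.score(), register.decision(rid))
    print(register.profile("payroll-db"))
```

In the sample data, R-001 starts at 8 (unlikely x major), is pushed to 12 by the recorded incident and therefore crosses the appetite of 9 and lands in the mitigate list for the payroll-db profile, while R-003 stays within appetite but is flagged for remediation because the survey tooling still reports open findings. A real register would add owners, review dates and evidence links, but the decision logic is the part the text describes.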