Perry Johnson Registrars, Inc.

What is an Information Security Management System?

From internal emails to sales materials to financial statements, organizations of all sizes and in all industries handle large amounts of information every day. To an organization like yours, this information is a competitive advantage: it is how you solve problems, land big clients, and win your share of the market. The goal of an Information Security Management System (ISMS) is to protect the information that differentiates your business, whether it is stored and transmitted electronically or kept on paper and discussed in person.

Principles of an Information Security Management System

While the implementation of an ISMS will vary from organization to organization, there are underlying principles that every ISMS must abide by in order to be effective at protecting an organization's information assets. These principles, a few of which are described below, will help guide you on the road to ISO/IEC 27001 certification.

The first step in successfully implementing an ISMS is making key stakeholders aware of the need for information security. Without buy-in from the people who will implement, oversee, or maintain the ISMS, it will be difficult to achieve the level of diligence needed to build a certifiable ISMS and to sustain it after certification.

In order for an organization's ISMS to be effective, the organization must assess the security needs of each information asset and apply controls appropriate to that asset's risk. Not all information assets need the same controls, and there is no silver bullet for information security. Information comes in all shapes and sizes, as do the controls that will keep it safe.

Implementing an ISMS is not a project with a fixed length. To keep an organization safe from threats to its information, an ISMS must continually grow and evolve to meet a rapidly changing technical landscape. Continual reassessment of an Information Security Management System is therefore a must. By regularly testing and assessing its ISMS, an organization will know whether its information is still protected or whether modifications need to be made.

These are just a few of the principles that guide the implementation of an Information Security Management System. For more information, contact PJR at (248) 358-3388 or pjr@pjr.com to talk to the experts.

Information Security is a Management Function

While there are many technical aspects of creating an Information Security Management System, a large portion of an ISMS falls in the realm of management.

One of the weakest links in the information security chain is the employee, the person who accesses or controls critical information every day. An ISMS must include policies and processes that protect an organization from the misuse of data by employees, whether accidental or deliberate. These policies must have the backing and oversight of management in order to be effective.

In addition to formal policy and process changes, management must also change the culture of an organization to reflect the value it places on information security. This is no easy task, but it is critical to the effective implementation of an ISMS.

Information Security Management is a process

Just as organizations adapt to changing business environments, so must Information Security Management Systems adapt to technological change and to new organizational information. To support this, ISO/IEC 27001 takes a process approach to the ISMS, built on the Plan-Do-Check-Act (PDCA) methodology: plan the ISMS and its controls, implement and operate them, monitor and review their effectiveness, and act on the findings to improve the system. The 2005 edition of the standard was explicitly structured around PDCA; the 2013 and 2022 editions no longer mandate a particular improvement model, but their clauses on planning, operation, performance evaluation, and improvement still map naturally onto it.