ISMS Information Security Management System
ISMS Information Security Management System
ISMS is short for Information Security Management System. ISMS is a documented system to provide security for information and data in your company. ISMS is a vital management concept in today's information intensive businesses. The goal of ISMS is to eliminate possible loss or destruction of information.
What is ISMS?
ISMS or Information Security Management System is a management system based on a systematic business risk approach. ISMS is a system designed to establish, implement, operate, monitor, review, maintain, and improve information security. It is an organizational approach to information security. ISMS is a documented system certifying that:
- Information assets in your company are described and secured,
- Information security risks are managed and mitigated,
- Security policies together with their ownerships and guarantees are in place,
- Adherence to security measures is inspected periodically.
ISMS can be implemented as a specific information system that deals with a particular business area, or it can be implemented as an all-encompassing system involving the whole organization.
In any case, ISMS usually involves resources spanning from the management to the regular employees.
Picture: Components of an Information Security Management System (ISMS)
How does ISMS perceive "information security"?
We talk about information security, someone might ask "What is information security in ISMS?", and so we need to address this topic at least slightly. Information security is the protection of information to ensure the following:
Confidentiality: Confidentiality means that information is accessible to those authorized to access it only.
Integrity: Integrity means that information is accurate and complete and that information is not modified without authorization.
Availability: Availability means that information is accessible to authorized users when required.
ISMS and ISO standards
Information and information technologies are often the key to the success of a business, and businesses make decisions about how to make these important assets more secure and less vulnerable to attacks and disasters. Dealing with information security in corporations calls for a systemic and complex approach. ISO norms ISO/IEC 27001 and ISO/IEC 27002 make the job of making your information more secure easier.Both standards are closely related, but each of them plays a slightly different role. ISO 27002 provides a detailed steps or a list of security measures which can be used when building an ISMS. ISO 27001 talks about how to implement, monitor, maintain, and continually improve an ISMS Information Security Management System. ISO 27001 is also the standard that governs ISMS certification.
Why do I need to have ISMS?
Implementing sound ISMS in your company is not free and can take many months; however, it can also bring many valuable benefits.
- If information is the key asset that is needed in your business then ISMS helps to protect your business case,
- ISMS delivered via ISO standards is compatible with others in the market,
- Company management is always involved in the security and always has access to information,
- Your partners view you as more reliable, credible, and trustworthy,
- ISMS certification opens doors to new business (for example better competitive position in the EU market),
- Information and data sources are utilized more efficiently,
- ISMS makes your investments into information security more efficient,
- ISMS brings the importance of information security to your employees and makes them more involved in your business,
- ISMS changes the culture in your company (brings responsibility and accountability).
ISMS is not only a mechanism or a system to improve the security of your data and information; it also leads to more effective utilization of your information and better competitive position in the market.
Does ISMS apply to small businesses too?
Yes, ISMS should be implemented regardless of the size of your organization. It can be used in a large international organization with thousands of employee as well as in a small business with 10 employees. ISMS is described in the ISO norm 27001. The size of your business only determines the interpretation and extent to which recommendations given by the standard are implemented.
Where do I get more information?
You can find more details about ISMS on the next page which talks about ISO/IEC 27001:2005.
The following guide explains common IT security audit findings: Top 10 Risk and Security Audit Findings