First, ISMS stands for Information Security Management System. It is a viable term that continues to be applicable today.
While the ISMS has been around for a while, its process gained recognition when its activities were outlined in the ISO (International Organization for Standardization) document ISO-27001:2005. This particular standard is actually a specification, and its clauses four through eight are considered mandatory: they are things that must be done. The latest version of this standard, ISO-27001:2013, has morphed a bit, but let’s take a high-level look at the ISMS process activities, because they are foundational to managing any security program.
Have an independent analysis carried out in which each business process is analyzed for its requirements regarding confidentiality, integrity and availability (or continuity); the results identify the Service Level Requirements for security.
The Service Level Requirements are provided to Service Level Management to compare with the Service Catalogue, which shows the security measures that are always provided: the basic level of security, often called the security baseline. The Customer may set additional requirements that exceed the security baseline offered in the Service Catalogue; this may result in additional costs.
Service Level Management works with the Customer to develop a Service Level Agreement (SLA) that contains measurable Key Performance Indicators (KPI) and performance criteria.
Planning is used to establish the Information Security Management System (ISMS) policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.
Implement and operate the Information Security Management System (ISMS) policy, controls, processes and procedures.
The Control activity organizes and directs the Information Security Management System (ISMS) process itself. This includes the organization of the management framework for information security.
Assess and, where applicable, measure process performance against Information Security Management System (ISMS) policy, objectives and practical experience, and report the results to management for review.
Take corrective and preventive actions, based on the results of the Information Security Management System (ISMS) audit and management review or other relevant information, to achieve continual improvement of the Information Security Management System (ISMS).
Reporting supports the control activities and reports Key Performance Indicator (KPI) measurements required by the Service Level Agreement (SLA) to Customer Management.
Continual Process Improvement
The ISMS process flow chart above follows the Plan, Do, Check, Act (PDCA) model. Each activity is broken down into smaller process activities.
Tuning the ISMS Process Model
Other notable authoritative documents exist today, such as the NIST Cybersecurity Framework.
The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. When considered together, these five Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.
These five Functions easily map to the ISMS process activities mentioned above. These five Functions highlight the importance of endpoint detection and response. I should point out that the Framework begins by highlighting the importance of Risk Management with “Identify”, essentially the (1.0 Define) activities mentioned previously in the ISMS. All the other Functions easily map as well.
What is coming next?
If you are wanting a little Trusted Advisory mentoring, reach out to me and I will try to help when and where I can. I have helped literally hundreds of companies over my professional career. I can easily help expedite and shorten the time it takes to align your business. I have created several services to help my Clients align their ISMS with their business needs. Even a simple 2-3 day workshop can help your organization get on the right track.
You can also check out my comprehensive online curriculum vitae at (www.irlansyah1com).
I am a highly respected information security management system (ISMS) professional, who is vendor independent, and an award-winning published author, with 20+ years of qualified industry experience; possessing a vast range of industry and vendor-specific certifications that demonstrate executive and operational management skills, as well as actual hands-on technical proficiency. I am an expert in ISMS benchmarking and improving its processes, security control objectives, and security controls.
By the way, people often ask me where I find all the time to do the things that I do.
My response: “If I can find the time when I am so busy, then why can’t you?”
The behavior: Drive and Initiative!
Remember: There are the talkers in life… and then there are the doers. Actions always speak louder than words. I make things happen and get the job done!