What is the information security management system

Why an information security management system?

An information security management system - ISMS for short - helps to ensure the security of information in the company and, above all, to continuously improve it in a structured and managed manner.

It is not a question of technically implementing an externally specified level of security. It is much more about identifying your own security level as a basis. The protective measures of a successfully implemented ISMS are based on this.

Since then, reports about security gaps in software and hardware components as well as security incidents of large corporations have increasingly come into the focus of the media and of public interest. Against this background, we also perceive an increasing demand in discussions with our customers for ways to improve information security in our own organizations.

However, the ISMS is not just about technical security. In addition to IT security, the information security management system also considers the organizational measures and, above all, the path to good information security.

How do you introduce an ISMS in the company?

A successfully implemented ISMS consists of several components. Of course, this also includes the formal part with specification documents and guidelines. However, it becomes really interesting at the latest when it comes to active implementation. Started with the identification of the company values, the risk analysis….
This article is intended to give you an overview of the steps involved in introducing an information security management system.

Not just an IT task!

A few years ago, information security was slipped on administrators or IT departments as part of their responsibility, but it has now become a top priority.

It is clear to those responsible: You have to take a holistic view of the topic. All members of an organization, from the boss to the clerk, have to live information security. This is the only way to implement it! But how exactly do you go about it? Where do you start to establish the topic in your own organization? Are there guidelines or standards that you can use as a guide?

Information security guidelines and standards

Yes, there is, namely the ISO 27000 standard family, for example. This is part of the well-known series of international ISO standards. Because this approach is our favorite among management systems for information security, we will briefly explain its structure below.

In addition to the international approach, there is also a “German” approach to IT-Grundschutz according to the BSI (Federal Office for Information Security). An ISMS based on IT-Grundschutz can also be certified according to ISO 27001. This may make sense in some places, but is usually more time-consuming to implement than the international risk-based approach.

For authorities, ISIS12 is very often recommended as a procedure for implementing an information security management system. Based on our own experience, we of course offer this approach to our customers at their request.
Our recommendation, however, is instead of the ISIS12 approach, a "stripped down" ISO 27001 ISMS. That is, as an implementation approach, we recommend using the project plan as described below. However, in some places the implementation and documentation can be shortened if certification is not sought.

The ISO 27000 standard family

The 27001 standard family is a series of information security standards. In the meantime, more than 30 documents describe binding requirements or give general recommendations for the implementation of the core content. Part of this standard family is the normative standard for an ISMS, ISO 27001. You can also be certified according to this. This is about the introduction, implementation, maintenance and constant improvement of an information security management system. The standard specifies specific guidelines and requirements. These must be implemented in a binding manner in order to operate a certified ISMS.

In general, the ISO 27000 family of standards consists of normative and informative standards. The normative standards ISO 27001, ISO 27006 and ISO 27009 are binding specifications and requirements that must be implemented for certification. The informative standards, on the other hand, are more of a recommendation. They consist of general guidelines and non-binding proposals for the implementation of the normative standards for information security.

Reasons for ISO 27001 certification

The reasons for certification are quite different. There are organizations that strive for certification of their own accord. They want to signal to the outside world that information security is important to them.

This is exactly how it happens that certification is a mandatory requirement for a business relationship. However, do not see this case as a necessary evil to maintain a business relationship. Here, too, your own organization definitely benefits!

For example, certification can represent a competitive advantage over other market participants. But you can also score points with customers with certified information security. From our experience, customer audits in the area of ​​IT / information security are significantly reduced with a certificate.

In addition, existing risks come to light on the way to the certificate. The management system offers the chance to become aware of them and to defuse them. Ideally, before they could fall on your feet. The upcoming certification will also ensure that business-critical values ​​are dealt with more consciously. Last but not least, this - in combination with the safety-conscious actions and behavior of employees as well as risk-minimizing measures - leads to increased profitability in the long term.

The ISO / IEC 27001 standard

Everything clear so far? Then on to the essentials. The ISO / IEC 27001 standard deals with the introduction, implementation, maintenance and continuous improvement of an ISMS. The ISMS is seen as a holistic system for managing information security. Seen globally, it is part of the entire management system of an organization. This also includes, for example, quality management according to ISO 9000, environmental management according to ISO 14000 or financial management, knowledge management and many more. The exact context of an organization is also taken into account in the ISMS.

Plan-Do-Check-Act

The so-called PDCA cycle is characteristic of the ISMS, even if this is no longer explicitly mentioned in the new versions of the standards. PDCA stands for Plan-Do-Check-Act. The individual phases of this procedural model are run through again and again one after the other. The aim is to achieve a steady improvement of the system in the long term.

Introduction of an ISMS according to ISO 27001

If an organization decides to install a management system for information security, it is absolutely important that the management level is united and fully committed to the introduction. The first step should be, for example, the determination of a project manager who plans and leads the implementation. Above all, however, management must make sufficient resources available. Resources include personnel as well as monetary means or time. Time that those responsible need to implement the upcoming steps. Money that may be necessary to implement the technical requirements (e.g. document control). And of course staff. After all, somebody has to carry out the introduction and implementation of the system.

Project plan for the introduction of ISMS

The project manager should present the planning of the necessary resources and the timing in a project plan for a better overview and plannability. Below is an exemplary project plan. The individual phases are then explained. This project plan is designed for one year. Depending on your organization, you are free to choose when to start and get certified. Since the management system should have run through at least one cycle before certification, we recommend a project duration of approx. One year for the introduction in medium-sized companies.

Define targets

In order to be able to assess the effectiveness of the system after a successful implementation, it is important to define suitable targets at the beginning. No review is possible without targets. Your goals should also reflect your level of security. This is especially important when it comes to the concrete implementation of measures.

The corresponding goals are to be determined in the planning stage. High-level goals are agreed for the management system itself. Further goals can be derived from this, which you break down to subordinate levels.

For example, if one of your high-level goals is to avoid failures of the central IT systems, you can break them down. Your IT manager receives the annual target to operate important systems (which you have to name) with a maximum downtime of 2 hours at a time. You also need to specify how often such a failure can occur. It makes sense that the specification should only apply to defined operating times. So if you don't work at night, a 4-hour downtime does not bother you and should therefore not be included in the reporting. Depending on the organizational structure, the IT manager can distribute his targets even further among his employees.

It is important to agree on goals at these points where you consider them to be important for your company.

Policies, processes and procedures

The guideline, often anchored in a manual (which is not an obligation), is at the top of the hierarchy. It formulates the general goals of the ISMS. It has a more formal character and is issued by the management itself to all members of the organization.

Processes

The processes are in the hierarchy below the manual. There is a process manager and process team for each process. Roles and activities are defined at this level. With the help of the processes, inputs are converted into concrete results.

If you have already implemented a functioning quality management system according to ISO 9001, the processes are not new to you. As with QMS, for example, the ISMS has the processes for

  • Management review
  • Review / audits
  • Risk management

For this reason, the integration of a new ISMS into an existing QMS has many advantages. Most of the processes / procedures already exist and do not have to be "reinvented". They hang "only“Includes the requirements of the information security management system in the existing documentation.

Procedure

The procedures are arranged one level lower. They define the way in which a process is carried out. At the process level, roles were still mentioned in abstract terms. Here, a specific employee or team in a role can already use a specific procedure as part of a process step.

Our practical experience shows that the terms procedures and processes are interpreted differently. What is defined as a process in one company is a procedure in another. That is why I do not want to go into it any further at this point.

In the presentation of the project plan you will find projects, procedures and roles summarized under “Concepts”. The following graphic once again clarifies the hierarchy of these artifacts.

The manual or the central ISMS documentation

As mentioned above, it is of absolute importance that the ISMS is lived by everyone without exception. In order to achieve the broadest possible acceptance, it is therefore important to involve the people involved at an early stage. A good opportunity for this is employee training. We recommend informing the employees about the introduction of the ISMS and presenting the manual. If other communication channels have established themselves in your company, these are of course also possible. Essentially, it is about taking employees with you on the way to the information security management system.
Note: A manual is not a mandatory document in the ISMS. From the history it is available in many companies that already have a management system. The ISMS can also be introduced without a manual. The internal specifications are then published in a different form (e.g. by a DMS or a wiki system, provided that this can meet the requirements of the documentation).

Organization-specific security issues can then be addressed in further communication to raise awareness. The ISMS manual can be viewed as both documentation and operating instructions. It follows a fixed structure. For each normative point of the standard, the specific handling within the organization is described. Terms are defined, expectations and responsibilities are clarified, areas of application are defined and goals are agreed. It is therefore also important that the manual is stored centrally and can be accessed by every member of the organization.

The structure of the manual can be based on the so-called high-level structure. Other ISO standards are also based on this structure. This makes it possible to integrate the manual into the organization's existing management systems with little effort.

Identify assets

In the next step, those responsible must ask themselves what exactly the information management system should protect. In relation to ISO 27001, one speaks of so-called assets. These are the values ​​of an organization. They are also called corporate values. You are valuable to the company. In addition to financial values, this can also be, for example, the value of intellectual property.

In order to determine what the ISMS is supposed to protect, it is therefore important to gain an overview of these assets. This can include information as well as software or hardware components. This also includes applications, but possibly also people and their qualifications, skills and experience. Or reputation and prestige. In particular, it concerns corporate values ​​that are important for the organization in terms of information security. It helps to consider the risk that arises for the organization if the confidentiality, availability and / or integrity of a company value were violated.

The Crown Jewels

According to the Federal Office for the Protection of the Constitution, around 5% of these company values ​​are business-critical in an organization. That is, the company's survival depends on it. These are the so-called Crown jewels. It is particularly important to protect these. To do this, of course, it is necessary to crystallize precisely these values ​​and become aware of them.

Identify risks

You now know your company values ​​and have above all identified the critical ones. In order to be able to assess the risk that exists for a value, several steps are necessary. Several threat scenarios can be run through for each value. This makes it possible to roughly determine the category of the amount of damage. The probability of a scenario occurring is also important. The risk is then the product of the amount of damage and the probability of occurrence. Each risk is then documented. Our article on risk analysis shows you how to do this.

Identify measures

To be sure that a measure is also appropriate, you need a defined level of security. This is the standard by which the protective mechanisms are based. The choice of measures can be done pragmatically. It does not necessarily have to be the most expensive or the most extensive solution. It is important that the measure is appropriate, corresponding to the security level. That means it has to reduce the risk. Seen in this way, in company A, the requirement to change passwords annually may be sufficient. Company B has much higher risks and requires employees to change their passwords every quarter.

The aim is therefore to reduce the existing risk to an acceptable level in relation to one's own company. For sensitive areas it may be enough to install a door with a higher protection class as the first step. Structural work can still be carried out during the next planned renovation. It is also possible to accept individual risks if a suitable measure would go beyond the scope of proportionality.

Create concepts for protective measures

Once the “crown jewels” have been identified, generic rules and guidelines must be drawn up. These state how the protection of values ​​can be implemented in concrete terms. In detail, the standard speaks here of guidelines, processes and procedures. The standard provides for a written formulation and storage in a medium appropriate for the purpose. Applied to the everyday life of an organization, this can mean that frequently changing process documentation may only be available in electronic form. Documents that rarely change, such as the information security manual, on the other hand, can also be made available to all employees in printed form.

Maintaining the ISMS

The guidelines, processes and procedures only add value if it is clearly agreed who is responsible for what. After defining the roles, it must be determined which individual or which team will assume the defined roles. But people who do not belong to a role are also part of the ISMS! For them, too, the standard calls for awareness-raising and training for information security issues. This can include external employees, for example.

Policies, processes and procedures have now been successfully rolled out. Now the standard demands that their implementation and compliance be recorded in a suitable form in the sense of binding force and accountability. In all cases, documentation within an ISMS should offer added value - not unpleasant and disproportionate additional work. In practice, “creating documentation” does not always trigger positive reactions. Often because the proportionality just mentioned is not given. However, this is less due to the norm than to the individual handling in an organization.

Our recommendation for documentation: Less is more!

The standard provides for document control for all documents created in this context. This is a system that clearly regulates the handling of documents. This includes information such as the storage location of a document or the name of the author of the document. Who checks it and who releases it?

Suitable metrics

In order to obtain comparable and meaningful results, it is important to record factors such as the measurement frequency, unit of measure, threshold values ​​or setpoint values ​​in a binding manner right from the start. The archiving period should also be determined in advance.

As far as the type of measurement method is concerned, the standard does not specify itself. The only requirement is that the method must deliver comparable and reproducible results at all times. Other questions to consider when choosing the right method are:

  • the target group for the measurement results
  • the level of detail of the measurement results
  • what exactly is measured in order to be able to measure the agreed goal
  • how many aspects should be monitored
  • the type of measurement (manual or automated).

Here it is important to pick out the relevant aspects. If there are too many monitored aspects, it is easy to overlook relevant measurements. Conversely, the monitoring of fewer aspects can easily result in the measurements not reflecting the actual state of the system or process.

The management review

The management of an organization also has a say when it comes to audits. In the so-called management review, the management checks the effectiveness of the information security management system. The review is based on defined criteria from ISO 27001. The improvements since the last management review are also assessed.

Audits

Last but not least, so-called audits are a suitable instrument for measuring the effectiveness of an ISMS. The purpose of the audits is to examine whether the processes and guidelines meet the standards required by the standard. A distinction is made between internal and external audits. In any case, this is a test of whether the normative requirements of ISO 27001 are actually being complied with. The only difference between the two cases is who takes on the role of the examiner. External audits are mostly, but not necessarily, used for certification. Internal audits of either self-assessment or preparation for an external audit.

Check effectiveness

Perhaps you already guessed it. Introducing and implementing an ISMS is by no means everything. In order to develop further as an organization in the area of ​​information security, a regular review of what is available is required. This takes place according to the aforementioned PDCA cycle. Risks are reassessed at regular intervals. New risks can be recorded and the effectiveness of the measures checked. The derivation of additional measures is intended to further reduce existing and new risks.

Even when choosing the measures, ISO 27001 does not let you down. In the normative Annex A of the standard, binding measures are specified as a minimum requirement. To what extent and to what extent your company implements these measures is of course based on your security level and therefore on the risk.

But it is not just the risks that are regularly checked using the PDCA method. All individual processes, procedures and measures are also subject to this cycle.

Implementation of a stripped-down information security management system

If you want to control and optimize the information security in your company, but do not want to implement the ISO 27001 requirements straight away, VdS Schadenverhütung GmbH offers an option.

With the guideline for a "Information security management system for small and medium-sized enterprises (SMEs)“The VDS has put together compact instructions. We can recommend this to you if you want to start off "small" first. A switch to an ISMS according to ISO 27001 is then possible at any time. Depending on the implementation of the VDS guideline, individual aspects of the ISMS can be adopted directly.

Would you like to introduce an information security management system according to ISO 27001?

You don't know how and where to start with the implementation of an ISMS according to ISO 27001?

Are you looking for competent support?

Contact us

Regina Stoiber has been a certified lead auditor for ISO 27001 for over 10 years. Initially for many years as the head of an ISMS in an international company, now as a company assistant in the implementation and operation of an ISMS. Together with a technically competent team, we will be happy to support you with the introduction and operation of your information security management system.

Since we also know the ISMS from the perspective of the company, a practical and, above all, practice-oriented implementation is important to us.

Arrange a non-binding initial consultation

You are also welcome to arrange a non-binding discussion with us.

Find out more about the ISMS in our webinar

In summary and, as always, practice-oriented, we will show you the most important points and a possible approach to implementing an ISMS.

<<< Zum Webinar! >>>

How helpful was the article?
Thanks!