What Is an Information Security Management System (ISMS) & How Should It Be Implemented?
Posted by on September 20, 2018
Chuck Darst is a Senior Product Marketing Manager for Cherwell Software. Chuck has over ten years of IT Service Management (ITSM) industry experience and over 20 years in a variety of IT Operations Management (ITOM) roles with a focus on machine learning, automation, compliance, and IT security.
Imagine for a moment that you have a specific mobile phone that you use for work. On it, you've stored credit card information to help you pay for things, banking information so you can review your finances, the important details of the clients that you work for, login information for the services that you subscribe to, and lots of proprietary data pertaining to the innermost workings of your business.
If, like most people, you bring your cell phone everywhere with you, there's a chance it might be lost or stolen at some point. If that situation occurs, what happens to the information stored on the device? How do you protect your own privacy and information security? What about securing the information of your clients?
The answer to all of these questions is to establish an Information Security Management System (ISMS)—a set of policies, procedures, and protocols designed to secure sensitive information at your business and prevent it from either being destroyed or falling into the wrong hands. This article discusses the ISMS in detail—we'll talk about what an ISMS is, the history of information security, and some best practices for implementing an ISMS to protect critical data at your organization.
What Is an ISMS?
An ISMS is a set of controls that an organization implements to protect its own informational assets and other information assets for which it is responsible. Organizations that design and implement their own ISMS will find ways to reduce the likelihood of a data breach occurring, ways to limit their liability when a data breach does occur, and other ways to mitigate the impact of any data security issues. Here are some of the key elements that make up an effective ISMS:
An ISMS Is a System of Managing Data Security
An established ISMS governs the policies, procedures, processes, and workflows that are chosen to help protect an organization’s data security. Once the policies have been set by the organization, they must be implemented and operated throughout the organization to realize their benefits. The organization governs the policies with the PDCA (Plan, Do, Check, Act) cycle, regularly revisiting the procedures and adjusting them as needed.
While there are no official documentation requirements for the ISMS, it is common practice to document the policies and procedures for the process-approach administration of the ISMS, as well as any policies, procedures, processes, workflows, or controls implemented to further the company’s data security objectives.
Not All Data Are Treated Equally by the ISMS
The ISMS describes how data should be protected by the organization, but it does not have to treat all organizational data the exact same way. Organizations create, record, and exchange many different types of data each day. We mentioned a few types above—financial records for the company, login details and information for services that the organization uses, client and customer profiles and information, and corporate credit cards and banking details. There are also emails, reports, inventory data, facilities data, service records for equipment, etc.
Not all organizational data has to be under the same level of security, and there are financial and productivity costs associated with protecting certain types of data. For example, if the organization requires two-factor authentication for email logins, an employee might lose an extra two minutes of productivity each time they check their email. Is it worth it? That's up to organization leaders to decide through their own risk assessments.
Compliance with ISMS Is Crucial for Successful Implementation
Creating an ISMS and storing it in a folder somewhere ultimately does nothing to improve information security at your organization—it is the effective implementation of the policies and the integration of information security into your organizational culture that protects you from data breaches. While the establishment and maintenance of the ISMS is an important first step, training employees on the ISMS and building compliance into daily processes and activities at your organization is a priority if you wish to adequately secure your data.
An ISMS Is Dynamic, Not Static
The ISMS is a living system that is constantly changing—it is dynamic, not static. In ISO 27001, an information security standard, the PDCA cycle is applied to the ISMS. Companies should establish the ISMS (plan), implement and operate the ISMS (do), monitor and review the ISMS (check), and maintain and improve the ISMS (act). The ISMS should be reviewed and updated regularly to reflect a changing information security environment and new best practices for data security.
An Effective ISMS Is Risk-based
It is important to understand that protecting your organizational data from security breaches in an absolute sense is probably impossible. A thief or a hacker with enough time and resources will most likely eventually find a way to penetrate the security measures that you implement. A cyber attack against an unsophisticated security system might take a single person just a few hours to complete, while a heavily secured server might take weeks to access for a team of trained security experts.
Organizations must perform a risk assessment that determines which assets need to be most heavily protected, and effectively allocate resources towards the protection of those assets. A risk-based ISMS accounts for the relative risk of different types of informational assets when allocating resources towards asset protection.
Why Should Organizations Protect Their Data?
Now that we have a detailed understanding of ISMS, we need to understand and appreciate why it is so important that organizations protect their data by establishing an ISMS. Here are the most important reasons why organizations should establish an ISMS to help protect their data:
ISMS Helps You Manage Data Security at Scale
Returning to our original example of a business cell phone that could be lost or stolen, it would be relatively easy to protect a single device from falling into the wrong hands, but what happens when your organization has 100 employees with 85 desktop computers, 20 laptop computers, 40 mobile phones, a server room, and a cloud-based repository for all of your crucial documents? At this point, you need to manage information security at scale because there is a high volume of data and a big network. A single device with an improperly configured, out-of-date anti-virus program could become a vulnerability that compromises the network. An ISMS provides controls that help secure each endpoint against malicious attacks, protecting the system as a whole.
Data Breaches Are Enormously Expensive
If you have never experienced a data breach where a lot of customers had their data stolen, you should know that they are incredibly expensive when they happen. The 2017 Cost of Data Breach Study, conducted by the Ponemon Institute with sponsorship from IBM, determined that the average cost of a data breach in 2017 was $3.62 million. You may have heard about the Equifax data breach that resulted in a 20 percent decline in their stock prices and 30+ class-action lawsuits filed against the company within a month. Internet giant Yahoo was also hit by a major security breach that compromised the account information of all their 3 billion users—the fallout from that included $35 million in federal fines, an $80 million legal settlement, and a $350 million reduction in its acquisition value.
On top of that, there are costs associated with notifying customers that their data was compromised, bringing in security experts to patch the vulnerabilities that led to the breach, and other penalties, fines, and compensatory payouts to those affected.
Organizations Can Gain Certification with ISO 27001
The International Standards Organization (ISO) is a global entity that publishes standards and best practices for organizations. In 2005, the ISO published a document formally known as ISO/IEC 27001:2005, which establishes the international standard for information security management systems. Organizations that build their ISMS in compliance with these latest information security standards can earn a certification that indicates to their customers and partners that they have established an appropriate system for securing their informational assets.
ISO 27001 certification provides a business advantage for organizations, allowing them to demonstrate their compliance with the most current best practices for information security management.
How to Implement ISMS at Your Organization
Organizations can benefit significantly from implementing an ISMS, achieving compliance with ISO 27001, and ensuring the security of their informational assets, but a thorough implementation and training process is required to derive the complete benefits of the ISMS. Here's how to start implementing ISMS at your organization:
Step One: Asset Identification and Valuation
The first step to implementing an ISMS is to identify the assets that must be protected and determine their relative value to the organization. Remember, a risk-based ISMS takes into account the relative importance of different types of data and devices and protects them accordingly. In this step, organizations collect data from documentation to identify business-critical IT assets and their relative importance to the organization.
Organizations must create a Statement of Sensitivity (SoS) that assigns a rating to each of its IT assets across three separate dimensions—confidentiality, integrity, and availability:
- Confidentiality - ensuring that the information is accessible to authorized persons only
- Integrity - ensuring that the information to be secured is accurate and complete, and that information and processing methods are safeguarded
- Availability - ensuring that authorized persons have access to the protected information and assets when needed
Organizations must strike a balance between securing assets and making them accessible to authorized persons that may need the data to do their jobs.
Step Two: Conduct a Detailed Risk Assessment
Once asset identification and valuation have been completed and the organization has formulated an SoS, it's time to conduct a detailed risk assessment that will inform the production of the ISMS. A risk assessment analysis includes four important steps for determining how the IT asset should be protected:
- Threats - The organization should analyze the threats to the asset by documenting any unwanted events that could result in either deliberate or accidental misuse, loss, or damage of the assets.
- Vulnerabilities - Threats are a concrete description of what could happen, and vulnerabilities are a measure of how susceptible the IT asset could be to the threats identified in the first part of the analysis. This is where you start to differentiate between different types of assets—while a malicious software attack is a threat for servers, laptops, and phones, we might indicate here that phones are more vulnerable to the threat because they will be used remotely and might be connected to several external networks while servers will be kept in-house and monitored around the clock.
- Impact and Likelihood - The organization can now assess the likelihood of certain types of breaches occurring along with the magnitude of the potential damage that would result from each type of data breach. Organizations can use a cost-benefit analysis to help them target the most potentially damaging breaches with the most aggressive security measures.
- Mitigation - Finally, the organization proposes methods for minimizing the recognized threats, vulnerabilities, and impacts through policies and procedures in the ISMS.
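Steps One and Two together form one procedure: rate each asset on the three CIA dimensions, then score each threat against each asset by its vulnerability, likelihood, and impact, and rank the results so mitigation effort goes where the risk is highest. The following is an added worked example of that procedure as a small risk register; it is not code from the article or from Cherwell, and the 5-point scales, the scoring formula, the High/Medium/Low thresholds, and the sample assets and scenarios are all constructed here for illustration rather than taken from ISO 27001.

```python
"""Risk register for Step One (asset valuation via a Statement of
Sensitivity) and Step Two (threat / vulnerability / impact-likelihood
assessment). Scales, weights and sample data are constructed for this
example; they are not from ISO 27001 or the article."""
from __future__ import annotations

from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = negligible ... 5 = severe (constructed 5-point scale)


def _check(name: str, **ratings: int) -> None:
    """Reject ratings outside the scale so a typo cannot silently lower a risk."""
    for label, value in ratings.items():
        if value not in SCALE:
            raise ValueError(f"{name}: {label}={value} is outside 1..5")


@dataclass(frozen=True)
class Asset:
    """One entry in the Statement of Sensitivity: CIA ratings for one asset."""
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self) -> None:
        _check(self.name, C=self.confidentiality, I=self.integrity, A=self.availability)

    def sensitivity(self) -> int:
        # An asset is as sensitive as its most demanding dimension: a record that
        # is low-availability but high-confidentiality still needs strong controls.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Scenario:
    """A threat applied to one asset, with its vulnerability, likelihood and impact."""
    asset: str
    threat: str         # the unwanted event
    vulnerability: int  # how susceptible *this* asset is to the threat
    likelihood: int     # how often the event is expected to occur
    impact: int         # damage if it happens
    mitigation: str     # proposed control to write into the ISMS

    def __post_init__(self) -> None:
        _check(f"{self.asset}/{self.threat}", vulnerability=self.vulnerability,
               likelihood=self.likelihood, impact=self.impact)


def risk_score(asset: Asset, s: Scenario) -> int:
    """Exposure (likelihood weighted by vulnerability) times consequence
    (impact weighted by asset sensitivity). Range 1..625 on these scales."""
    exposure = s.likelihood * s.vulnerability
    consequence = s.impact * asset.sensitivity()
    return exposure * consequence


def risk_level(score: int) -> str:
    """Bucket a score for the mitigation priority list (constructed thresholds)."""
    if score >= 250:
        return "High"
    if score >= 100:
        return "Medium"
    return "Low"


def rank_risks(assets: list[Asset], scenarios: list[Scenario]) -> list[dict]:
    """Return the scenarios as register rows, highest risk first."""
    by_name = {a.name: a for a in assets}
    rows = []
    for s in scenarios:
        if s.asset not in by_name:
            raise KeyError(f"scenario references an asset missing from the SoS: {s.asset!r}")
        score = risk_score(by_name[s.asset], s)
        rows.append({"asset": s.asset, "threat": s.threat, "score": score,
                     "level": risk_level(score), "mitigation": s.mitigation})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample data mirroring the article's phone / laptop / server discussion.
ASSETS = [
    Asset("company phone", confidentiality=5, integrity=3, availability=2),
    Asset("file server", confidentiality=4, integrity=5, availability=5),
    Asset("staff laptop", confidentiality=4, integrity=3, availability=3),
]
SCENARIOS = [
    Scenario("company phone", "device lost or stolen", vulnerability=5, likelihood=4, impact=4,
             mitigation="biometric unlock, remote wipe, report within 8 hours"),
    # Same threat, different vulnerability: phones roam across untrusted networks,
    # while the server stays in-house and is monitored around the clock.
    Scenario("company phone", "malware infection", vulnerability=4, likelihood=3, impact=3,
             mitigation="mobile device management, app allow-list"),
    Scenario("file server", "malware infection", vulnerability=2, likelihood=3, impact=5,
             mitigation="patching SLA, endpoint protection, offline backups"),
    Scenario("staff laptop", "malware infection", vulnerability=3, likelihood=3, impact=4,
             mitigation="full-disk encryption, endpoint protection"),
    Scenario("staff laptop", "device lost or stolen", vulnerability=3, likelihood=2, impact=3,
             mitigation="full-disk encryption, asset tagging"),
]


def example_register() -> list[dict]:
    return rank_risks(ASSETS, SCENARIOS)


if __name__ == "__main__":
    for row in example_register():
        print(f"{row['level']:<6} {row['score']:>3}  {row['asset']:<14} "
              f"{row['threat']:<22} -> {row['mitigation']}")
```

Running the script prints the register with the lost-phone scenario at the top, which is the ranking the article's own reasoning leads to: the phone carries the most confidential data and is the asset most exposed to loss. The same threat (malware) lands at different scores for the phone and the server only because their vulnerability and sensitivity ratings differ, which is exactly the differentiation Step Two asks for. Ratings outside the scale and scenarios that reference an asset absent from the SoS are rejected rather than silently scored.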
Step Three: Establish the ISMS
Now that the organization has identified the assets to be protected and conducted a full risk assessment, it can proceed to write the actual policies and procedures that comprise the ISMS. Organizations should establish the ISMS in compliance with ISO 27001 if they wish to earn a certification for best practices in information security management.
Going back to our first example of the unsecured business phone, what steps could the organization take to ensure that information on the phone is adequately protected in case the phone is lost or stolen? Here are some sample policies that could be implemented to help mitigate the risk:
- Lost or stolen phones must be reported to the IT department within eight hours. If you do not know where your phone is, contact IT immediately.
- IT must have the capability to remotely track and wipe any phone owned by the company.
- Company phones must be protected by a biometric lock that corresponds to the assignee—a fingerprint, retina scan, or facial recognition technology must be used to unlock the phone.
- Company phones are issued with a secure waist holster, encouraging employees to avoid losing the asset by securing it to their person when not in use.
This set of policies and procedures would minimize the possibility of a data breach occurring due to a lost phone. The biometric lock requirement significantly increases the level of sophistication required to gain unauthorized access to the phone, the reporting requirements introduce additional accountability for the user of the phone, and IT is able to remove sensitive data from any phone that is reported missing.
An ISMS is a set of policies and procedures that establish how your company will protect its information assets from deliberate or accidental misuse, loss, or damage. Establishing an ISMS is an important step towards securing your organization's data assets and protecting yourself from the legal and financial implications of a data breach. Organizations can gain ISO 27001 certification by complying with the global standards for ISMS. Implementation of ISMS requires organizations to identify and evaluate their assets, conduct a risk assessment, and document the established policies and procedures. Training programs are required to ensure that employees are compliant with the ISMS when handling sensitive data.
The ISMS should be maintained and regularly reviewed, following the PDCA cycle, with a goal of continual improvement towards a risk-based ISMS that meets the data security needs of the organization.