What is an Information Security Management System (ISMS)?
Introduction to ISMS
Perhaps you are aiming to learn more about ISMS, or perhaps you have been tasked with creating an ISMS for your organization and have no idea what the term even means. By the time you have finished reading this article, when someone asks you "What is an information security management system (ISMS)?", you will be able to confidently steer them in the right direction.
An ISMS is a large subject and often a daunting one, so this article is a high-level overview of the basics to help you get started. From here, you can delve into the individual ISMS sub-topics as required.
ISMS Definition / ISMS Meaning
The acronym "ISMS" refers to an Information Security Management System. An ISMS can be defined as a documented set of policies, processes and controls that describes how an organization identifies, assesses and manages the information security risks in its environment.
An effective ISMS protects the Confidentiality, Integrity and Availability of an organization's information assets.
ISO 27001 and ISO 27002
Many people will have heard of ISO 27001, at least in passing, but there are two separate standards you should be aware of that work hand-in-hand to deliver an overall ISMS. Beyond these two, there are more than a dozen ISO standards related in some way to an ISMS; if you are interested, you can read about them all in ISMS ISO Standards – summarised list.
ISO 27001 is the internationally recognized standard that specifies the requirements for establishing, operating, monitoring and improving an Information Security Management System. It is the standard an organization is certified against. The current version is ISO 27001:2022, which replaced ISO 27001:2013 and, among other changes, reorganized the Annex A reference controls.
ISO 27001 works alongside ISO 27002. ISO 27002:2022 provides implementation guidance for the 93 reference controls, organized into four themes (Organizational, People, Physical and Technological), that an organization can implement to help meet the requirements of ISO 27001. The Annex A controls are a reference set rather than a mandatory checklist: you select the controls your risk treatment needs and record, in a Statement of Applicability, which controls apply and why any have been excluded.
There is nothing preventing you from building an Information Security Management System that follows the requirements set out in ISO 27001 even if you do not plan to become ISO 27001 certified. However, if you want the certificate, and the assurance that your ISMS conforms to the standard, an accredited external certification body must be engaged to audit your organization.
ISMS Risks and ISMS Controls
There are two cornerstones to the ISMS that must be understood: Risks and Controls.
ISMS risks are the events that could harm your organization if they came to fruition, weighed by how likely they are and how much damage they would do. When we talk about ISMS risks we are not referring only to external threats in the form of cyber attackers, but also to risks such as unapproved technical changes being implemented on production systems, or backup tapes being disposed of without their data having been properly sanitized.
Defining the ISMS risks in your organization is an important step: a risk you have not captured is a risk you are unlikely to be mitigating effectively.
After determining a comprehensive list of ISMS risks, we then need to work out how to treat them. Read about identifying risks in detail in ISMS Risk Assessment.
The key tool we use to manage those risks is ISMS controls. Controls are where we document the measures we will take to ensure that the risks are effectively managed, so that the residual risk is at a level the organization deems acceptable. Remember those unapproved technical changes? Let's put in place a formal Change Management control. For those old backup tapes sent off without being wiped, we'll put in place a control describing how asset disposal is handled so that our information is protected to the end of its life.
That's ISMS risks and ISMS controls in a nutshell.
ISMS Metrics / ISMS Measures
You know your ISMS risks and have chosen to put ISMS controls in place, so now you can consider the job done, right? Not so fast. You need to measure.
In the same way that a business doesn't know if it is profitable without running reports, we don't know if an Information Security Management System is effective unless we are measuring results.
ISMS metrics, also referred to as ISMS measures, are used to measure the effectiveness of ISMS controls. Let's imagine that you have established an ISMS control, part of which is to patch all Microsoft Windows servers each month; there should be a metric in place to confirm that the control is actually operating. Your metric might be a snapshot of every Windows server in your environment taken on the last day of the month, reporting the percentage that received the month's patches and listing those that did not. A server with no patch record at all should count against the metric rather than be dropped from it, otherwise the unmanaged hosts you most need to find will never show up. This is a proactive ISMS metric.
Or consider phishing, one of the most common initial access vectors for cybercriminals today; there could be an ISMS metric tracking the number of phishing incidents in your organization each month. This is a reactive ISMS metric.
A combination of proactive metrics (the things you are doing) and reactive metrics (the results you are seeing) usually delivers the best picture of whether the ISMS is working.
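The two metrics above, worked through in code as an added example (this is illustrative code, not part of the original article and not from any ISMS tooling). The server names, dates, incident records, the 31-day patch window and the 95% target are all constructed assumptions; in practice the inventory would come from your patch-management or CMDB export.

```python
"""Proactive and reactive ISMS metrics over constructed sample data.

Added example; server names, dates, the 31-day window and the 95 % target
are assumptions, not values from the article or from any real environment.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Server:
    name: str
    last_patched: Optional[date]            # None: no patch record exists at all
    exception_until: Optional[date] = None  # approved, time-boxed risk acceptance


def patch_status(server: Server, snapshot: date, max_age_days: int = 31) -> str:
    """Classify one server as of the snapshot date.

    A missing record is reported as 'unknown' rather than silently dropped:
    dropping it would inflate the compliance percentage and hide the hosts
    most likely to be unmanaged.
    """
    if server.exception_until is not None and server.exception_until >= snapshot:
        return "exception"
    if server.last_patched is None:
        return "unknown"
    if snapshot - server.last_patched <= timedelta(days=max_age_days):
        return "compliant"
    return "non_compliant"


def compliance_report(servers, snapshot: date, target_pct: float = 95.0,
                      max_age_days: int = 31) -> dict:
    """Proactive metric: month-end patch compliance with a pass/fail target."""
    statuses = {s.name: patch_status(s, snapshot, max_age_days) for s in servers}
    counts = Counter(statuses.values())
    # Approved exceptions leave the denominator but are still reported;
    # 'unknown' hosts stay in the denominator and count against the metric.
    in_scope = len(servers) - counts["exception"]
    pct = 100.0 * counts["compliant"] / in_scope if in_scope else 100.0
    return {
        "snapshot": snapshot.isoformat(),
        "in_scope": in_scope,
        "compliant_pct": round(pct, 1),
        "target_met": pct >= target_pct,
        "counts": dict(counts),
        "needs_action": sorted(n for n, st in statuses.items()
                               if st in ("non_compliant", "unknown")),
    }


def monthly_incident_counts(incidents) -> dict:
    """Reactive metric: phishing incidents reported per calendar month.

    Months with zero phishing incidents do not appear; add them explicitly
    if the report must show every month in the period.
    """
    counts = Counter(reported.strftime("%Y-%m")
                     for reported, category in incidents if category == "phishing")
    return dict(sorted(counts.items()))


# Constructed sample data (assumptions for the example only).
SNAPSHOT = date(2024, 3, 31)
INVENTORY = [
    Server("WEB01", date(2024, 3, 14)),
    Server("WEB02", date(2024, 3, 14)),
    Server("DB01", date(2024, 1, 10)),                                   # missed two cycles
    Server("APP01", date(2024, 3, 20)),
    Server("LEGACY01", date(2023, 11, 2), exception_until=date(2024, 6, 30)),
    Server("BUILD01", None),                                             # not in patch tooling
]
INCIDENTS = [  # (date reported, category)
    (date(2024, 1, 9), "phishing"), (date(2024, 1, 22), "phishing"),
    (date(2024, 2, 3), "malware"), (date(2024, 2, 15), "phishing"),
    (date(2024, 3, 4), "phishing"), (date(2024, 3, 18), "phishing"),
    (date(2024, 3, 27), "phishing"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(compliance_report(INVENTORY, SNAPSHOT), indent=2))
    print(monthly_incident_counts(INCIDENTS))
```

On the sample inventory the proactive metric comes out at 60% compliant against a 95% target, with DB01 (stale) and BUILD01 (no record) flagged for action and LEGACY01 reported separately under its approved exception. The reactive metric shows phishing incidents rising month over month, which is exactly the kind of trend the Check step of the cycle below should pick up.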
ISMS Cycle
We have gone over some of the major components of an ISMS; now we need to bring them all together.
The Plan, Do, Check, Act (PDCA) model works well for an ISMS. The steps are straightforward, and you are probably already doing something very similar in other parts of your business.
- Plan: Document what you are going to do in your ISMS.
- Do: Complete the activities that you have documented.
- Check: Review your metrics, your assets and your risks. Confirm whether the activities you are performing are delivering the desired results.
- Act: Decide what needs to change in your ISMS, make the change, then go back to Plan. Repeat.
Plan, Do, Check, Act is a constant cycle. You are never "finished" with your ISMS; it is a living, breathing system.
Conclusion
At its core, an Information Security Management System (ISMS) is relatively straightforward: know your risks, put controls in place to treat them, measure whether the controls work, and adjust. Having read this article, you likely now have a better understanding of how an ISMS operates than most people in your organization.
Are you confused by some of the terminology used in this article? If so, check out the ISMS list with definitions.