Implementing an Information Security Management System

By: Bruce Coker

An information security management system (ISMS) is a formal, controlled set of processes and procedures dealing with the management of information security within an organization. The implementation of an ISMS is a key step that any organization in possession of valuable information assets should consider. This article offers an overview of the implementation process and explains the benefits of an ISMS.

1 Why implement an ISMS?

An ISMS offers a number of significant benefits to both the organization and its customers.

a. It ensures suitable security controls are in place: The intensive risk assessment and other processes involved in implementing the ISMS help to verify that any security controls and strategies are appropriate, cost effective, and prioritized to address the core security needs of the organization.

b. It demonstrates a commitment to security best practice: The existence of an ISMS is a powerful demonstration to an organization's customers of its commitment to information security. Customers can be confident that an ISMS-compliant organization understands and implements industry best practice. Certification of the ISMS provides independent and unbiased evidence of this compliance.

c. It ensures compliance with third party obligations: Many organizations have external responsibilities with regard to the data in their possession. These may concern privacy, intellectual property ownership, or, in an increasingly regulated environment, legal issues. An ISMS can greatly assist an organization in the fulfillment of such requirements.

2 Planning your ISMS

The thoroughness of the planning phase is vital to the ultimate effectiveness of the ISMS itself. A realistic and detailed plan should be prepared and agreed to, against which performance should be measured at every step of the implementation. This will ensure the process remains on track and that the ISMS ultimately addresses the required issues. The plan should also be open to review and reassessment in the light of experience. This will help ensure it retains the flexibility needed to meet the continuously changing requirements of most organizations.

It is essential to ensure management involvement and commitment at, or preferably before, the planning phase. This will be critical for later success, as decision makers will not only finance the ISMS but will also play a key ongoing role in its implementation. The involvement of management from an early stage will help to ensure that adequate resources are made available for the development of the ISMS. It will also help to involve all related departments in the ISMS process. It is a common misconception that information security is the sole preserve of the IT department, whereas in fact it usually has implications throughout an organization. For example, HR departments will often have a critical role in spreading awareness of the ISMS, while those responsible for the physical security of the building will be involved with issues such as physical access control and the relocation of assets. At a more fundamental level, every individual who uses the IT infrastructure will be affected in some way by the ISMS.

An organization may already hold knowledge relevant to ISMS implementation. For example, there may be an existing quality management system (QMS). Where this is the case, relevant skills, knowledge and experience should be leveraged to ease the implementation process and reduce its cost.

The final major aspect of the planning phase is getting to grips with the standards and processes involved. This will involve the new system's owners familiarizing themselves with documentation such as the International Organization for Standardization's ISO/IEC 27000 series and the Information Security Forum's Standard of Good Practice. If certification is the goal, consultation with a variety of certifying bodies, leading to the identification of one with whom the applicant organization will work, is highly desirable, as is strong familiarity with the technical and procedural requirements for certification.

3 The anatomy of an ISMS

An ISMS can be a complex entity dealing with many variables. Its complexity will depend largely on the scale and nature of the owner organization, along with the volume, nature and variety of the information involved. However, the structure of any ISMS will contain certain common elements regardless of the scale. Close adherence to this structure during the planning phase will ensure that the ISMS conforms to best practice guidelines.

a. Scope: At the head of the ISMS is the statement of scope. This defines the logical and geographical boundaries of the ISMS: in other words, the people, places and information to which the ISMS will apply.

b. Policy: The policy statement is the high level overview of precisely what the ISMS is seeking to achieve. It should define factors such as the criteria to be applied during risk assessment and the types of security breach the ISMS will seek to protect against. It should take into consideration other policies within the organization which may have an impact on the ISMS. It also defines top level roles and responsibilities, such as who, at management level, has approved the policy, and who is responsible for the maintenance and implementation of the ISMS.

c. Risk assessment: Risk assessment lies at the heart of the ISMS and will almost always form the largest section of its content. Accurate assessment provides a focus for the implementation of security controls and strategies, and ensures that these controls and strategies are correctly prioritized and cost effective. The first step in risk assessment is to assess the value of the organization's information assets as accurately as possible. This valuation must consider not just the information's raw financial worth, but hidden values such as the potential cost of legal action, or damage to the organization's reputation, that could result from loss or compromise. Valuation is followed by the identification of threats, vulnerabilities, and the potential impact of disruption. This will help to establish clear priorities for the ISMS, leading to an accurate determination of the various risks, and appropriate controls and strategies for managing them. The assessed risks should be compared to the acceptable risk levels determined in the policy document to establish a hierarchy of priorities. Some additional factors that must be taken into account during this process are the nature of the organization and its information, and the physical security environment within which the information is kept.

d. Risk handling strategies: All identified risks must be addressed in one of four possible ways.

First, security controls can be implemented to manage the risk. A vast number of possible controls is outlined in ISO/IEC 27002, the security management code of practice. Any controls that are implemented should be recorded in a document known as the Statement of Applicability, along with the justifications for the selection of the particular control, and information tracking back to the risk assessment documentation that outlined the requirement for it.

Second, the risk can simply be accepted. If the decision is made to live with a certain risk, the grounds for the decision must be documented, along with justification for it in terms of the policy and criteria for identifying acceptable risks.

Third, the risk may be eliminated entirely. How this can be achieved will depend on the specific risk, but examples would be the replacement of a vulnerable application with a secure alternative, or the relocation of vulnerable physical assets to a more secure site.

Fourth, responsibility for the risk can be transferred to another organization. This is typically done by taking out insurance, or by outsourcing services relating to the management of the vulnerable information. In such a case, the external organization must accept responsibility for the risks it is undertaking, having been made fully aware of the implications.

Whichever risk management strategy is selected, the residual risk must be reassessed after implementation to confirm that it is now below the acceptability threshold. On completion, the risk handling assessment must be fully documented, noting a detailed plan of action to address each identified risk, the priorities and timescales for completion of the necessary actions, and the individuals or teams responsible for implementation.

e. Management processes: The final element in the ISMS structure is the identification of the management processes that underpin and maintain the system. These will typically include resourcing of the project, an auditing schedule to verify that the system is working correctly, the process of management review which the system will undergo, and improvement procedures to be overseen at management level.

4 Implementation

Once the planning and structuring phases have been completed successfully, implementation is primarily a matter of setting in train the required actions, and monitoring them to ensure they are being carried out as specified. Since the responsible teams and individuals will have been identified, all parties should understand their roles and be in a state of readiness to move forward when the time for implementation arrives.

To support this, a second strand to implementation is often the provision of training and awareness programs to bring people up to speed with the implications of the ISMS. This will include validating and distributing documentation relating to the project, conducting sessions to make people aware of their responsibilities, and any technical training required to ensure the successful implementation of specific aspects of the system, for example a migration to new software or the deployment of a new firewall.

5 Certification

In many cases, certification will be a key goal of the ISMS. When this is so, the selection of an appropriate certifying body becomes a decision of key importance. Close integration is necessary between the organization seeking certification and the one providing it. The applicant organization must be prepared to expose its inner workings to the assessors, including potentially sensitive data and every aspect of how it conducts its business. It must, therefore, be able to establish a strong relationship of trust with the certifying body. For this reason it is recommended that as many potential certifying bodies as practical are considered.

Certification in itself does not require any steps other than those necessary to implement the ISMS. When implementation is complete, assessors will thoroughly examine the system against the ISO/IEC 27001 standard. The certification process consists of the following six steps:

1. Primary audit, during which the assessors will thoroughly examine all the ISMS documentation.
2. Actions and modifications resulting from the primary audit.
3. Secondary audit. This is carried out on site, and involves a thorough examination of the implementation of the documented ISMS.
4. Post-audit corrections.
5. Issuing of certification.
6. Follow up to ensure continued compliance.