An Information Security Management System (ISMS) consists of a management framework through which an organization identifies, analyzes, and addresses information security risks. ISMSs are not based on servers or security devices. Instead, an ISMS consists of a set of practices that are systematically applied by an organization to ensure continuous improvement in information security. ISMSs provide conceptual models that guide organizations in planning, implementing, governing, and evaluating information security programs.
ISMSs are a natural extension of the use of popular business models, such as Total Quality Management (TQM) and Control Objectives for Information and Related Technologies (COBIT), into the realm of cybersecurity.
An ISMS is a systematic, multi-layered approach to cybersecurity. The approach includes people, processes, technologies, and the cultures in which they interact in a process of risk management.
An ISMS often incorporates the “plan-do-check-act” framework, known as the Deming cycle, from TQM. It is seen as an elaboration on the process component of the People-Process-Technology-Culture model of organizational capability, as shown in the figure.
The image shows a general model for organizational capability. The diagram on the left side of the image depicts the People, Process, Technology, Culture model. The four components of the model are shown in a ring with Capability at the centre. There are arrows pointing both ways between all of the components. The Process component is expanded out into another graphic on the right side of the image. In the expanded view, the four steps in the plan-do-check-act framework are shown in a clockwise circle surrounding the text: Develop, Improve, Maintain, ISMS.
A General Model for Organizational Capability
ISO is the International Organization for Standardization. ISO’s voluntary standards are internationally accepted and facilitate business conducted between nations.
ISO partnered with the International Electrotechnical Commission (IEC) to develop the ISO/IEC 27000 series of specifications for ISMSs, as shown in the table.
| Standard | Description |
| --- | --- |
| ISO/IEC 27000 | Information security management systems – Overview and vocabulary – Introduction to the standards family, overview of ISMS, essential vocabulary. |
| ISO/IEC 27001 | Information security management systems – Requirements – Provides an overview of ISMS and the essentials of ISMS processes and procedures. |
| ISO/IEC 27003 | Information security management system implementation guidance – Critical factors necessary for successful design and implementation of ISMS. |
| ISO/IEC 27004 | Information security management – Monitoring, measurement, analysis and evaluation – Discussion of metrics and measurement procedures to assess the effectiveness of ISMS implementation. |
| ISO/IEC 27005 | Information security risk management – Supports the implementation of ISMS based on a risk-centred management approach. |
The ISO 27001 certification is a global, industry-wide specification for an ISMS. The figure illustrates the relationship of actions stipulated by the standard with the plan-do-check-act cycle.
In the figure, the four steps in the plan-do-check-act framework are shown in a clockwise circle surrounding the text: Develop, Improve, Maintain, ISMS.
ISO 27001 ISMS Plan-Do-Check-Act Cycle
- Understand relevant business objectives
- Define scope of activities
- Access and manage support
- Assess and define risk
- Perform asset management and vulnerability assessment
ISO 27001 certification means an organization’s security policies and procedures have been independently verified to provide a systematic and proactive approach for effectively managing security risks to confidential customer information.
NIST Cybersecurity Framework
NIST is very effective in the area of cybersecurity, as we have seen in this module. More NIST standards will be discussed later in the course.
NIST has also developed the Cybersecurity Framework, which is similar to the ISO/IEC 27000 standards. The NIST Framework is a set of standards designed to integrate existing standards, guidelines, and practices to help organizations better manage and reduce cybersecurity risk. The Framework was first issued in February 2014 and continues to undergo development.
The framework core consists of a set of activities suggested to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes. The core functions, which are defined in the table, are split into major categories and subcategories.
| Core Function | Description |
| --- | --- |
| IDENTIFY | Develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. |
| PROTECT | Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. |
| DETECT | Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. |
| RESPOND | Develop and implement the appropriate activities to act on a detected cybersecurity event. |
| RECOVER | Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. |
The major categories provide an understanding of the types of activities and outcomes related to each function, as shown in the next table.
| Core Function | Outcome Categories |
| --- | --- |
Organizations of many types are using the Framework in a number of ways. Many have found it helpful in raising awareness and communicating with stakeholders within their organization, including executive leadership. The Framework is also improving communications across organizations, allowing cybersecurity expectations to be shared with business partners, suppliers, and among sectors. By mapping the Framework to current cybersecurity management approaches, organizations are learning and showing how they match up with the Framework’s standards, guidelines, and best practices. Some parties are using the Framework to reconcile internal policy with legislation, regulation, and industry best practice. The Framework also is being used as a strategic planning tool to assess risks and current practices.