The standard attempts to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The standard is designed to be used by internal and external parties to assess the organisation’s ability to meet its own information security requirements. The standards does not attempt to order the requirements by their importance, they are simply numbered for reference purposes. It is intended to provide requirements for the assessment and treatment of information security risks which are generic and are intended to be applicable to all organisations regardless of type, size or nature.
When developing an information security management system it is important to understand the organisation’s internal and external issues (ISO 31000:2009. Clause 5.3) along with the needs of interested parties, which might include legal and regulatory requirements and contractual obligations. It is also important to determine the boundaries and applicability of the information security management system, based on the above. It is important to consider interfaces and dependencies that are performed between other organisations. The organisational scope should be enviable in a detailed documentation.
Management is a key part of ensuring that the information security management system will be successful. By ensuring that the security policy and objectives are established and that they match with the organisation’s strategic direction as well as tight integration between the organisation and the information security requirements. The standard goes on to state, that management should communicate the importance of the security management requirements as well as provide adequate resources to achieve the intended outcomes. Management should also promote the continual improvement and support to other related management roles to ensure effectiveness of the information security management system.
Along with appropriate commitment to leadership, there should also be documented policies that are distributed to interested parties. The policies should be appropriate to the organisation, including the security objectives or provide a framework for setting security objectives. Again, these polices should include commitment to continual improvement and to satisfy applicable security requirements.
Finally, management should assign roles for responsibility of ensuring the information security management system, a) conforms to the security requirements and b) able to report on the performance of the system back to management.
When determining the risks and opportunities organisations should consider the organisational scope as well as the needs and exception of interested parties. By including this in the planning, it will ensure that the information security system will achieve its unintended outcomes, hopefully prevent or reduce undesired effect and be able to support continual improvement. The organisation should plan any actions which will address the risks and opportunities, a long with how to integrate, implement and evaluate the actions with in the security management system.
It is recommended to establish and maintain and information security risk criteria, which includes risk acceptance and criteria for preforming risk assessments. This ensures that repeated risk assessments produce consistent and valid comparable results. The risk assessment should be able to identify, analyse and evaluate security risks:
Identify : Its recommended to identify risks based on loss of confidentiality, integrity, and availability (CIA). Remember to keep within the organisational scope. It is important to identify owners of the risks.
Analyse : By assessing the potential consequences which would be results from the risks identified above, it is then possible to assess the realistic likelihood of the occurrence and determine a level of risk to the organisation.
Evaluate : Based on the results of the risk analysis it is then possible to order the risks in a way that can allow for adequate treatment to take place, which will reduce the likelihood or prevent the security risk from happening.
Part of the planning should include a treatment process which will select appropriate risk treatment options for analysed risks. These controls are dependent on the risk identified and the organisation’s evaluation, and can be sourced from a variety of sources which best suit the organisation. It is recommended to produce a ‘statement of applicability’ which details the controls and justification based. From this it is possible to produce a treatment plan which can be sent to the risk owners for approval.
Finally it is wise to produce information security objectives which can be applied at relevant functions and levels. It must be consistent with security policy and take into account information from the security requirements and risk assessment/treatment. When planning the security objectives it is important to detail:
- What will be done
- What resources will be required
- Who is responsible
- When it will be completed
- How the results will be evaluated
There are five main pillar when it comes to supporting the development of an information security management system.
Resources : The organisation should identify what resources are needed and ensure that enough is provided.
Competence : Should determine the necessary competence of persons who will work on the system. May be required to take actions such as additional training.
Awareness : Persons should be aware of the organisations security policies, and their contributions to the effectiveness of the system. They must also be aware of the negative consequences for not conforming with the security requirements.
Communication : The organisation should decide on what should be communicated both internally and externally and who with. This should be also be accompanied with when communication should take place and by what process.
Documented Information : All policies and processes should be documented. The amount depends on the organisation and its type of activities. When updating or creating documentation it should have appropriate identification and description. There should also be a standard distribution format (paper, digital) along with a review and approval for suitability and adequacy.
Documentation should also be available when needed and is protected from loss of confidentiality, improper use or loss of integrity. Version control and access right should be applied, and the ability to distribute/revoke should be in place.
The organisation shall plan, implement and control the processes needed to meet in the security requirements and to implement actions identified in the risk treatment. Documentation and processes should be continuously reassessed and validated after any planned (or unplanned) changes to the system. It is important to also access any outsources processes and determine control measures.
The organisation should be able to evaluate the performance of the system system. It will need to have a clear understanding of what should be monitored and how it plans to measure the results. To ensure continuous development of the system, it is important the they evaluation is reproducible and considered valid, also the results should be documented and stored for future use. Monitoring and measuring of the system should be assigned and scheduled at intervals which the organisation deems appropriate, including reviewing the results.
Internal audit of the system should be performed in a similar vain, ensuing that it conforms to organisation requirements and that is effectively implemented and maintained. An audit program should define the audit criteria and scope, frequency, methods, and responsibilities. Importantly, identify select auditors which can conduct impartial and objective audits which will be reported to relevant management.
Management should review the security management system at planed intervals where key persons are able to report any issues and feedback from the results of the monitoring and audit processes, as well as from risk assessment and treatment. Actions generated from these meetings should be reviewed at the start and end of each session.
When a nonconformity occurs the organisation should be able to take actions which can control the consequences. It would then evaluate the effectiveness of the actions taken and and determine if similar nonconformities exists, or could potentially occur. As a result it may be needed to update the information security management system to reflect this event. Continual improvement is required of the security system and should actively be updated and evaluated to ensure successful operation.