Information security is first and foremost about protecting your corporate assets. In our mini-series, we explain terms, concepts and interesting facts about information security management in companies.
Part 1: The Basics
Part 3: Vulnerabilities, Threats, Risks
Part 4: Enterprise Risk Management
Implementation of an ISMS in the company
To improve their information security, more and more companies are striving to establish their own information security management system (ISMS). There may be different motivations for this, such as legal requirements (for example, by the IT Security Law), demands from customers or simply a self-imposed demand by the company for a high level of information security.
In companies, not only IT systems, but also all other assets of the company must be protected with regard to the protection goals of confidentiality, integrity and availability. Within an ISMS, rules, processes, measures and tools are defined with which information security can be managed, maintained, controlled and continuously improved throughout the company. Information security measures concern all processes, guidelines, procedures, practices or organisational structures that have a potential influence on information security risks.
Norms and best practices
The management of information security in the company can be carried out according to various specifications and best practices. The best known and most frequently used standard for information security management is ISO/IEC 27001:2013. An ISMS operated according to ISO 27001 can be certified by accredited companies.
The PDCA cycle
The structure of an ISMS according to ISO 27001 is based on a PDCA cycle:
PLAN – The organisational context and responsibilities are defined. Support for security policies and leadership commitment is ensured. In addition, an implementation plan is developed that sets out the risk assessment and treatment within the ISMS.
DO – The ISMS is implemented and put into practice in the company. Awareness of information security is built up among all employees through targeted company-wide communication and trainings.
CHECK – In order to continuously improve the ISMS, it is necessary to monitor its performance on an ongoing basis. Only through a precise analysis of the processes can targeted corrections be made. If necessary, this is supported by internal audits. Within the framework of risk management, risks are identified, analysed and then dealt with according to defined methodology.
ACT – Here, the measures for correcting and improving the ISMS are implemented and new strategic goals are set in order to continuously optimise the company's ISMS.
Measures (security controls) that must be implemented according to ISO 27001 are listed in the annex of the standard. Using the so-called "Statement of Applicability" (SoA), companies must first identify which measures required by the standard are applicable to their company. If, for example, a measure conflicts with the law applicable at the place of business, or if a company does not carry out an activity regulated by a measure, it is also exempt from implementing the corresponding measure.
Definition of the scope
When defining the scope, the boundary of the ISMS is defined in which it is applied. For this purpose, all relevant assets, processes, interfaces and internal and external stakeholders must be defined and documented.
Roles and responsibilities
Since information security affects all areas of a company and must therefore be implemented throughout the company, the ISMS is the responsibility of the top management. The Top management defines the desired security policy, security goals and the overarching security strategy. Initially, the top management provides security guidelines and delegates the tasks of specific elaboration to certain executives, such as the Information Security Officer (ISO). Only if the management fully supports the introduction of an ISMS such a project can be successfully implemented with all the necessary resources.
The ISO acts as the central contact person for information security in the company. Its task is to create the framework for the concrete design of the ISMS for employees of the different departments in the company. The ISO coordinates and monitors the implementation of tasks in the context of the ISMS and reports to the company management.
Guidelines and document control
ISO 27001 specifies that the requirements for the departments and the company as well as all processes concerning the ISMS must be documented. Usually, these requirements are based on the annex and consist of a superordinate guideline as well as more detailed documents that concretise certain aspects of the ISMS and are subordinate to the guideline.
Risk management
An essential part of successfully building an ISMS is risk management. Risks arise from threats acting on the vulnerabilities of an asset. If an attacker exploits a vulnerability, this can cause damage to the company, which is also known as an information security incident. This must be prevented in risk management. Therefore, it is necessary to identify, evaluate and subsequently deal with risks in the company.
If risks are recognised at an early stage, suitable measures can be developed in time to ensure the continuity of business processes and to reduce or avoid damage caused by information security incidents.
Monitoring and improvement
To determine whether the ISMS is functioning as intended, various methods are used to monitor and evaluate it. ISO 27001 provides three tools for monitoring the ISMS:
- System of key figures (KPIs)
Measurement of the ISMS status with the help of key figures
- Internal audits
Verification of the ISMS for conformity by an independent party
- Management Review
Review of the effectiveness of the ISMS by top management
Certifications
Companies can have certified their ISMS according to ISO/IEC 27001:2013 by an independent, external inspection body. In a multi-stage audit, the accredited certification body checks whether the ISMS in the company meets all the criteria of the standard and is operated in accordance with its specifications. Before an audit can take place, the ISMS in the company must have been in operation for at least three months and an internal audit and a management review must have already taken place. An independent audit with subsequent certification can minimise risks sustainably in information processing and strengthen trust among customers and users.