Information Security Management System - Need For An ISMS

Need For An ISMS

Security experts say and statistics confirm that:

  • information technology security administrators should expect to devote approximately one-third of their time to technical matters; the remaining two-thirds should be spent developing policies and procedures, performing security reviews and analysing risk, addressing contingency planning and promoting security awareness;
  • security depends on people more than on technology;
  • employees are a far greater threat to information security than outsiders;
  • security is like a chain. It is as strong as its weakest link;
  • the degree of security depends on three factors: the risk you are willing to take, the functionality of the system and the costs you are prepared to pay;
  • security is not a status or a snapshot, but a running process.

These facts inevitably lead to the conclusion that security administration is a management issue, and not a purely technical issue.

The establishment, maintenance and continuous updating of an ISMS provide a strong indication that a company is using a systematic approach to the identification, assessment and management of information security risks. Furthermore, such a company will be capable of successfully addressing information confidentiality, integrity and availability requirements, which in turn have implications for:

  • business continuity;
  • minimization of damages and losses;
  • competitive edge;
  • profitability and cash-flow;
  • respected organization image;
  • legal compliance.

The chief objective of information security management is to implement the appropriate measures in order to eliminate or minimise the impact that various security-related threats and vulnerabilities might have on an organization. In doing so, information security management makes it possible to deliver the desired qualitative characteristics of the services offered by the organization (i.e. availability of services, preservation of data confidentiality and integrity, etc.).

Large organizations, or organizations such as banks and financial institutions, telecommunication operators, hospitals and health institutions and public or governmental bodies, have many reasons for taking information security very seriously. Legal and regulatory requirements aimed at protecting sensitive or personal data, as well as general public security requirements, impel them to devote the utmost attention and priority to information security risks.

Under these circumstances, the development and implementation of a separate and independent management process, namely an Information Security Management System, is the one and only alternative.

The development of an ISMS framework entails the following six steps:

  1. Definition of security policy,
  2. Definition of ISMS scope,
  3. Risk assessment (as part of risk management),
  4. Risk management,
  5. Selection of appropriate controls and
  6. Statement of applicability.
