Information Security Management Systems Standard
Information Security Management Systems Standard
PSC Staff has direct experience in the readiness and assessment of important international standards, including:
- ISO 27001/2 establishes the model for implementing an Information Security Management System
- ISO 9000 Quality Management
- ISO 9564 Personal Identification Number (PIN) Management and Security
PSC will assist clients in implementing these standards and, if required, prepare for the certification process.
About ISO 27001/2
Companies normally have written and implemented a number of information security controls as they grow. Unfortunately, these controls are not usually organized around a common framework or structure and can be disorganized; contradictory between departments; incomplete; insecure; and, lack management oversight.
This “ad hoc” approach to security management leaves critical gaps in operational security controls and only addresses certain aspects of IT or data protection. Leaving non-IT information assets (such as trade secrets, information held by individuals and proprietary knowledge) less well protected.
ISO 27001 defines a common framework for management of policies and procedures by establishing an Information Security Management System (ISMS); selecting appropriate security controls to operate in that ISMS and implementing such controls. This process encompasses the entire organization using risk management techniques and asset management to deliver a common, consistent; adaptable and maintainable security profile that reduces the organizations risk to security issues, regardless of source.
PSC Solution
PSC can help clients establish their ISMS and select appropriate controls. PSC will:
- Plan - establish the management system
- Do - assist with implementation and operation of the system
- Check - assist with the monitoring process and internal audits
- Act - assist with the improvement process
PSC will scope the ISMS with the client setting the boundaries for the system, then a risk assessment based on the ISO 27001 management requirements will be performed to identify risks; evaluate them and select the appropriate risk treatment. Based on the risk assessment, control objectives and appropriate procedures will be decided with the client and implemented.
The above assessment is performed with respect to the relevant sections of the ISO 27001 management standard and utilizing industry best practices for the controls and procedures. The actual security controls selected as appropriate will depend on the security risks disclosed during the assessment. The risk assessment will be conducted using a combination of interview and observation (of both current practices and documented processes), as follows:
- Understanding of the client’s business model and future plans
- Evaluation of assets (both tangible and intangible)
- Evaluation of risks to those assets within the framework of the client’s business model
- Development of policies and procedures to mitigate the risks
- Development of the statement of applicability
- Design an ISMS for future governance to ensure that planning; implementation; maintenance and responsiveness security controls are designed within the capabilities of the client
PSC will then assist the client with the implementation of the ISMS including:
- Documenting all the control objectives and procedures
- Assisting client in the initial implementation of controls
- Concepts of using the documentation set and appropriate records management for audits
- Training and awareness for employees
- Incident management
- Operations management
Once the ISMS is in place, PSC will assist client in the day to day management of the system and the ability to update and improve it over time. This will include:
- Monitoring and review processes
- Conducting internal audits and reviewing results
- Management review of ISMS
- Management and treatment of non-conformities using corrective action processes and implementing/testing the process for continuous improvements
ISO 9000 and ISO 9564
PSC will assist clients with the implementation of both these standards including the management framework and scope; risk assessment; documentation (including all policies and procedures); internal assessments; preparation for certification and continuous improvement planning.