Difference between revisions 572549831 and 579049172 on enwiki

[[File:Risk Management Elements.jpg|thumb|Plan-Do-Check-Act Cycle]]
[[File:Isms framework.jpg|thumb|ENISA: Risk Management and Isms activities]]

An '''information security management system'''<ref>{{cite web|title=Security management system’s usability key to easy adoption|url=http://www.sourcesecurity.com/news/articles/co-4108-ga.8554.html|publisher=sourcesecurity.com|accessdate=22 August 2013}}</ref> (ISMS) is a set of policies concerned with [[information securi […]

* The '''Do''' phase involves implementing and operating the controls.
* The '''Check''' phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
* In the '''Act''' phase, changes are made where necessary to bring the ISMS back to peak performance.

[[ISO/IEC 27001:2005]] is a risk-based information security standard, which means that organizations need to have a risk management process in place. Figure 2 illustrates how risk management fits into the [[PDCA]] model given above.<ref>{{cite journal|last=Humphreys|first=Edward|title=Information security management system standards|journal=Datenschutz und Datensicherheit - DuD|date=8 March 2011|year=2011|volume=35|issue=1|pages=7–11|doi=10.1007/s11623-011-0004-3}}</ref>

However, the latest standard, [[ISO/IEC 27001:2013]], does not use this cycle. Another competing ISMS is [[Information Security Forum]]'s ''[[Standard of Good Practice]]'' (SOGP). It is more [[best practice]]-based, as it comes from ISF's industry experience.
[…] Under these circumstances, the development and implementation of a separate and independent management process, namely an Information Security Management System, is the one and only alternative.<ref name=ENISAFULL/>

The development of an ISMS framework based on [[ISO/IEC 27001:2005]] entails the following six steps:<ref name=ENISAFULL/>
# Definition of security policy,
# Definition of ISMS scope,
# Risk assessment (as part of risk management),
# Risk management,
# Selection of appropriate [[security control|controls]] and
# Statement of applicability

== Critical success factors for ISMS ==
To be effective, the ISMS must:<ref name=ENISAFULL/>
* have the continuous, unshakeable and visible support and commitment of the organization’s top management;
* be managed centrally, based on a common strategy and policy across the entire organization;
* be an integral part of the overall management of the organization, related to and reflecting the organization’s approach to risk management, the control objectives and controls, and the degree of assurance required;
* have its security objectives and activities based on business objectives and requirements and led by business management;
* undertake only necessary tasks, avoiding over-control and waste of valuable resources;
* fully comply with the organization's philosophy and mindset by providing a system that, instead of preventing people from doing what they are employed to do, enables them to do it in a controlled way and demonstrate that they have fulfilled their accountabilities;
* be based on continuous training and awareness of staff, and avoid the use of disciplinary measures and “police” or “military” practices;
* be a never-ending process.

== Dynamic issues in ISMS ==
There are three main problems that lead to uncertainty in information security management systems (ISMS):<ref>{{cite journal|last=Abbas|first=Haider|coauthors=Magnusson, Christer; Yngstrom, Louise; Hemani, Ahmed|title=Addressing dynamic issues in information security management|journal=Information Management & Computer Security|date=1 January 2011|year=2011|volume=19|issue=1|pages=5–24|doi=10.1108/09685221111115836|accessdate=26 October 2013}}</ref>

* '''Dynamically changing security requirements of an organization'''
Rapid technological development raises new security concerns for organizations. Existing security measures and requirements become obsolete as new vulnerabilities arise with the development of technology. To overcome this issue, the ISMS should organize and manage dynamically changing requirements and keep the system up to date.

* '''Externalities caused by a security system'''
Externality is an economic concept for the effects borne by a party that is not directly involved in a transaction. Externalities can be positive or negative. The ISMS deployed in an organization may also cause externalities for other interacting systems. Externalities caused by the ISMS are uncertain and cannot be predetermined before the ISMS is deployed. The internalization of externalities caused by the ISMS is needed in order to benefit internalizing organizations and interacting partners by protecting them from vulnerable ISMS behaviors.

* '''Obsolete evaluation of security concerns'''
The evaluations of security concerns used in the ISMS become obsolete as technology progresses and new threats and vulnerabilities arise. Continuous security evaluation of organizational products, services, methods and technology is essential for maintaining an effective ISMS. Security concerns that have already been evaluated need to be re-evaluated. A continuous security evaluation mechanism of the ISMS within the organization is a critical need in order to achieve information security objectives. The re-evaluation process is tied to the dynamic security requirement management process discussed above.

== See also ==
{{Portal|Computer security}}
* [[Asset (computing)]]
* [[Attack (computing)]]
* [[CERT Coordination Center|CERT]]
* [[COBIT]]
* [[ENISA]]
* [[Enterprise architecture]]
* [[FISMA]]
* [[Information security management]]
* [[IT governance]]
* [[ITIL]]
* [[IT risk]]
* [[ISO 9001]]
* [[ISO/IEC 27001]]
* [[ISO/IEC 27002]]
* [[ISO/IEC 27004]]
* [[ISO/IEC 27005]]
* [[NIST]]
* [[PDCA]]
* [[Security control]]
* [[Security information and event management]]
* [[Threat (computer)]]
* [[Vulnerability (computing)]]
* [[WARP (information security)]]
* [[TRAC (ISMS)]]

== Notes and references ==
<references/>

[[Category:Data security]]

All content in the above text box is licensed under the Creative Commons Attribution-ShareAlike license Version 4 and was originally sourced from https://en.wikipedia.org/w/index.php?diff=prev&oldid=579049172.