Difference between revisions 579054359 and 579059252 on enwiki

[[File:Risk Management Elements.jpg|thumb|Plan-Do-Check-Act Cycle]]
[[File:Isms framework.jpg|thumb|ENISA: Risk Management and ISMS activities]]
An '''information security management system'''<ref>{{cite web|title=Security management system’s usability key to easy adoption|url=http://www.sourcesecurity.com/news/articles/co-4108-ga.8554.html|publisher=sourcesecurity.com|accessdate=22 August 2013}}</ref> (ISMS) is a set of policies concerned with [[information securi

However, the latest standard, [[ISO/IEC 27001:2013]], does not use this cycle.

Another competing ISMS is the [[Information Security Forum]]'s ''[[Standard of Good Practice]]'' (SOGP). It is more [[best practice]]-based, as it comes from the ISF's industry experience.

Some other best-known ISMSs include the [[Common Criteria]] (CC) international standard and the Trusted Computer System IT Security Evaluation Criteria (ITCSEC).<ref name=isms>{{cite journal|last=Jo|first=Heasuk|coauthors=Kim, Seungjoo; Won, Dongho|title=Advanced Information Security Management Evaluation System|journal=KSII Transactions on Internet and Information Systems|date=1 January 2011|year=2011|volume=5|issue=6|pages=1192–1213|doi=10.3837/tiis.2011.06.006}}</ref>

Some nations use their own ISMS, e.g., the Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP) of the USA, the [[Department of Defense Information Assurance Certification and Accreditation Process]] (DIACAP) of the USA, the [[Trusted Computer System Evaluation Criteria]] (TCSEC) of the USA, the IT Baseline Protection Manual (ITBPM) of Germany, the ISMS of Japan, the ISMS of Korea, and the Information Security Check Service (ISCS) of Korea.<ref name=isms/>

Other frameworks such as [[COBIT]] and [[ITIL]] touch on security issues, but are mainly geared toward creating a governance framework for information and IT more generally. COBIT has a companion framework, ''[[Risk IT]]'', dedicated to information security.

The table below compares the certification structure of some of the best-known ISMSs:<ref name=isms/>
{| class="wikitable"
|-
! !! '''BS 7799''' !! '''CC''' !! '''ITSEC'''
|-
| '''Operation Area''' || England || About 22 Countries|| European Countries
|-
| '''Basic Structure''' || - 6 Management phases<br /> - 11 Security domains<br /> - 139 Control objectives<br /> - 133 Security controls  || - 3 Parts<br /> - 11 Security functional requirements<br /> - 8 Assurance requirements || - 4 Phases<br /> - 6 Levels
|-
| '''Management Process''' || 1- Define policy<br />2- Define scope<br />3- Assess risk<br />4- Manage risk<br />5- Select controls to be implemented and applied<br />6- Prepare a statement of applicability || 1- PP/ST introduction<br />2- Conformance claims<br />3- Security problem definition<br />4- Security objectives<br />5- Extended components definition<br />6- Security requirements<br />7- TOE summary specification || 1- Requirements<br />2- Architectural Design<br />3- Detailed Design<br />4- Implementation
|-
| '''Difference of Process'''|| Emphasis on managerial security || Emphasis on technical security || Emphasis on managerial security
|-
| '''Specification Control Point'''|| Provide best code of practice for information security management || Provide common set of requirements for the security functionality of IT products || Provide common set of requirements for the security functionality of IT products
|-
| '''Evaluation Method''' || Use the PDCA model cycle || Follow each certification evaluation procedure || Follow the Commission of the European Communities
|}

There are a number of initiatives focused on the governance and organizational issues of securing information systems, bearing in mind that it is a business and organizational problem, not only a technical problem:
* [[WARP (information security)]]
* [[TRAC (ISMS)]]

== Notes and references ==
<references/>


[[Category:Data security]]