Information Security Management System

1. Purpose

To keep customer data safe and secure by protecting it from leaks, loss, breaches, and to show customers that their information is handled responsibly.

2. ISMS Team

The team managing the Information Security Management System at your organisation should be composed of:

Chief Information Security Officer (CISO): Person responsible for leading and managing the organisation's information security program, ensuring compliance with ISO 27001 by identifying risks, implementing controls, and maintaining the ISMS.

3.Information Security Management System Overview

1. Documenting a detailed ISMS policy

  • Establish the organisation's goals and vision for implementing an Information Security Management System.
  • Define the scope for the organisation's ISMS program.
  • Specify what parts of the operations are covered under the ISMS scope.
  • Identify and document interested parties (internal and external) and their expectations from ISMS.
  • Clearly define roles and responsibilities within the organisation.

2. Creating Statement of Applicability

  • Obtain a copy of the ISMS Statement of Applicability.
  • Identify and list all applicable clauses for your business environment.
  • For each control, provide a justification for its inclusion or exclusion in the SoA.
  • Assign ownership for each applicable control.
  • Tag and link all relevant supporting documentation for each control.

3.Document Policies and Procedures

  • Prepare documented policies and procedures for all applicable clauses
  • Ensure documentation accurately reflects actual operations.

4.Risk Management

  • Identify potential risks associated with your current information security structure.
  • Determine the control required to be in place to avoid the risks or mitigate their impact.

5.Implementation of Controls

  • List itemDetermine the controls required to address the applicable clauses identified in the Statement of Applicability covering the following aspects.

Organisational

  • Establishing adequate governance structure around security in the organization involving people, assets and information.
  • Managing different phases of the asset management of different types without getting security compromised.
  • Managing access to information to avoid unauthorised access.
  • Ensuring third party vendors meet the information security expectations during business operations.
  • Plans and readiness to keep business running or recover quickly when disruptions happen.

Physical:

  • Managing and restricting physical access to organization premises
  • Securing facilities against environmental risks such as fire, flooding or power failures
  • Ensuring that organizational equipment and assets are used securely and protected from loss, theft, or damage
  • Ensuring secure use of equipments / assets

People

  • Security controls from the human resource and people management perspective
  • Educating staff and raising information security awareness
  • Promoting secure remote working practices
  • Processes for detecting, reporting, and responding to security events

Technology

  • Mechanism for identifying, authenticating users for ensuring secured access.
  • Protecting network infrastructure from attacks and threats.
  • Securing data while capturing, processing, storing, transmitting and discarding.
  • Developing applications and systems considering the security aspect.
  • Ensuring changes to systems are managed securely and in a controlled way to avoid their impact.

6. Management Review

  • Set a cadence for Management Review across to gauge overall robustness of the ISMS program
  • Determine effectiveness of the implemented controls.
  • Identify key vulnerabilities or bottlenecks to figure out a solution. 
Discard
Save
Draft

Previous Page

Left

Next Page

Right
Review Changes ← Back to Content
Message Status Space Raised By Last update on