What is ISMS?
ISMS stands for Information Security Management System; as we can see, it is a combination of four words. So, before going into depth about ISMS, we need to understand these words.
Information, according to Wikipedia, is “a sequence of symbols that can be interpreted as a message”. Let’s try to make it simpler: information is a collection of data which helps us take decisions or identify something. For example, if I give you three words, i.e., “Mr. A”, “train” and “7:30 am”, what information can you derive from them? Let’s consider three situations which can be derived from these words:
1. Mr. A has to catch a train at 7:30 am.
2. Mr. A missed the 7:30 am train.
3. Mr. A will not travel by the 7:30 am train, etc.
We can easily see that if I shared any one of the above possibilities instead of just the three words, it would be much easier to identify someone or make a decision.
Security means safeguarding information which is valuable. Always remember that for any company, people (which means us) are the most important asset. That doesn’t mean that ISMS talks only about securing us; it involves securing people, processes (both IT and non-IT) and technology.
We can now define information security as safeguarding information which is valuable to an organization. The triad of information security is shown in Fig. 1 and defined below:
1. Confidentiality: only legitimate users have access to the information.
2. Integrity: only legitimate users can make changes to the information.
3. Availability: the information is available to legitimate users when needed.
Management is the task of achieving an objective in the most effective and efficient way.
System is an approach to performing an overall activity or duty, or to solving a problem.
We can define ISMS as a management system that secures information from unauthorized disclosure or manipulation in the most effective and efficient way, so as to achieve the business objective or goal.
One point to remember is that information security is not only about IT security. It involves both IT and non-IT security, and it applies to information held in soft copy as well as hard copy.
What is ISO 27001?
Although every company takes due care to safeguard the information within its organization, there was no formulated set of procedures for doing so before October 2005. In 2005, the International Organization for Standardization and the International Electrotechnical Commission published ISO 27001, which is part of the ISO 27000 family of standards. Its full name is ISO/IEC 27001:2005 – Information technology — Security techniques — Information security management systems — Requirements. ISO 27001 requires management to perform the following activities:
1. Thoroughly scrutinize the organization’s information security risks, considering the threats, vulnerabilities and impacts.
2. Design and implement a complete and lucid collection of information security controls to address those risks.
3. Ensure continual improvement of the system in order to enhance information security.
ISO 27001 is a standard built around continual improvement, using the cycle shown in Fig. 2.
ISO 27001 has 11 domains and 133 controls. All the controls are explained in detail in ISO 27002.
Who does ISO 27001 apply to?
Any organization (small or big) can comply with ISO 27001, especially where critical information flows or is stored, either in soft copy or hard copy. The best part of ISO 27001 is that it is not as stringent as some other security standards, so it is not mandatory for an organization to comply with all 133 controls. But that does not mean you may select controls purely on the basis of your own feasibility and convenience: every exclusion has to be justified with proper reasoning.
ISO 27001 Benefits
1. An advantage over competitors.
2. A framework for complying with all the legal and regulatory requirements.
3. A continual improvement process, hence fewer security incidents.
4. A proactive process.