Certifying Information Security Management Systems

by Fiona Pattinson CISSP, CSDP
July 2007
A brief discussion of the role of an information security management system (ISMS).

A management system describes the people, processes and technologies used to focus and manage the activities of an organization. Each organization builds a unique system that is supportive of the goals of that organization. The system will reflect different disciplines depending on the values and culture of the organization. So, we see systems defined with very different areas of focus such as enterprise management, environment, health, safety, quality, web content, personnel, risk and many other topics; and with different emphasis on security factors such as the well-known triad of confidentiality, integrity and availability, or on topics such as privacy or product assurance.

Even though each organization builds a unique system, management systems have several common elements and are based around an improvement cycle. The one most often used is based on W. Edwards Deming's famous Plan Do Check Act (PDCA) cycle.[1] This cycle guides us as we plan the action of what needs to be done and how best to go about it, establish the controls that we need, monitor progression, and improve the system - taking preventive and corrective actions and identifying areas for improvement. Study of management systems has shown that there are several common elements including policy, planning, implementation and operation, performance assessment, improvement, and management review.

An information security management system (ISMS) is focused on managing information security within an organization, a topic that is of growing concern to many organizations as they deal with the challenges presented in the information society, including evolving information security and privacy legislation (see the table below), published guidelines (OECD, cyber security), and threats that are either natural (fire, flood, earthquake, tornadoes) or human-introduced (viruses, SPAM, privacy violations, hacking, industrial espionage).

In an ISMS the information protected includes not just that residing in electronic format on a computer or network, but also paper-based information, and it extends as far as intellectual property. A properly implemented ISMS can

[1] In his book "Out of the Crisis" Dr. Deming attributes the PDCA cycle to Walter Shewhart.
[Figure: risk management process flow - Establish context; Risk assessment (Identify risks, Analyze risks); Communicate risks; Treat risks; Assurance.]

[Figure: timeline of ISMS standards up to "TODAY" - BS 7799-2 (2002; note: draft was ISO 24742); ISO/IEC 27001 ISMS (Est 2005, adopted by ISO, references ISO 17799:2005); ISO/IEC 27001 ISMS (improved) (Est 2012); Implementation Guidance: ISO 27003 (Est 2007); Metrics: ISO 27004 (Est 2007); Risk Management: BS 7799-3 and ISO 27005 (Est 2007); Disaster Recovery: ISO 2700 (Est 2007, number truncated on the page); System Certification: ISO 27099 (Est 2007, as printed).]
Further reading

PD 3004: Guide to the implementation and auditing of BS 7799 controls. Available from BSI.

PD 3005: Guide on the selection of BS 7799 controls. Available from BSI.

NIST SP 800-30: Risk management guide for information technology systems. National Institute of Standards and Technology (NIST), 2002.

"Out of the Crisis", W. Edwards Deming, MIT, 1989.

F. Pattinson and W. Fabritius, "Certifying your Organization's ISMS," ISSA Journal no. 10, 2004.

ISO/IEC TR 13335-3: Guidelines for the Management of IT Security - Techniques for the management of IT security.

ISO/IEC TR 13335-4: Guidelines for the Management of IT Security - Selection of safeguards.

ISO 19011:2002: Guidelines on quality and/or environmental management systems auditing.

Support and associated organizations

The ISMS International User Group: http://www.xisec.com

ANAB: American National Accreditation Board