An Information Security Management System (ISMS) defines rules and methods to ensure information security in a company or organization. The ISMS is process-oriented and follows a top-down approach starting from the company management.
What is an Information Security Management System (ISMS)?
The abbreviation ISMS stands for Information Security Management System; in German the term is rendered as Managementsystem für Informationssicherheit. Within the ISMS, rules, procedures, measures and tools are defined with which information security can be managed, controlled, ensured and optimized. The goal is that risks caused by IT become identifiable and controllable.
Since the Information Security Management System is the responsibility of the company’s management, it uses a top-down approach to enforce IT security. The establishment and adoption of security policies is done by top management, while the actual development of details and implementation can be delegated to other executives or employees. IT and data protection officers can be appointed in this context.
The Information Security Management System is standardized in the ISO/IEC 2700x series of standards. Important components of the standard series are ISO 27001 (certification requirements) and ISO 27003 (development and implementation of the ISMS). The DIN committee NIA-01-27 (IT Security Procedures) is responsible for the German part of the standardization work. An ISMS must be implemented in all areas and at all levels of the organization.
Necessary steps for the implementation of an ISMS
The planning, implementation, and maintenance of the ISMS can be divided into individual process steps. In the first step, it is necessary to define what the information security management system should do and which values and information are to be protected. Both the scope and the boundaries of the ISMS must be clearly defined.
Then, the risks within the scope of the ISMS must be identified and classified. Criteria for this can be legal requirements or compliance guidelines. The result is an assessment of which risks are acceptable and which must be excluded. It must be clearly recognizable which effects can result from the individual risks. The consequences of a loss of confidentiality, integrity, and availability must be taken into account. The probability of occurrence of each risk is also part of the risk assessment.
Based on this risk assessment, suitable measures can be selected and implemented to avoid the risks. The measures adopted and implemented are to be reviewed and optimized in a continuous process. If deficiencies or new risks are identified, the complete ISMS process must be run through again from the beginning.
The role of an IT security officer in the ISMS
One task within the ISMS is the appointment of an IT security officer. This officer is integrated into the ISMS process and works closely with IT managers on tasks such as selecting new IT components and applications.
Within the company, he or she is the contact person for all questions relating to IT security. The Executive Board or top management appoints the IT security officer. He or she reports directly to the Board of Management and submits regular reports to it. He or she is provided with a dedicated financial budget to carry out these duties.
The Information Security Management System and the BSI’s IT baseline protection
The IT-Grundschutz catalogs of the BSI (German Federal Office for Information Security) provide a concept for implementing an ISMS. BSI Standard 100-1 offers assistance in the introduction, implementation, and maintenance of an information security management system and is aligned with the ISO/IEC 27001 standard.
For German authorities, IT-Grundschutz represents a kind of standard for information security. The main objectives of IT-Grundschutz are confidentiality, integrity, and availability of information.
The Information Security Management System and data protection
Since personal data does not enjoy a special status within the ISMS and all data to be protected is treated equally in principle, an information security management system does not necessarily have to include data protection in the company.
While it helps to protect data in general, it does not guarantee the security of the processing of all personal data. For this reason, an information security management system does not replace a data protection management system. Suitable additional measures must be defined and implemented in order to meet data protection requirements. Furthermore, a separate data protection officer must be appointed.