ISO/IEC 27001 (ISMS)

This page gives you a general introduction to what an ISMS is.  The acronym stands for ‘Information Security Management System’.

An ISMS is a management process which addresses an organization’s information security, for the whole organization or a part of it, for single or multiple sites, as defined by the ISMS Scope.  The requirements for an ISMS enjoy global recognition and application, and are defined by international standards.

Other Zygma Resources

  • ISO and the ISMS Standards family
  • Questions You Should Ask


Definition

The notion of an Information Security Management System (ISMS) was first mooted during the development of British Standard BS 7799, which began in 1987.  Follow this link for a development history of ISMS standards.  The definition first given has changed little since, and today reads as follows:

“that part of the overall management system based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security”

and ‘information security’ is defined as: “preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved”.


Business benefits of an ISMS

Some people and organizations have a negative view of information security – they consider it to be a “grudge purchase”. The reality is that, intelligently applied, information security is a business enabler.

A business and its management can gain control of their information security by considering, in turn: the value that the various forms of information have to the business; the risks to that information, the degree to which the business relies on it, and the resources which enable the business to access and apply it; the controls required to mitigate the perceived risks; and the consequences for the business should those risks become manifest.  How they manage their information security and the measures they implement should reflect the value and sensitivity of both the information and the information processing resources they have and need.

An ISMS is intended to provide the framework for the achievement of all that. It can help your business to:

  • establish and apply information security policies consistently and in a fashion which is relevant to the business goals and related risks;
  • ensure that controls in place are sufficient to mitigate risk to an acceptable level, and that the controls applied do so cost-effectively;
  • enhance management oversight with greater involvement and visibility of risk controls;
  • enhance the business’ overall information security;
  • provide evidence of due diligence in the approach to regulatory (or other forms of) compliance and conformity;
  • convey greater assurance to stakeholders (management, investors, clients, …);
  • reduce costs, e.g. insurance premiums and the burden of audits (such as those of clients seeking assurances);
  • limit exposure and therefore liability;
  • gain competitive advantage;
  • provide a forum for continual review and improvement of the processes involved.

Internal Control Systems

ISO/IEC 27001 is a specification for building, operating, maintaining and improving an ISMS.  However, the security (or assurance) of its information resources is not management’s only concern.  Management will have other interests and responsibilities which relate directly to the nature of the business it is in.  An ISMS is therefore just one part of an organization’s internal control system: the system management establishes to marshal the organization’s resources so as to best achieve its business objectives and manage the associated risks.  An ISMS can be regarded as that part of the internal management system (IMS) where information security (or assurance) is the concern.

Furthermore, the management principles upon which an ISMS relies can be applied to other aspects of the business, and the set of controls may also be extended to encompass other aspects of the IMS (although a certification would cover only the specific scope of ISO/IEC 27001 – nevertheless, the fact that the framework of the ISMS was certified would add confidence in its broader application).

The term ‘information assurance’ is gradually taking over from the term ‘information security’, to emphasize the inclusion of integrity (i.e. the characteristic that information must not be changed without authorization and must be sufficiently right for the purpose for which it is used at the time it is used).  Additionally, ‘information security’ is increasingly referred to as ‘cyber security’ (e.g. CS1); perhaps ISO/IEC 27001 will in future be titled ‘Cyber Security Management System – Requirements’.

Specialized ISMS

The controls described in ISO/IEC 27002 are generic in the sense that they are not slanted towards any particular industry sector.  Nonetheless they are very extensive and cover all of the areas to which a business should give general consideration.  Some businesses will of course be subject to particular constraints or requirements, often imposed by external regulation, e.g. in the medical, health, financial and pharmaceutical sectors; equally, a business may itself establish some very specific requirements.  In such cases there may be a need to add further controls to those set out in 27002 and to include them in the Statement of Applicability required by ISO/IEC 27001: indeed, both standards actively encourage the inclusion of additional controls where these are felt to be necessary.

In recognition of this, approximately a decade ago Zygma developed a model for building into an ISMS the ability to map its controls (or a subset of them) onto other standards and regulations.  This is described in one of our white-papers, as is an in-depth mapping of the Health Insurance Portability and Accountability Act (HIPAA) security standards against the requirements of 27001 (as it was at the time of that paper).  That model was submitted through the US representation to ISO/IEC JTC 1/SC 27/WG 1 and is today realised as ISO/IEC 27009.  Zygma remains well placed to interpret your specific needs in terms of the generic ISMS requirements.