How to implement an Information Security Management System

Looking at the regulatory changes within the European Union and worldwide in the area of ICT infrastructure protection in companies and in individual countries, we have noticed significantly growing requirements for information security management. This has been reflected in the requirements set out in new standards and regulations, such as the ISO/IEC 27001 information security management standard, the Personal Data Protection Regulation (EU) 2016/679 and the new cyber-security directive (EU) 2016/1148. At the same time, the problem of cybercrime has been addressed in mass culture (in books like “Blackout” and in films, e.g. “The Fast and the Furious 8”, “Live Free or Die Hard”).

In this article we would like to share our experience with defining and implementing an Information Security Management System based on ISO/IEC 27001 requirements as a way to improve information security in an organisation and meet the new regulatory requirements.

What companies should manage their information security?

Implementing an information security management system based on the ISO/IEC 27001 standard is voluntary. In this perspective, it is the organisation that decides whether to implement a management system compliant with ISO/IEC 27001 requirements.

Obtaining this certification is an indirect proof that the organisation meets the mandatory regulatory requirements imposed by the legal system. For instance in the European Union, including in Poland, it is already possible to point out which organisations are or will be required to have a subset of an information security system in place. These include:

• Operators of essential services¹ – e.g. electricity, oil and gas undertakings, distribution system operators, industrial system operators, entities from the air and railway transportation sector, banking sector, health care, drinking water suppliers,
• Suppliers of selected digital services,
• Entities processing personal datae².

Organisations increasingly decide to implement an Information Security Management System due to industry-specific requirements or in order to build the trust of their customers.

What is an Information Security Management System?

ISO/IEC 27000 defines an Information Security Management System (ISMS) as

a framework of policies, procedures, guidelines and associated resources and activities jointly managed by an organisation to protect its information assets.

As security mainly depends on people 🙂 this definition can be paraphrased as follows:

People in the organisation who are assigned to defined roles, and responsible for the maintenance and achievement of the security objectives of the organisation. These activities are carried out as part of a Management System, which includes policies, processes, procedures, instructions and information describing the information security management system.

A management system is defined as a framework of related elements within the organisation, implemented policies, specified objectives, and processes to achieve them. Also note that companies increasingly use integrated management systems, for instance by combining ISO/IEC 27001 information protection requirements with the business continuity management system defined in ISO 22301 or with other standards, such as ISO 13485.

Defining an Information Security Management System

When defining and implementing an Information Security Management System, it is a good idea to seek the support of an information security consultant or build/utilise competencies within the organisation and purchase a ready-made know-how package containing ISO/IEC 27001 documents templates as a starting point for the implementation. For each of these options, the following ISMS implementation steps can be identified.

Step 1. Secure executive support and set the objectives

Making a decision to implement an ISMS compliant with ISO/IEC 27001 should always start with getting the involvement / confirmation of the organisation’s top management. This group decides the allocation of resources and budget for defining and maintaining the management system, sets its objectives, and communicates and supervises it in the organisation.

Setting the objectives is an iterative process and hence requires annual updates. The information security system objectives should be determined by the top management, and reflect the business and regulatory needs of the organisation.

Step 2. Define the scope of the system

Contrary to the public opinion, which dates back to experiences with the ISO 9001 standards, ISO/IEC 27001 is well-grounded in the reality and technical requirements of information security. This is why the organisation should, in the first place, choose those security measures and requirements set out in the standard that directly affect it. The standard defines the processes that should make up the Management System of the organisation as well as the security measures that the organisation should implement to ensure information security. The results of these actions provide a basis for the subsequent steps of the implementation.

Step 3. Evaluate assets and analyse the risk

The next step is to evaluate information processing assets and carry out a risk analysis for them. What is asset evaluation? It is a systematic review, which results in a description of the information processing assets in the organisation.

Some of asset categories include:

• Hardware – computers, phones, physical data storage media,
• Servers – both physical and virtual serves comprising the company’s ICT infrastructure,
• Network infrastructure – elements of the company’s network infrastructure,
• (Cloud) services – e.g. 365, Amazon Web Services, JIRA, Confluence, Dropbox, banking services, etc.,
• Customer information – information provided by customers; usually involves the greatest business risk,
• Other – this category includes paper data media.

Only the assets that are important from the point of view of information processing should be evaluated. Note that this section coincides with the requirements set out in the Personal Data Protection Regulation (EU) 2016/679, according to which an organisation is required to indicate and manage filing systems containing personal information.

For each indicated asset or category of assets, a risk analysis is carried out to identify, for example, the ones related to the loss of such information. Next, a responsible person/role is assigned to each asset and a risk management plan is specified.

Step 4. Define the Information Security Management System

At this stage of implementation, the executive support has been secured, objectives have been set, assets have been evaluated, the risk analysis results are already available, and the risk management plan is in place. As a result, the remaining elements of the Information Security Management System can be defined and security measures can be implemented in the organisation. Usually this is an iterative process where the following ISMS components are defined:

• Policies
• Processes
• Procedures
• Instructions
• Inputs/Outputs
• Training
• Guides
• Sources of knowledge
• Roles
• Normative sources

This scope of activities is usually carried out by a consultant or acquired by purchasing ready-made know-how for ISO/IEC 27001. In any case, the management system should reflect the actual processes within the organisation on the one hand, while also introducing the required know-how where necessary.

Know-how definitions can specify the persons in the organisation who will be responsible for the specific know-how. Together with the working group, they will be responsible for the maintenance and updating of information and passing it to other people within the organisation during the system maintenance and continuous improvement phase.

Step 5. Train and build competencies for the Roles

At this stage, the organisation should specify the competencies and skills of the persons/roles involved in the Information Security Management System. The first step after defining the ISMS is to explain it and notify the organisation about the scope and manner of the ISMS operation, as well as about how each employee affects information security. This element should be included in the organisation’s management system by defining roles, competencies required for the roles, and the manner of passing this knowledge onto new employees and refreshing it in people who have been already trained. At this point it is worth defining the training, guides and competence profiles for each role.

Some of the information security roles that can be found in most implementations include:

• Employee – role representing any person employed at the organisation,
• Internal auditor – role responsible for conducting management system audits,
• IT administrator – role representing people responsible for managing the IT infrastructure of the organisation,
• Top management – role representing the group responsible for setting directions and controlling the organisation at the top level,
• The Personal Data Protection Regulation (EU) 2016/679 indicates the need to select a DPO, as in Data Protection Officer, not Dublin Philharmonic Orchestra 😉 The Data Protection Officer (DPO) is responsible for the protection of personal data in your organisation.

Step 6. System maintenance and monitoring

Before commencing the certification of the information security management system it should already work in the organisation. Ideally, a fully defined system will have been implemented and maintained in the organisation for at least a month or two prior to the start of the certification audit, providing the time for conducting the necessary training, carrying out a management system review, implementing the required security measures, and adjusting the risk analysis and risk management plan. During this period, the first actions set out in the infrastructure maintenance and security management plan should be carried out as well.

This way when the certification audit starts off, the organisation will have the documentation and execution records to prove that the Information Security Management System is deployed and safe. Note that the basic requirement for any management system is its ability to ensure continuous improvement through monitoring, internal audits, reporting corrective actions and systematic reviews of the management system.

Step 7. Certification audit

The implementation of an information security management system in a company is confirmed by a certificate of compliance with the ISO/IEC 27001 standard. The certification requires completing a certification audit conducted by a body certifying management system. The certification audit has two phases. Phase I usually involves a check of the scope and completeness of the ISMS, i.e. a formal assessment of the required elements of a management system, and in phase II the system is verified in terms of whether it has been implemented in the company and actually corresponds to its operations.

After successfully completing the certification process audit, the company is issued ISO/IEC 27001 certification. In order to maintain it, the information security management system must be maintained and improved, as confirmed by follow-up audits. After about 3 years, a full re-certification involving a certification audit is required.

Maintenance and continuous improvement

The organisation has already obtained the ISO/IEC 27001 certification. After the certification audit, the top management can assume that the basic assets related to the processing of personal information and data have been identified, risks indicated, and appropriate security measures to address the main risk implemented. Does this mean you can rest on your laurels? No, not at all. In fact, the everyday work related to information security management has just begun. People involved in carrying out the activities and security measures will submit their improvement and change proposals. By conducting management system audits the organisation will learn which security measures and processes need improvement. The results of system operation monitoring and the system status will be presented to the top management as part of the management system review.

The most important aspect of any management system is its ability for continuous improvement and adjustment to the changing internal and external context of the organisation.

Benefits from the Information Security Management System

How can an organisation benefit from implementing and certifying their information security management system?

1. The company has defined and implemented a management system by training employees, building awareness, applying the right security measures and executing a systematic approach to information security management.
2. The risk related to information loss or unauthorised access is minimised.
3. Development of the awareness and competencies of people assigned to information security roles.
4. Increased trust of customers by demonstrating that the company is ISO/IEC 27001 certified.
5. The organisation meets regulatory requirements, including those specified in
   • the Personal Data Protection Regulation (EU) 2016/679,
   • and the new cyber-security directive (EU) 2016/1148.

Implementing ISO/IEC 27001 with ins2outs.com

ins2outs is a modern platform supporting ISO management system, which helps organisations to specify their operations so as to enable growth, provide certification support and share know-how with employees. When deploying ISO/IEC 27001, the organisation can accelerate the implementation of the standard requirements in the following way.

 Define the Information Security Management System

ins2outs supports two methods of defining the ISMS: cooperation with a consultant, and purchasing ready-made know-how for the implementation, which the organisation can access via the ins2outs platform. Buying a ready-made ISO/IEC 27001 know-how package makes the implementation project faster by providing the company with a starting point for their management system, which only requires adjusting and expanding to the organisation’s needs.

As part of the consulting services offered by ins2outs, the organisation is provided with a complete hierarchy of management system documentation to make standardisation and working with the selected consultant easier. Note that with the ins2outs platform, cooperation with the consultant can be carried out using the same communication platform.

A ready-made ISO/IEC 27001 know-how package includes the following contents to define the management system:

1. Know-how
   • Policies
   • Processes
   • Procedures
   • Instructions
   • Inputs/outputs (document and information templates)
2. Education
   • Training
   • Guides
   • Tools
3. Organisation
   • Roles
   • Contexts
   • Normative sources

The relevant content of the management system at ins2outs is assigned to individual defined roles. This way once an employee is assigned to a role, the system actively invites them to learn the corresponding contents. With policies, processes and ready-to-use document templates and contents, understanding and carrying out activities in the organisation is easier.

The ins2outs system considerably simplifies the communication of information about how the management system works.

It supports the communication of objectives and the development of employee competencies, and enables simple submission of ISMS changes and improvements.

If you are interested in implementing an information security management system on the ins2outs platform or would like to learn more, contact us at ins2outs@pro4people.com or visit our website https://ins2outs.com/.

¹ (UE) 2016/1148
² (UE) 2016/679