Information security management system

An Information Security Management System (ISMS) is, as the name suggests, a set of policies concerned with information security management. The term arises primarily out of ISO/IEC 27001.

The key concept of ISMS is for an organization to design, implement and maintain a coherent suite of processes and systems for effectively managing information accessibility, thus ensuring the confidentiality, integrity and availability of information assets and minimizing information security risks.

As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. ISO/IEC 27001 therefore incorporates the typical "Plan-Do-Check-Act" (PDCA) Deming approach to continuous improvement:

* The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.

* The Do phase involves implementing and operating the controls.

* The Check phase's objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.

* In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.

The best known ISMS is described in ISO/IEC 27001 and ISO/IEC 27002 and related standards published jointly by ISO and IEC.

Another competing ISMS is the Information Security Forum's Standard of Good Practice (SOGP). It is more best-practice based, as it derives from the ISF's industry experience.

Other frameworks such as COBIT and ITIL touch on security issues, but are mainly geared toward creating a governance framework for information and IT more generally.

Information Security Management Maturity Model (known as ISM-cubed or ISM3) is another form of ISMS. ISM3 builds on standards such as ISO 20000, ISO 9001, CMM, ISO/IEC 27001, and general information governance and security concepts. ISM3 can be used as a template for an ISO 9001-compliant ISMS. While ISO/IEC 27001 is controls based, ISM3 is process based and includes process metrics.

See also

* Information Security Management
* ISO/IEC 27001
* ISO/IEC 27002
* ISO 9001
* ISM3
* WARP (information security)

External links

* [http://www.bsi-global.com/ British Standard Institute]
* [http://www.securityforum.org/html/frameset.htm Information Security Forum (ISF)]
* [http://www.itil-service-management-shop.com/security.htm ITIL Security]
* [http://www.ism3.com Information Security Management Maturity Model (ISM3)]


Wikimedia Foundation. 2010.
