What is Information Security Management System (ISMS) according to ISO 27001?

If you have started implementing the ISO 27001 standard, you will soon encounter the term Information Security Management System, or ISMS. The ISMS is the main “product” of an ISO 27001 implementation. But what exactly is an ISMS?

ISO 27001 essentially describes how to develop the ISMS. You can think of the ISMS as a systematic approach to managing and protecting a company’s information. The ISMS is a set of policies, procedures, and other controls that establish the information security rules in an organization. Which information security controls a company implements is decided based on the results of the risk assessment and on the requirements of interested parties. For each risk that needs to be treated, a combination of different types of controls is implemented.

Managing complex security systems

The only way to manage all these safeguards is to define clear security processes and responsibilities. In ISO management standards, including ISO 27001, this is called the process approach. The process approach is what connects responsibilities to technical controls: only when you know who has to do what, and when, do you have a foundation for making your security controls work.

The point of the ISMS

First of all, information security controls are not only technical, IT-related controls. They are a combination of different types of controls: documenting a procedure is an organizational control, implementing a software tool is an IT control, and training people is a human resources control.

Secondly, without some kind of framework, information security becomes unmanageable. This is where ISO 27001 certification comes in: when you build up your ISMS, which means developing a set of information security rules, responsibilities, and controls, you become able to manage such a complex system.

Finally, an ISMS is nothing more than several security processes tied together. The better these processes are defined, and the better they are interrelated, the fewer incidents you will have.