For many companies, knowledge and information are the most valuable assets – and often the most vulnerable ones, because even the simplest digital data exchange exposes relevant information to risk. An Information Security Management System (ISMS), as specified in ISO 27001, is the method of choice for keeping those risks calculable and ensuring protection.
This article provides a detailed understanding of what an ISMS is, its connection to ISO 27001, why today’s organisations must implement their own ISMS, and how you can successfully implement an ISMS.
The most important points in a nutshell
- An ISMS makes the information security risks for companies calculable and manageable.
- ISO 27001 sets out the requirements for establishing, implementing, maintaining and continually improving an ISMS that protects organisational information.
- In industries with complex, regulated supply chains, such as the automotive and health industries, an ISMS is usually a key prerequisite for market participation.
- Information security goes far beyond IT security.
- The responsibility for the implementation and operation of an ISMS always lies with the management (top-down approach).
- The individual risk appetite of an organisation decides on the implementation and scope of an ISMS.
- Implementing an ISMS brings business benefits (new customers, easier due diligence, lower compliance cost) in addition to better information security.
- Commitment and competency are two of the key factors that are required to successfully implement an ISMS.
In this article
- What is an Information Security Management System?
- What is ISO 27001 and how does it relate to ISMS?
- Why is interest in Information Security Management Systems (ISMSs) increasing?
- Who needs an ISMS and why?
- How does ISMS work?
- What will you need to implement your ISMS?
- What steps are necessary to establish an ISMS?
- Which factors are decisive for a successful ISMS deployment?
- What are the benefits of implementing an ISMS?
- Are there other standards that an ISMS must comply with besides ISO 27001?
- IT security vs. information security: What are the differences?
- Is the establishment of an ISMS different depending on the industry?
What is an Information Security Management System?
An Information Security Management System (ISMS) describes and documents your organisation's approach to information security. It helps you identify and address the risks and opportunities surrounding your important information and the assets linked to it.
That, in turn, protects your organisation from security breaches and minimises the impact of any disruptions that do occur. An ISMS supports compliance with regulations such as the GDPR (General Data Protection Regulation) and is the basis for certification against ISO 27001. It focuses on protecting 3 key properties of information:
- Confidentiality - Information is accessible only to those who are explicitly authorised to access it; no one else can read or use it.
- Integrity - Information is accurate and complete, and cannot be altered or destroyed without authorisation (and without that change being detectable).
- Availability - Information and the systems that process it are accessible and usable when authorised individuals need them.
What is ISO 27001 and how does it relate to ISMS?
ISO 27001 (formally ISO/IEC 27001) is the international standard for managing information security. Its essence is how to establish, operate and continually improve an ISMS; an ISMS is what the standard certifies.
The standard's Annex A provides a reference set of information security controls. An organisation selects the controls it needs based on the results of its risk assessment and the requirements of interested parties, documents that selection (and the reasons for excluding controls) in a Statement of Applicability, and implements the selected controls. In other words, for each risk that needs to be treated, a combination of different types of controls will be implemented.
Need a more in depth understanding of ISO 27001? Our comprehensive ISO 27001 guide will help you.
Why is interest in Information Security Management Systems (ISMSs) increasing?
The increased pressure on organisations to meet higher information security standards has raised interest in ISMS. Companies with complex supply networks are under the most strain: consider the SMEs in the car industry. The same is true in regulated sectors such as banking (including FinTechs) and insurance (including InsurTechs), and information security rules in health care are stringent. Regulators in these industries expect demonstrable compliance from every participant, not just the largest ones.
Beyond industry-specific causes and needs, however, there is also a general trend toward greater information security. The following are a few reasons why organisations are under scrutiny when it comes to information security:
- Cybercrime is expensive - Most firms cannot absorb the cost of a data breach. IBM's Cost of a Data Breach Report [1] puts the average cost of a data breach at $4.24 million, an amount that may put many businesses out of commission, and the global cost of cybercrime is estimated to rise from $6 trillion to $10.5 trillion by 2025 [2]. An organisation without a systematic approach to information security is betting its future on not being hit.
- Everything is automated - As procedures are automated, more of a company's operations depend on software, interfaces and credentials, and each of these is additional attack surface. The more activities are carried out digitally, the more opportunities an attacker has to reach confidential information.
- Vulnerabilities are everywhere - There is a wide range of technologies that may be exploited by hackers, not simply computers, websites, and servers. More items and systems than ever before are vulnerable to cyberattacks, from airline systems and automobile alarms to power grids and security systems.
Who needs an ISMS and why?
An ISMS generally makes sense for all companies, regardless of industry and company size. Attention is concentrated on software-driven, digitised and SaaS-based companies, but the health sector, for example, has strict minimum standards for information security that must be observed to protect medical confidentiality.
In the automotive industry, it has more to do with the product: the product is so complex and produced by so many parties that strictly regulated approval processes must be passed before a vehicle can be on the road. Anyone involved in the supply chain must meet the information security requirements applicable in the industry (in practice typically demonstrated through a TISAX assessment, whose requirements are derived from ISO 27001) – without exception.
How does ISMS work?
Information security management systems in firms are process-oriented and always the responsibility of management. It is a top-down approach. Implementation, but not responsibility, can be delegated. Depending on the motive (see Fig. 1, left), management selects the procedures and methods to apply or build to ensure information security in corporate activities. The management must regularly examine the measures' scope, intensity, and progress.
The goal of an ISMS is not to achieve maximum information security. Rather, it is to attain the level of information security the organisation has decided it needs. Risk appetite is key: a corporation must know its information, the risks to it, and the financial impact of a materialised risk. Based on this knowledge, management decides to what extent the risks should be reduced by the ISMS and which residual risks it is prepared to accept.
What will you need to implement your ISMS?
Before taking steps to establish your ISMS, there are a few things you need to plan for and achieve. Below are a few to consider:
- ISMS implementation resource
An ISO 27001 compliant or certified information security management system is a substantial undertaking. To deploy an ISMS properly, you will need a manager or team with the necessary time, resources, and expertise. Once the ISMS is up and running, your company will require appropriate governance mechanisms to oversee it.
- Implementation and continuing management systems and tools
A comprehensive information security management system covers many kinds of assets. In addition to data, your company's software and hardware, physical infrastructure, and even its employees and suppliers can all be in scope, and you will need tooling (an asset inventory and a risk register at minimum) to keep track of them all in your ISMS. A systematic approach to risk management is what keeps this inventory manageable and the resulting controls proportionate.
- Actionable policies and restrictions that can be implemented in the real world
Your information security management system tells your employees, suppliers, and other key stakeholders how to keep information safe day to day and what to do in the event of a data breach. These practices and processes must be laid down in clear, widely understood, and readily implementable policies and controls; a policy nobody can follow provides no protection. Only then will the benefits of your ISMS be visible and its integrity be ensured.
- Communication and engagement strategies for employees
ISO 27001 requires that the people working under the ISMS are aware of the information security policy, of their own contribution to it, and of the consequences of not conforming. Everyone whose work is in scope should be made aware of the ISMS, the reasons for its importance, and their duties in maintaining it. Nothing will be safeguarded if an ISMS is allowed to gather dust! It is critical to have the right tools and processes in place to get this message across, and you will likely have to run information security awareness training.
- Supply chain management tools and systems
Your information security management system reaches beyond the walls of your company. Your suppliers and other third parties may have access to, or be responsible for, crucial information on your behalf. ISO 27001 therefore expects you to manage supplier relationships: identify which suppliers handle your information, set security requirements in contracts, and verify that they are met. Protecting your organisation means protecting yourself from the information security risks that your supply chain introduces.
- Working with third-party auditors and obtaining certifications
ISO 27001 certification is issued by an independent certification body, which should itself be accredited. The certification audit has two stages: a Stage 1 review of your ISMS documentation and readiness, followed by a Stage 2 audit of whether the ISMS is actually operating as described. A certificate is typically valid for three years, with surveillance audits in between (usually annually) and a full recertification audit at the end of the cycle. Independently of external audits, the standard requires you to conduct internal audits of your ISMS at planned intervals.
- Continual ISMS improvement and operating resources
A good security management system is always on and aware, and keeps sensitive information safe as the organisation grows and the threat landscape changes. Incidents, nonconformities found in audits, and near misses are inputs, not just failures: each one feeds back into the risk assessment and the treatment plan. Risk assessment and response is never finished.
Now that you are aware of the resources you need to establish your ISMS, let us take a look at the steps to implement it.
What steps are necessary to establish an ISMS?
The establishment and operation of an ISMS follow a classic PDCA cycle. PDCA stands for PLAN, DO, CHECK, ACT (cf. Fig. 2).
The steps to take in detail are:
1. Create an ISMS policy. Why do we as a company want to establish an ISMS? What goals do we expect to achieve with it? How do we implement such a system organisationally? Who assumes the role of the information security officer? What resources does that person have? What measures need to be taken?
2. Identify and classify assets. Which assets/information do we want to protect? How sensitive are these assets? Automotive example: images of a prototype vehicle that has not yet been built need much more protection than images of a test model in a road test, i.e., a vehicle shortly before its market launch.
3. Establish the ISMS organisation and risk management structures. Which tools do we want to use? What financial and human resources does the information security officer have? Which roles, committees and reporting lines need to be established?
4. Develop control mechanisms. How do we check whether the ISMS is effective and protects our company assets as desired?
5. Operate ISMS. Which processes do we put into action in everyday life? How do we integrate and document them?
6. Check results and KPIs. It should be questioned routinely: What results does our ISMS achieve, and which key performance indicators (KPI) do we derive from them?
7. Make corrections and take precautions. In which areas do we need to improve based on the results? How can we counter risks preventively?
8. Review by the management. Do the ISMS goals and the general orientation still fit, or are course corrections by the management needed? This should be analysed at least once a year.
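The steps above (asset classification, a risk appetite set by management, a check of results against KPIs) can be made concrete in a risk register. The following is an added worked example, not code from the original article: a minimal qualitative likelihood-times-impact assessment in the style of ISO 27005, where impact is derived from the asset's classification, controls reduce likelihood, and any residual risk above the appetite management has set must be treated. The 1–4 scales, the appetite value, the asset names and the effect attributed to each control are constructed for illustration and are not prescribed by ISO 27001.

```python
"""Added example (not from the original article): a minimal ISMS risk register.

Qualitative likelihood x impact assessment against an explicit risk appetite.
Scales, thresholds, assets and control effects below are constructed
for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed 1-4 scales. Impact is derived from the asset classification (step 2).
IMPACT_BY_CLASSIFICATION = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}
SCALE = range(1, 5)


@dataclass
class Asset:
    name: str
    owner: str            # every asset needs an accountable owner
    classification: str   # key of IMPACT_BY_CLASSIFICATION


@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: int                           # 1 (rare) .. 4 (almost certain)
    controls: list[str] = field(default_factory=list)
    likelihood_reduction: int = 0             # assumed combined effect of the controls

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE:
            raise ValueError(f"likelihood must be in 1..4, got {self.likelihood}")
        if self.asset.classification not in IMPACT_BY_CLASSIFICATION:
            raise ValueError(f"unknown classification {self.asset.classification!r}")

    @property
    def impact(self) -> int:
        return IMPACT_BY_CLASSIFICATION[self.asset.classification]

    @property
    def inherent(self) -> int:
        """Risk score before any control is taken into account."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        """Risk score after the listed controls; likelihood never drops below 1."""
        return max(1, self.likelihood - self.likelihood_reduction) * self.impact


def treatment(risk: Risk, appetite: int) -> str:
    """Management's rule (step 1): residual risk above the appetite must be treated."""
    return "treat" if risk.residual > appetite else "accept"


def assess(register: list[Risk], appetite: int) -> list[dict]:
    """Steps 4 and 6: one row per risk, the raw material for the risk treatment plan."""
    return [
        {"asset": r.asset.name, "threat": r.threat, "inherent": r.inherent,
         "residual": r.residual, "decision": treatment(r, appetite)}
        for r in register
    ]


def kpi_within_appetite(register: list[Risk], appetite: int) -> float:
    """Step 6 KPI: share of risks whose residual score is within appetite."""
    if not register:
        return 1.0
    return sum(r.residual <= appetite for r in register) / len(register)


def sample_register() -> list[Risk]:
    """Constructed example data echoing the automotive illustration in step 2."""
    prototype = Asset("Prototype vehicle images", "Head of Design", "restricted")
    test_model = Asset("Road-test model images", "PR lead", "internal")
    payroll = Asset("Payroll database", "HR director", "confidential")
    return [
        Risk(prototype, "Leak via shared drive", likelihood=3,
             controls=["encryption at rest", "need-to-know ACLs"], likelihood_reduction=2),
        Risk(test_model, "Leak via shared drive", likelihood=3),
        Risk(payroll, "Credential theft (phishing)", likelihood=3),
    ]


if __name__ == "__main__":
    appetite = 6  # assumed value set by management in the ISMS policy (step 1)
    for row in assess(sample_register(), appetite):
        print(row)
    print(f"within appetite: {kpi_within_appetite(sample_register(), appetite):.0%}")
```

Run as a script, the register shows why classification drives the outcome: the two image assets face the same threat at the same likelihood, but the restricted prototype images start at an inherent score of 12 and need controls to come down to 4, while the internal road-test images sit at 6 and are accepted without further treatment. Lowering the appetite (the management review in step 8) immediately changes which rows require treatment, which is exactly the lever the text describes.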
Which factors are decisive for a successful ISMS deployment?
An ISMS can only be implemented successfully if it is genuinely wanted by company management and given the necessary resources. The 3 key factors that determine the success of an ISMS are:
- Management commitment - Management commitment plays an important role to ensure that the ISMS implementer has a clear direction in implementing ISMS. Management activities include ensuring that the proper resources are available to work, training all employees affected by the ISMS structuring, hosting awareness programs and monitoring ISMS competency.
- Implementer commitment - ISMS implementers need to have proper planning in their daily work schedule to ensure that an appropriate time should be allocated to focus on ISMS processes in ensuring the success of ISMS implementation.
- Implementer competency - Implementers must acquire at least three competencies to obtain appropriate skills and knowledge to comprehend the complete cycle of ISMS implementation. These skills include implementation and change management, awareness of standards, and the presentation of a method or framework for implementing, maintaining, monitoring, and improving information security.
What are the benefits of implementing an ISMS?
Nowadays, an ISO 27001 compliant ISMS contributes directly to business development. Having one means that:
1. Organisations gain new business opportunities - Information security is a top priority for many organisations, so it is no surprise that customers insist that their suppliers and other third parties follow recognised best practice. Additionally, when looking for potential investors, an ISMS pays off immediately: without one, a due diligence check is only possible to a limited extent.
2. GDPR compliance becomes easier - The GDPR requires appropriate technical and organisational measures to protect personal data. An ISO 27001 ISMS supplies the risk-based process and the documented controls that let an organisation demonstrate those measures, and a gap analysis against the standard shows where the current level of compliance falls short.
3. Legal and regulatory compliance is supported - ISO 27001 requires you to identify the legal, regulatory and contractual requirements that apply to your organisation and to address them in the ISMS, so national regulations beyond GDPR are systematically covered rather than left to chance.
4. A competitive advantage is provided - Anyone who operates in a market that is still under-regulated can score points with customers through high standards of information security and improve their competitive position. In any case, an ISMS increases the value of an organisation, because it produces a precise overview of the processes and informational assets in the company.
5. Increase resilience to attacks and errors - When a company has high levels of cyber resilience, it is better able to withstand cyberattacks, limit the damage they do, and continue operating in the event of an attack.
6. Manage your information in one system - An ISMS acts as a centralised hub for safeguarding and managing all of your company's information in one location.
7. Evolve to adapt to newer security threats - Keeping pace with both external and internal changes, an ISMS minimises the possibility of ever-changing risks.
8. Improve company culture - Rather than focusing just on IT, an ISMS takes a comprehensive approach to security. This makes it easier for staff to grasp the dangers and incorporate security measures into their daily routines.
9. Lower costs related to Infosec - Using an ISMS-based risk assessment and analysis strategy, organisations may save money by not overspending on defence technologies that do not apply to them.
In our whitepaper Information Security for beginners, you will get an overview of everything there is to know about the basics of information security. Explained in a simple and understandable way. Get your free guide now.
Are there other standards that an ISMS must comply with besides ISO 27001?
ISO 27001 could be described as the gold standard for Information Security Management Systems. Depending on the industry, market and national legislation, other standards such as the ones mentioned below may be considered.
- Cyber Essentials Scheme - The Cyber Essentials Scheme, introduced by the UK's National Cyber Security Centre, is an effective government backed scheme that helps you to protect your organisation against a whole range of the most common cyber attacks.
- NIST SP 800-53 - NIST Special Publication 800-53 (National Institute of Standards and Technology) is important for cooperation with US government information systems. Generally speaking, it provides the catalogue of recommended security and privacy controls for information systems at US federal agencies.
- SOC 1 and SOC 2 - System and Organization Controls (SOC) reports are attestation reports defined by the AICPA rather than international standards, and are frequently requested from service providers. SOC 1 reports focus on controls relevant to a customer's financial reporting, whereas SOC 2 reports focus on a service organisation's controls over security, availability, processing integrity, confidentiality and privacy.
- CCPA - The California Consumer Privacy Act (CCPA) protects the privacy of California residents. It regulates individual data such as internet activity, cookies, IP addresses, and biometric data, as well as "household data" collected for example by IoT devices in the home. Consumers have the right under the CCPA to know what personal data is collected or sold and for what purpose, including a look-back to 1 January 2019, twelve months before the Act took effect.
- HIPAA - The HIPAA Privacy Rule protects medical records and other personally identifiable information. It applies to health plans, clearinghouses, and providers who perform electronic transactions. The Rule puts restrictions and conditions on the uses and disclosures of protected health information without an individual's consent.
- LGPD - LGPD, Brazil's General Data Protection Law, is the country's counterpart to the EU's General Data Protection Regulation (GDPR). In principle, the LGPD mandates that you only process personal data of Brazilian individuals for legitimate, specific, explicit, and declared purposes.
IT security vs. information security: What are the differences?
Business owners may sometimes be unaware of the differences between IT security and information security, and it may lead them to believe that one can be substituted for the other.
This is not the case.
IT Security or Cybersecurity (Cybersec) is concerned with preventing electronic data and the systems that hold it from being compromised. Desktop and laptop computers, servers, storage systems, networks, and mobile and IoT devices such as smartphones and tablets are within the scope of technology that Cybersec protects.
Information Security (Infosec), on the other hand, focuses on securing information wherever it is held. Keeping information confidential, accurate, and available is the primary goal. Consequently, the scope of Infosec is significantly larger than that of Cybersec, since it covers safeguarding data and information held both in physical locations (such as desks and cabinets) and in IT systems.
To further illustrate the differences between Infosec and Cybersec, here are a few examples:
- Value of data - The value of data is the most important component of both Infosec and Cybersec. The data that is most important to you and your company should be safeguarded to the fullest extent possible. Protecting your company's business information and IT systems is the goal of Cybersec, which aims to prevent digital hacking. Infosec aims to defend the value of your company's information assets from any sort of danger, digital or otherwise.
- Security professional priorities - Active threats, such as hacking attempts and viruses, are the main focus of Cybersec specialists. Infosec professionals have a wider scope, which includes policies and procedures, as well as organisational responsibility for ensuring security.
- Focus of Infosec vs Cybersec - Outside dangers to an organisation's digital infrastructure are the primary focus of Cybersec. The goal of Infosec is to safeguard the confidentiality, integrity, and accessibility of all forms of information assets through the implementation of policies and procedures.
- Threats - Where Cybersec is concerned with cyber threats, Infosec is concerned with threats of all types, including human error, physical theft, fire and water damage, and loss of paper records.
Is the establishment of an ISMS different depending on the industry?
The relevant standard, ISO 27001, does not differentiate according to industry or company size. It defines general requirements and lists its reference controls in Annex A, which in the 2013 edition was organised into 14 security-relevant areas (the 2022 revision regroups the same subject matter into four themes: organisational, people, physical and technological controls). These are the same areas that are inspected carefully during a due diligence check. In a nutshell: the same framework conditions always apply, but the implementation of the processes and measures can differ depending on the industry and the size of the company.
In terms of information security, an ISMS ensures transparency, as well as predictable processes and KPI results. In other words: With a well-implemented ISMS, there are no surprises when it comes to information security issues. Benjamin Franklin is credited with a phrase that inversely sums up the benefits of an ISMS: “When you fail to prepare, you prepare to fail.”