Creating an Effective Information Security Management System (ISMS) Using ISO 27001
The diagram above shows the steps required to implement an ISO 27001-based ISMS
This week, over in the CIS 608 Information Security Management course, we studied and discussed Information Security management frameworks. Since I worked on an ISO 27001-based ISMS implementation project between January 2011 and July 2011, I personally found it especially interesting. Despite the fact that ISO 27001 is an internationally recognized standard for Risk Management and Information Security Management, I was amazed that so many of my CIS 608 classmates were unfamiliar with the ISO 27001 standard. Maybe it's just because this Information Security Management Standard is better known and understood in places like India, Japan, Korea, and the U.K.
Many people look at the list of Domains, Control Objectives, and Controls in ISO 27001 Annex A and think that these topics are the only things that need to be addressed. But it is essential to remember that the implementation of an ISMS is as much Risk Management driven and Information Security Policy driven as it is about the establishment of Information Security Controls. It is also important to measure the ISMS, so that the effectiveness of the policies and other controls can be determined, and so that the entire ISMS can continue to be improved under the Plan - Do - Check - Act process and remain under continuous process improvement.
Remember, if you are doing one of these ISO 27001 implementation projects, don't forget to do the Risk Management effort: the risk assessment and risk treatment results are what justify which Annex A controls you select and how you measure them.
For more information about ISO 27001, click here.
William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
slater@billslater.com
williamslater@gmail.com
http://billslater.com/career
Chicago, IL
United States of America