An information security management system (ISMS) is, as the name implies, a set of policies concerned with information security management. The idiom arose primarily out of ISO/IEC 27001.
The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security (usually summarised as confidentiality, integrity and availability).
As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. ISO/IEC 27001 therefore incorporates the typical "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach:
- The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
- The Do phase involves implementing and operating the controls.
- The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
- In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.
The best known ISMS is described in ISO/IEC 27001 and ISO/IEC 27002 and related standards published jointly by ISO and IEC.
Another competing ISMS is Information Security Forum's Standard of Good Practice (SOGP). It is more best practice-based as it comes from ISF's industry experiences.
Other frameworks such as COBIT and ITIL touch on security issues, but are mainly geared toward creating a governance framework for information and IT more generally.
Very good post, I was really searching for this topic, as I wanted this topic to understand completely and it is also very rare in internet, that is why it was very difficult to understand.
Is such a system cost-effective for small organization, such as laywer's office? I'm currently looking for all possible information about digital certificates.