When it comes to IT and data security, the term information security management system (ISMS) comes up again and again. But what exactly is an ISMS? To what extent can information security be managed systematically? Which organisations should be concerned with it? What are the advantages of setting up an ISMS?
What is an ISMS?
As the term implies, it is a system for managing information security. What is meant is the process – or rather the totality of individual processes – that a body establishes in order to
- meet its own information security requirements in a regulated manner,
- measure the success of these efforts, and
- make any necessary adjustments.
As with other management systems (e.g.: data protection management system – DSMS), a procedure that is oriented towards the four steps plan, do, check and act (PDCA cycle or Deming circle) is also typical and useful for the ISMS.
Plan / planning
In this indispensable step at the beginning, it is first of all a matter of understanding in the first place what goals are to be achieved in a particular area.
- What do you have to achieve concretely?
- Why do you have to achieve this? Is it because a law directly stipulates it (e.g. IT Security Act) or indirectly via sector-specific security standards (B3S, e.g. for medical care) or because one is contractually obliged to do so?
- Is there a threat of liability or other disadvantages that one wants to avoid? One speaks here of risks that are to be avoided.
Likewise, it should be considered what one does not have to achieve, but would like to achieve. Is there a certain expectation on the market? Does one get the interesting order more easily or even only if certain requirements are met (e.g. in the automotive industry the standard TISAX)?
Does one want to improve one’s own processes independently of such external points of view and make the company independent of certain individuals? Is further growth only possible if one’s own approach becomes more structured? Such opportunities should also be known.
The ISO 27001 standard speaks here in general of the context of the organisation, which must be determined. What expectations and dependencies exist and which parties have an interest in these? In short: What do owners, partners, shareholders, customers, supervisory authorities and, last but not least, the legislator demand?
Anyone who wants to set up an ISMS must therefore define the binding criteria according to which risks are identified, assessed, and weighted in the step plan.
The result of all these considerations is a multitude of regulations in which it is specified what is to be achieved, how and by what means and by whom as the person responsible.
Since the overall responsibility always lies with the management, the management itself must define the pursued strategy in a central, superordinate document and also state where and for what these are to apply in the first place. The so-called scope of application for the planned ISMS must be defined and specified. This document is often referred to as a guideline.
In addition to the scope of application, it must also be specified which organisation is to be set up and which concrete responsibilities are to be distributed within it. It is central, for example, that an information security officer (ISO) is appointed, who is also given concrete tasks and appropriate powers.
Everything else is derived from the specifications contained in the ISMS guideline. The rather abstract regulations of the guideline must be supplemented by further regulations and, if necessary, filled out so that in the end each individual process is described in appropriate detail.
To give a handy example:
- The guideline states in the abstract that networks must be secured.
- This is supplemented by regulations that explain what this means in concrete terms, for example: “Use of a firewall, network segmentation, encryption”.
- At some point at the end of the chain there is the concept for the specific individual case: Which concrete firewall is to be used and how is it to be configured in detail?
Do / implement
In this step of the ISMS establishment, the implementation takes place – only and exactly as regulated. If it is discovered at this stage that it does not work as planned, not only must the implementation be adapted, but the previously created regulation must also be changed accordingly.
Everything is subject to the condition that the higher-ranking requirements and in particular the guideline are observed. Proceed accordingly if it turns out that processes have been forgotten. If necessary, the documentation of the previously only lived (but not documented) process must be made up for. In doing so, it must be checked whether it is in line with the general requirements of the ISMS.
The regular assessment and, if necessary, reassessment of risks also takes place at this level of the information security management system.
Check / verify
After the implementation, one now takes a step back mentally and looks at the results. Have the goals been achieved in the predetermined ways? It is about self-control, measurement, internal audits. Essential for this are accordingly measurable goals, which should already be found in the regulations. What is controlled and how often, and what is the target state during a control?
Act / adjust
If a check reveals that the targets have not been met, the next step is to analyse the errors. Why did something not work and what needs to be adjusted to make it work better in the future? The need to reflect on these questions can of course also arise unplanned. Every incident in the area of information security provides cause for self-reflection.
What are the advantages of an ISMS?
The advantages of an information security management system are obvious. In any case, it is the responsibility of every company or organisation to have its own processes adequately under control. This is simply part of careful business management; those who neglect these duties may be liable. In addition, there are now more and more regulations that explicitly prescribe information security (General Data Protection Regulation, laws in connection with critical infrastructures).
Other aspects of an ISMS have already been addressed. The PDCS approach inevitably leads to a company becoming better overall. The company’s own processes are questioned again and again. Due to the documentation, processes are not only known to specialists, but can be adopted by others at short notice. The achievement of goals is measured. At the end, there is a search for improvement possibilities. All in all, the idea of thinking beforehand, then acting in a planned manner and keeping an eye on the results may also be useful in other areas.
Finally, it should be noted that an ISMS is certifiable and thus objectively verifiable. If necessary, having a certificate from an accredited body in hand that proves in black and white that a proper ISMS exists according to ISO 27001 can be an enormous advantage. Clients and customers rely on such a seal. It makes your own company stand out from the crowd of providers for interested parties. It testifies that information security is taken seriously and operated according to recognised rules.
