Security demands three pillars: human, technology and process. None of these pillars can protect your sensitive information alone. Likewise, no combination of two of those pillars can protect your information 100%. To be secure, you should establish all three pillars in your company together. Security vendors won't tell you this truth.
Building an Information Security Management System (ISMS) establishes the three pillars of security in your company. An ISMS includes policies, processes, procedures, organizational structures, and software and hardware functions.
It’s all about Risk
Start from the very first question: why do we need to be secure? Because we have valuable assets, and there are risks that threaten those assets. Risks include fraud, espionage, information theft, system hacking, fire, flood, and the list goes on.
An ISMS is built using a risk-based strategy in which every step is taken based on risk. For example, deploying an antivirus system acts as a countermeasure against the risk of viruses on the network. Likewise, a fingerprint access control system on the data center helps prevent unauthorized persons from gaining access. Another example that is not related to technology: a company may need to impose a mandatory yearly leave for each employee as a countermeasure against fraud by internal employees, because when the job is rotated to another employee during that leave, any potential fraud may be identified.
Many security professionals categorize the countermeasures in an ISMS into three categories:
– Preventive: Those that prevent a threat from exploiting any weakness in the system. Examples include access cards, antivirus, firewalls and security policies.
– Detective: Those that detect breaches in the system. Examples include intrusion detection systems, fire sensors and mandatory leave.
– Corrective: Those that correct and suppress the impact of a breach. Examples include disaster recovery plans, fire suppression systems, and backup and recovery processes.
Building an effective ISMS is not an easy process at all, and no one can claim that by studying all the controls they can build an ISMS.
Building an ISMS involves tradeoffs among security, ease of use and cost. You may not have enough budget and must decide between deploying a firewall or an IDS. You may also not have enough employees to implement segregation of duties policies. Thus, it is better to adopt ISO 27001.
ISO/IEC 27001 (ISO 27001) is the international standard that describes best practice for an Information Security Management System (ISMS). ISO 27001 can be followed by any kind of organization of any size. It was written by the world's best experts in the field of information security to provide a methodology for implementing an ISMS in an organization.
Accredited certification to ISO 27001 demonstrates that an organization is following international information security best practices.
Our team of certified consultants is happy to help and answer your inquiries regarding building your own ISMS. We are also happy to assess your existing ISMS against the ISO 27001 standard, which will help you ensure you are on the right track to gain or keep the certification.