Overview
An Information Security Management System (ISMS) provides the information needed to understand the information security policies and practices in place at a company. The standard for compliance and registration is BS 7799-2:1999. A supplementary document, ISO 17799:2000, is a Code of Practice that gives recommendations for information security management.

The ISMS standard specifies the security controls and documents that the company must implement and maintain as part of its day-to-day operation. In addition, the ISMS must include appropriate monitoring, reporting and review processes to ensure that it functions effectively and that corrective measures are identified and implemented in a timely manner.

An ISMS is a continuous progression of compliance, improvement and prevention. The following outlines the basic requirements to obtain compliance:

Define the policy
The ISMS Policy describes a company's shared vision, commitment and direction in information security. It gives a definition of information security, its objectives and scope, the management intent, a brief explanation of the compliance requirements, information security responsibilities and the supporting documentation.

Define the scope of the ISMS
Based on its own characteristics, such as its location, assets and technologies, the company defines the boundaries of its ISMS and sets those boundaries as the scope.

Undertake a risk assessment
Once the scope is defined, the company must undertake a risk assessment to evaluate the risks and threats to the information system and their respective impacts on the organization. When evaluating risks, the company should take into account, at a minimum, both the severity of each risk and its likelihood of occurring.

Manage the risk
Next, the company has to determine how to manage the risks. Based on its information security policy and the degree of assurance required, the company prioritizes the risks. Not every high-risk area has to be tackled. Backed by a proper decision process, the company can determine how it will deal with the prioritized risks.

Select control objectives and controls to be implemented
BS 7799-2:1999 comes with a list of 10 control objectives and controls, with their respective recommended practices detailed in ISO 17799:2000. The company has to select those controls that are appropriate to its operation for implementation, and the selection should be justified.

Prepare a statement of applicability
In the previous stage, the company decided which control objectives and controls to implement. The reasons for that selection must be documented in the Statement of Applicability. Any exclusions and exceptions should also be specified clearly in the Statement of Applicability.

© 2002, Vintara, All Rights Reserved