Information Security Management Systems (ISMS)

What is an information security management system?

An Information Security Management System (ISMS, engl. Information Security Management System) describes guidelines, procedures and responsibilities with the aim of permanently ensuring, controlling and continuously optimizing information security in a company.

An ISMS typically addresses the behavior and procedures of employees as well as With data and technologies. It may be focused on a specific type of data focused, such as customer data.

An ISMS can be set up in accordance with the ISO 27001 standard, for example. This does not prescribe any specific measures but contains goals as well as suggestions for documentation, internal audits, continuous improvement and other improvement and other topics. Admittedly, the supporting standard ISO/IEC 27002 or also the VDA/ISA question catalog for TISAX very well contain concrete measures for implementing the goals.

Who is responsible for information security?

Information security management is the responsibility of senior management. After approving an information security policy, specific implementation is usually delegated to employees such as IT security officers and data protection officers.

An important success factor when implementing an ISMS is the support of the company's management.

Obviously, "information security" cannot be introduced single-handedly by the IT department either. the selection and implementation of appropriate information security measures is always teamwork. This can only succeed through collaboration between business departments, IT and those responsible for IT security.

Why is an information security management system important?

Nowadays, companies not only store and process information about products and developments, but often also a large amount of data about their own customers. This includes behavioral analysis, personal information, credit card and payment data, information about health and much more.

The increasing collection of corporate data in recent years, as well as the growing threat of cyberattacks and data breaches, have led to significant advancements in the area of corporate information security management. Not entirely uninvolved are also the current requirements for data protection (DSGVO, EU-GDPR) with a considerable range of penalties.

What are the benefits of an information security management system?

A holistic, preventive approach to ensuring information security offers several benefits to businesses and organizations:

Company-wide protection of sensitive information

. An ISMS ensures that own information assets as well as data of customers or third parties, are adequately protected against all threats.

Higher stability of business processes

. By making information security an integral part of business processes through an ISMS, organizations can minimize their information security risks. This prevents security incidents from causing disruptions.

Meeting customer compliance requirements

. Quite extensive compliance requirements now apply in many sectors, whether in finance, critical infrastructures (KRITIS) or even the automotive industry with TISAX® / VDA-ISA. Non-compliance with legal and contractual regulations can result in penalties or even the exclusion from expiring contract awards. With an ISMS, companies ensure that they comply with all regulatory and contractual requirements, giving them greater operational and legal certainty at the same time.

Improved efficiency and cost reduction

. With centralized coordination and a risk-based action plan, an ISMS can help prioritize scarce human and financial resources. After an initial cost overrun, costs can be reduced in the long run.

What is ISMS certification (BSI IT-Grundschutz, ISO 27001, TISAX, KRITIS)?

By certifying their ISMS, companies can demonstrate secure handling of sensitive information to third parties. This contributes to a better external image and trust-building, which in turn means a competitive advantage.

The establishment of an ISMS is also required by regulatory requirements, such as Section 91 (2) of the German Stock Corporation Act (AktG), the IT Security Act, Basel II, MaRisk or the General Data Protection Regulation. In the case of critical infrastructures (KRITIS), the IT Security Act requires certification of facilities that are of high importance.

For this purpose, there are both industry-independent certifications such as ISO/IEC 27001, ISO/IEC 27001 based on IT-Grundschutz or KRITIS. As an example of an industry-dependent label, TISAX® for the automotive industry should be mentioned.

A certification of the ISMS according to ISO/IEC 27001, but also in an assessment for a TISAX® label, the ISMS is always audited. This involves an external audit to check whether the information security management system meets all the requirements necessary for the respective certification.

Example of an ISMS

.

The BSI has used a medium-sized, but fictitious, example company, the RECPLAST GmbH, reference documents for the introduction and operation of an ISMS based on the BSI standard IT-Grundschutz.

With an ISMS, do I still need a data protection management system?

While an ISMS fundamentally helps protect information, it does not necessarily also meet regulatory data protection requirements regarding the processing of personal data. Information security and data protection do attempt to achieve similar protection goals, yet an ISMS does not replace a data protection management system (DMS).

Ideally, however, a DSMS builds on an ISMS and extends it technically as well as organizationally in accordance with the data protection requirements (Art. 25 and 32 DSGVO). Close cooperation between information security officers and data protection officers is advantageous for this purpose. and data protection officers.

What are the key steps to implementing an information security management system?

The following steps should be followed for efficient and effective implementation of an ISMS:

Determine the scope

.

One of the first steps is to clarify what the ISMS should accomplish. To do this, management must define the framework, scopes, objectives and boundaries of the ISMS in a security guideline.

Identify the corporate assets worth protecting

.

What assets should be protected by the ISMS? These can be customer data, company data, source code, tangible assets such as computers, but also intangible assets such as employee qualifications, skills and experience. The focus is on important and business-critical values that are crucial to the success of the company.

Identifying and assessing risks

.

For each asset worth protecting, potential risks must be identified. For example, organizations should ask what the impact of the risk would be if confidentiality, integrity and availability were breached. Finally, this results in an assessment of which risks are still acceptable to the company based on the expected extent of damage and which must absolutely be reduced or eliminated.

Determining measures

.

Based on the preceding risk assessment, appropriate and realistic technical and organizational measures for risk reduction or risk avoidance must be selected and implemented.

Implementation of measures

.

The defined measures should now be translated into operational reality. If possible, the measures should be measurable, for example by defining KPIs (key performance indicators).

With the actions shown so far, preparations for ISMS operations are already very far advanced and can now be transferred to the ISMS control loop.

Verify effectiveness

The measures adopted and implemented must be continuously monitored and regularly checked for effectiveness.

Improve

If deficiencies are found in the implemented measures, or even new risks are identified - the ISMS process must be run through again.

In this way, the ISMS can be continuously adapted to changing conditions or requirements and information security in the company can be continuously improved.

What can companies look to for guidance when implementing an ISMS?

Greenfield or best-practice approach? Established standards such as the ISO 27000 family can be helpful when implementing the necessary security measures.

An ISMS developed according to these standards makes it possible to identify risks at an early stage and to minimize them by means of tailor-made countermeasures to minimize them. This enables companies to achieve the primary protection goals of confidentiality, availability and integrity of managed information. Afterwards, certification according to ISO 27001 or a TISAX®-label is relatively easy to achieve.

SMEs and small municipalities, can also be guided by the simplified standard ISIS12 when setting up an ISMS. This consists of a pragmatic twelve-step plan.

Why is an ISMS not a software product?

An information security management system is composed of responsibilities within the company or organization, as well as policies, standards and processes.

Of course, there are IT-based ISMS tools that simplify the daily work with the ISMS. Any search engine will unearth a myriad of solutions and tools. For example, tools for the software-supported execution of risk management processes or the management of internal corporate security policies.

Experience has shown that a set of good and proven templates for a new ISMS is very valuable and can greatly accelerate the implementation of an ISMS. Likewise, a software-supported approach to risk management is highly recommended to everyone. It is no longer easy to say in general terms whether further helpers are needed.

In any case, it is advisable to take a brief look at the tools currently available.

Nevertheless, an ISMS is a management system for information security - and this is, by its very nature, not software.