What is a Management System?
Management systems are coordinated actions to direct and control an organization. Direction and control require informed choice decision making. Many products advertised as management systems are organizational aids and do not assist in informed choice decision making.

What is an ISMS (Information Security Management System)?
A framework under which to integrate people, process, and technology in order to direct and control the activities required to preserve the confidentiality, integrity, and availability of information assets.

Why would I want an ISMS?
Chances are you already have one, although it may be informal. A formalized ISMS will improve efficiency, effectiveness, defensibility, and visibility of your program.

What is a Compliance Management System?
A framework under which to integrate people, process, and technology in order to direct and control the activities required to achieve compliance with multiple legal and regulatory requirements.

Why would I want a Compliance Management System?
Chances are you already have one, although it may be informal. A formalized Compliance Management System will improve efficiency, effectiveness, defensibility, and visibility of your compliance program.

How does a Compliance Management System (CMS) help with speed to compliance?

  • All regulations have the following in common:
    • They address specific information types, such as health, credit card, or identity information.
    • They require verifiably managed information security controls.
  • Some regulations also have specific control objectives.
  • A Compliance Management System framework can address all information types simultaneously.
  • A process-based approach provides metrics for management verification.
  • Required control objectives can be mapped or retrofitted to existing controls, reducing redundancy and improving efficiency.

Benefits:

  • Reduced redundancy
  • Improved efficiency
  • Aggregation of compliance initiatives (breaking down silos)
  • Better utilization of resources and budget dollars
  • Faster response to new regulation
  • Reduced audit pain (some regulations accept ISO 27001 certification in lieu of audit)

What is defensibility?
Management actions based upon informed choice decision making, resulting in the ability to defend your decisions.

What is informed choice decision making?
Decisions based upon facts rather than assumptions.

What is a risk-driven approach?
Informed choice decision making based upon risk.

What is a process-based approach?
The definition and deployment of business processes with measurable metrics.

What is ISO 27001?
A risk-driven, process-based approach to information security management. It is also the only internationally recognized standard with auditable requirements against which an organization can certify its information security program.

What is ISO 27002?
A collection of suggested information security controls with implementation guidance. It is commonly misrepresented as an audit guide, when in fact it is a suggested set of controls.

Contact: Orange Parachute, 1 800 841 9329