FAQs
What is a Management System?
Management systems are coordinated actions to direct and control an organization. Direction and control require informed choice decision making. Many products advertised as management systems are organizational aids and do not assist in informed choice decision making.
What is an ISMS (Information Security Management System)?
A structure (i.e. “framework”) under which to integrate people, process, and technology in order to direct and control the activities required to preserve confidentiality, integrity, and availability of information assets.
Why would I want an ISMS?
You may already have one, although it may be informal. A formalized ISMS will improve efficiency, effectiveness, and usability of your security program, resulting in increased program visibility, informed choice decision making, speed to compliance, and conformance or certification to an international standard (ISO 27001). This is just a sampling of benefits, as there are too many to list here.
How does an ISMS provide information security metrics?
An ISMS provides the structure and context to produce metrics (i.e. gather metric data, extract information, and provide strategic intelligence). The idea of data/information/intelligence is very powerful when discussing metrics that matter. Also, this process-based approach, when applied to an operational area, gives the guidance needed to understand what data to capture, since a process by definition has a critical success factor and a key performance indicator (KPI). The KPI tells us what data (metric) to capture.
What is defensibility?
Management actions based upon informed choice decision making, resulting in the ability to defend your decisions.
What is informed choice decision making?
Decisions based upon facts rather than assumptions.
What is a risk-driven approach?
Informed choice decision making based upon risk.
What is a process-based approach?
The definition and deployment of business processes with measurable metrics.
What is ISO 27001?
A risk-driven, process-based approach to information security management. It is also the only internationally recognized standard with auditable requirements against which an organization can certify its information security management program.
What is ISO 27002?
A collection of suggested information security controls with implementation guidance. It is commonly misrepresented as an audit guide, when in fact it is a suggested set of controls.