What is an information security management system?
Information security management is a bundle of processes that companies implement in order to manage the way the select and deploy information security measures. There might be a number of smart security measures everybody should implement, like malware protection or patch management, but not all your applications and systems are alike. In order to understand what you might want to do and what you absolutely have to do, you should think about having a managed and systematic approach to information security: an information security management system (ISMS).
What is the ISO27001:2013 standard?
The ISO 27001:2013 standard is one of several standards within the 27000 family of standards aimed at describing information security management systems. These standards cover the different aspects of information security management systems, e.g. risk management, auditing, governance, cyber security and so on. The reason the ISO 27001:2013 is mentioned most often in conversation and is used as synonym for information security management systems is, that certifications are based on the ISO 27001:2013, since it is the document containing the requirements rather than the implementation.
That is a huge difference and an important fact to understand, if you are interested in establishing an information security management system according to the standards. The requirements in the ISO 27001:2013 need to be addressed, if you want to gain a certification. But you do not need to implement all best practice measures detailed in the other standards. Consider them guidance first and foremost. That doesn’t mean that auditors will not look into these documents in order to assess the quality of your activities. They might even ask you why you did not implement a certain measure. But they cannot tell you what the best measure based on your individual needs is.
What do I need to be aware of when looking at certifications?
When you assess a service provider, you therefor have to keep the following questions in mind:
- What is the certification for? Certifications are issued for specific processes, like ‘deployment of applications’, ‘management of customer environments’ and so on. Maybe the certification isn’t even for the service you want to purchase.
- How does the certified body deal with risks? The assessment of possible measures is most likely not based on your risks, but rather on the servicers assumption what they might be. They also might have identified a certain risk and have accepted it in writing, which would be compliant with the ISO standard. Are you sure, your needs are being met?
While of course there is a lot of money to be made with certifications and while there might be good reasons to gain certification, certification isn’t necessarily the right thing to do for everybody. I strongly suggest that everybody looks at the certification as an investment. Think of the initial costs needed to be prepared for the certification. Think about the additional cost you need to gain the certification. Think about the ongoing costs you need to uphold the certification. Looking into international standards for security management is still a good idea, even if you do not want to be certified in the near future.