
Information Security Management System (ISMS)

Information Security




Information is one of your business's most valuable assets. Faster, more complex and more flexible ways of creating, using and sharing information are being developed every day. However, although electronic information is transforming and increasingly dominating the way we work, the risk that information is lost, corrupted or disclosed is ever increasing, and the impact of such a loss on your business could be devastating.


As information is an important business asset, it needs to be suitably protected. Information security is about the availability, integrity and confidentiality of information. To your business, it means having information available when it is needed - e.g. networks do not crash, power supplies do not fail and software works. It also means that you can trust the integrity of the information you are accessing and using - e.g. the orders that you received or the invoices that you transmitted have not been altered accidentally or intentionally. It further means that you can be sure that information which is to be kept confidential has not been seen or accessed by unauthorized persons.

Information Security Management System (ISMS)

Information security is not only a technical issue but a business and management one, as technology alone cannot provide all the answers to problems posed by people. The answer is to adopt proven measures to counter the specific threats facing the organization, and to build these measures into day-to-day business operations instead of bolting them on as an optional extra.

An Information Security Management System (ISMS) is a management system whose purpose is to facilitate informed decisions about the information security of your business within the scope of the ISMS. It helps your organization carry out the day-to-day management of information security issues in a systematic way.

Information Security Management Standards

The well recognized Information Security Standards include:

1. ISO/IEC 27001: Specification for Information Security

2. ISO/IEC 27002 (ISO/IEC 17799:2005): Code of practice for Information Security Management

ISO/IEC 27001 specifies the requirements for implementing an effective Information Security Management System (ISMS) in an organization, so that information security is managed effectively and systematically. It is a specification against which your organization can be assessed and registered. This standard replaces the old BS7799-2 standard.

On the other hand, ISO/IEC 27002 (ISO/IEC 17799:2005) takes the form of guidance notes and recommendations for an organization to initiate, implement and maintain information security within the organization. It contains over 100 security controls to help you identify the elements of your business that have an impact on information security.

The information security best practices are organized into 11 domains or sections:

1. Security policy
2. Organization of information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information acquisition, development and maintenance
9. Information security incident management
10. Business continuity management
11. Compliance

Where Can You Start?

  1. Develop an information security policy and identify your organization's key information assets. Study the standards, ISO/IEC 27001 and ISO/IEC 27002 (ISO/IEC 17799:2005), to understand the requirements.

  2. Carry out a risk assessment, document and implement your ISMS. Training of staff will be critical to ensure a successful implementation.

  3. Conduct an internal audit and a management review to assess the effectiveness of your ISMS.

  4. Once your management system is fully implemented you can get your ISMS certification from PSB.

ISMS Certification

PSB Certification launched the ISMS Certification Scheme in Nov 2001 and has already certified some companies. More companies in Singapore have shown interest in the certification scheme.

To obtain PSB certification for your Information Security Management System, your ISMS must pass an assessment by a PSB audit team against the standard BS 7799 Part 2. This includes a desktop assessment of the ISMS framework documentation, a preliminary assessment and a certification assessment.

If you are interested in getting ISMS certification from PSB Certification, or want to have more information, please contact Chris Ng at
H/P: 6885 1613 or
Email: khee-soon.ng@psbcert.com

TÜV SÜD PSB Certification, 3 Science Park Drive, #03-12 The Franklin Singapore 118223. Tel: 65-68851628 Fax: 65-68720531